Computer Hope
Software => Computer viruses and spyware => Topic started by: punky on February 01, 2010, 03:39:32 PM
-
thank you in advance for your help!
[Saving space, attachment deleted by admin]
-
Please visit this webpage for a tutorial on downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
See the area: Using ComboFix, and when done, post the log back here.
-
Thanks for helping me... here you go!
[Saving space, attachment deleted by admin]
-
Please download Cheetah-Anti-Rogue (http://hmoslabs.webs.com/Cheetah-Anti-Rogue.zip), and save to your Desktop.
- Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
- Double-click on Cheetah-Anti-Rogue.cmd to start.
- It will finish quickly and launch a log.
- Post the contents of it in your next reply.
===
Please download the latest version of Kaspersky GetSystemInfo (GSI) from Kaspersky (http://telecharger.kaspersky.fr/GSI/GetSystemInfo.exe) and save it to your Desktop.
Please close all other applications running on your system.
Please double click GetSystemInfo.exe to open it.
Click the Settings button.
Set it to Maximum.
IMPORTANT! Then please click Customize, choose the Driver / Ports tab and uncheck Scan Ports.
Click Create Report to run it.
It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your Desktop. Please upload the folder to Kaspersky GSI Parser (http://www.getsysteminfo.com) and click the Submit button.
Please copy and paste the url of the GSI Parser report (not the log) in your next reply.
-
here you go
[Saving space, attachment deleted by admin]
-
Here's the GSI parser URL:
http://www.getsysteminfo.com/read.php?file=4e4c894ae5800dce43b32955ddd3d175
-
Open a run line by clicking start -> run
Copy and paste the following text into the Open: box and click OK:
cmd /k cd\ && dir c:\atapi.sys /a /s > atapi.txt && notepad atapi.txt
Paste back the contents of the atapi.txt
===
-
Volume in drive C has no label.
Volume Serial Number is 00CF-C567
Directory of c:\WINDOWS\ServicePackFiles\i386
04/13/2008 02:40 PM 96,512 atapi.sys
1 File(s) 96,512 bytes
Directory of c:\WINDOWS\system32\drivers
01/31/2010 10:19 PM 95,360 atapi.sys
1 File(s) 95,360 bytes
Directory of c:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386
08/04/2004 08:00 PM 95,360 atapi.sys
1 File(s) 95,360 bytes
Directory of c:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386
08/03/2004 10:59 PM 95,360 atapi.sys
1 File(s) 95,360 bytes
Total Files Listed:
4 File(s) 382,592 bytes
0 Dir(s) 33,185,346,048 bytes free
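A check that makes the request above concrete, added here as an example and not a tool from the thread: it parses the `dir c:\atapi.sys /a /s` output posted above and compares the copy actually loaded from system32\drivers against the Service Pack's reference copy, flagging a size mismatch or a modification date later than the service pack's. It assumes the US date format shown in the listing.

```python
"""Compare every copy of atapi.sys that `dir c:\\atapi.sys /a /s` reports."""
import re
from datetime import datetime

# Listing exactly as posted in the thread above.
DIR_OUTPUT = r"""
Volume in drive C has no label.
Volume Serial Number is 00CF-C567
Directory of c:\WINDOWS\ServicePackFiles\i386
04/13/2008 02:40 PM 96,512 atapi.sys
1 File(s) 96,512 bytes
Directory of c:\WINDOWS\system32\drivers
01/31/2010 10:19 PM 95,360 atapi.sys
1 File(s) 95,360 bytes
Directory of c:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386
08/04/2004 08:00 PM 95,360 atapi.sys
1 File(s) 95,360 bytes
Directory of c:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386
08/03/2004 10:59 PM 95,360 atapi.sys
1 File(s) 95,360 bytes
Total Files Listed:
4 File(s) 382,592 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
# US-locale `dir` line: date, 12-hour time, comma-grouped size, file name.
FILE_RE = re.compile(
    r"^\s*(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)"
    r"\s+(?P<size>[\d,]+)\s+(?P<name>\S+)\s*$"
)


def parse_dir_listing(text):
    """Return [(full_path, size_bytes, mtime)] for each file in a `dir /s` listing."""
    entries = []
    current_dir = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group("path")
            continue
        m = FILE_RE.match(line)
        if m and current_dir:
            mtime = datetime.strptime(m.group("date") + " " + m.group("time"),
                                      "%m/%d/%Y %I:%M %p")
            size = int(m.group("size").replace(",", ""))
            entries.append((current_dir + "\\" + m.group("name"), size, mtime))
    return entries


def check_active_driver(entries, reference_marker="ServicePackFiles",
                        active_marker="system32\\drivers\\"):
    """Compare the loaded driver copy with the service-pack reference copy.

    The markers are path fragments (an assumption of this example) that pick
    out the pristine Service Pack copy and the copy Windows actually loads.
    """
    ref = next((e for e in entries if reference_marker.lower() in e[0].lower()), None)
    act = next((e for e in entries if active_marker.lower() in e[0].lower()), None)
    if ref is None or act is None:
        return {"status": "incomplete",
                "reasons": ["reference or active copy not found in listing"]}
    reasons = []
    if act[1] != ref[1]:
        reasons.append(f"size {act[1]} differs from service-pack copy ({ref[1]})")
    if act[2] > ref[2]:
        reasons.append(f"modified {act[2]:%Y-%m-%d}, after the service-pack copy "
                       f"({ref[2]:%Y-%m-%d})")
    return {"status": "suspect" if reasons else "consistent",
            "reasons": reasons, "active": act[0], "reference": ref[0]}


if __name__ == "__main__":
    result = check_active_driver(parse_dir_listing(DIR_OUTPUT))
    print(result["status"], result["active"])
    for reason in result["reasons"]:
        print(" -", reason)
```

Size and date mismatches are a lead, not a verdict, which is why the next step in the thread is a fresh scan of the file itself.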
-
Jotti File Submission:
- Please go to Jotti's malware scan (http://virusscan.jotti.org/)
- Copy and paste the following file path into the "File to upload & scan"box on the top of the page:
- C:\WINDOWS\SYSTEM32\drivers\atapi.sys
- Click on the submit button
- Please post the results (URL) in your next reply.
NOTE: re-scan the file. Please do not get a past result.
-
Says it found nothing???
http://virusscan.jotti.org/en/scanresult/875c16c3403d418b84e6bb5e79d2de57524f8e1f
I keep getting a redirect called Searchclick8.
-
Please download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
Double-click gmer.exe. The program will begin to run.
**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!
If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
- Click NO
- In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
- Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
- Click OK.
- GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
- Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
-
I just ran GMER and it ended, then shut down the PC... when the PC rebooted, after the Microsoft Windows XP page, it went to a black screen and would not move to the page where I enter my password... so I restarted it and was able to get through... I reran GMER and I get the blue screen of death, and it shuts the PC down again... now what?
-
It's being blocked by a rootkit.
Copy (Ctrl+C) and paste (Ctrl+V) the text in the code box below into Notepad:
```bat
@echo off
Copy /y gmer.exe ark.exe
Start ark.exe
```
Save it into the gmer folder as File name: ark.cmd
Save as type: All Files
Once done, double click ark.cmd to run it.
This should start GMER, follow the steps I have outlined earlier to save a log file, then post me the contents in your next reply.
-
Still didn't work... same thing... runs for a while, blue screen, reboot, then a Microsoft popup "The system has recovered from a serious error".
Here's the data of the error:
BCCode : 10000050 BCP1 : E4C84000 BCP2 : 00000000 BCP3 : B6F79C3E
BCP4 : 00000001 OSVer : 5_1_2600 SP : 3_0 Product : 256_1
-
Oh ok...
Download this file (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and extract TDSSKiller.exe onto your Desktop.
Then create this batch file to be placed next to TDSSKiller
=====
Open NOTEPAD.exe and copy/paste the text in the quote box below into it:
```bat
@ECHO OFF
START /WAIT TDSSKILLER.exe -l Logit.txt -v
START Logit.txt
del %0
```
Save this as fix.bat. Choose "Save as type: All Files".
Double click on fix.bat & allow it to run
Post back to tell me what it says
-
16:31:37:218 3128 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
16:31:37:218 3128 ================================================================================
16:31:37:218 3128 SystemInfo:
16:31:37:218 3128 OS Version: 5.1.2600 ServicePack: 3.0
16:31:37:218 3128 Product type: Workstation
16:31:37:218 3128 ComputerName: BOOBOO
16:31:37:218 3128 UserName: tony
16:31:37:218 3128 Windows directory: C:\WINDOWS
16:31:37:218 3128 Processor architecture: Intel x86
16:31:37:218 3128 Number of processors: 2
16:31:37:218 3128 Page size: 0x1000
16:31:37:218 3128 Boot type: Normal boot
16:31:37:218 3128 ================================================================================
16:31:37:234 3128 UnloadDriverW: NtUnloadDriver error 2
16:31:37:234 3128 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:31:37:234 3128 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
16:31:37:234 3128 UtilityInit: KLMD drop and load success
16:31:37:234 3128 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
16:31:37:234 3128 UtilityInit: KLMD open success
16:31:37:234 3128 UtilityInit: Initialize success
16:31:37:234 3128
16:31:37:234 3128 Scanning Services ...
16:31:37:234 3128 CreateRegParser: Registry parser init started
16:31:37:234 3128 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
16:31:37:234 3128 CreateRegParser: DisableWow64Redirection error
16:31:37:234 3128 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
16:31:37:234 3128 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
16:31:37:234 3128 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:31:37:234 3128 wfopen_ex: Trying to KLMD file open
16:31:37:234 3128 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
16:31:37:234 3128 wfopen_ex: File opened ok (Flags 2)
16:31:37:234 3128 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 394970
16:31:37:234 3128 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
16:31:37:234 3128 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
16:31:37:234 3128 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:31:37:234 3128 wfopen_ex: Trying to KLMD file open
16:31:37:234 3128 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
16:31:37:234 3128 wfopen_ex: File opened ok (Flags 2)
16:31:37:234 3128 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 394A18
16:31:37:234 3128 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
16:31:37:234 3128 CreateRegParser: EnableWow64Redirection error
16:31:37:234 3128 CreateRegParser: RegParser init completed
16:31:37:671 3128 GetAdvancedServicesInfo: Raw services enum returned 376 services
16:31:37:687 3128 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
16:31:37:687 3128 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
16:31:37:687 3128
16:31:37:687 3128 Scanning Kernel memory ...
16:31:37:687 3128 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
16:31:37:687 3128 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8714C348
16:31:37:687 3128 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
16:31:37:687 3128
16:31:37:687 3128 DetectCureTDL3: DEVICE_OBJECT: 871DF958
16:31:37:687 3128 KLMD_GetLowerDeviceObject: Trying to get lower device object for 871DF958
16:31:37:687 3128 KLMD_ReadMem: Trying to ReadMemory 0x871DF958[0x38]
16:31:37:687 3128 DetectCureTDL3: DRIVER_OBJECT: 8714C348
16:31:37:687 3128 KLMD_ReadMem: Trying to ReadMemory 0x8714C348[0xA8]
16:31:37:687 3128 KLMD_ReadMem: Trying to ReadMemory 0xE18BC8B8[0x18]
16:31:37:687 3128 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:31:37:687 3128 DetectCureTDL3: IrpHandler (0) addr: F75C2BB0
16:31:37:687 3128 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (2) addr: F75C2BB0
16:31:37:687 3128 DetectCureTDL3: IrpHandler (3) addr: F75BCD1F
16:31:37:687 3128 DetectCureTDL3: IrpHandler (4) addr: F75BCD1F
16:31:37:687 3128 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (9) addr: F75BD2E2
16:31:37:687 3128 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (14) addr: F75BD3BB
16:31:37:687 3128 DetectCureTDL3: IrpHandler (15) addr: F75C0F28
16:31:37:687 3128 DetectCureTDL3: IrpHandler (16) addr: F75BD2E2
16:31:37:687 3128 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (22) addr: F75BEC82
16:31:37:687 3128 DetectCureTDL3: IrpHandler (23) addr: F75C399E
16:31:37:687 3128 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:31:37:687 3128 TDL3_FileDetect: Processing driver: Disk
16:31:37:687 3128 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:31:37:687 3128 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:31:37:703 3128 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:31:37:703 3128
16:31:37:703 3128 DetectCureTDL3: DEVICE_OBJECT: 87148C68
16:31:37:703 3128 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87148C68
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0x87148C68[0x38]
16:31:37:703 3128 DetectCureTDL3: DRIVER_OBJECT: 8714C348
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0x8714C348[0xA8]
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0xE18BC8B8[0x18]
16:31:37:703 3128 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:31:37:703 3128 DetectCureTDL3: IrpHandler (0) addr: F75C2BB0
16:31:37:703 3128 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (2) addr: F75C2BB0
16:31:37:703 3128 DetectCureTDL3: IrpHandler (3) addr: F75BCD1F
16:31:37:703 3128 DetectCureTDL3: IrpHandler (4) addr: F75BCD1F
16:31:37:703 3128 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (9) addr: F75BD2E2
16:31:37:703 3128 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (14) addr: F75BD3BB
16:31:37:703 3128 DetectCureTDL3: IrpHandler (15) addr: F75C0F28
16:31:37:703 3128 DetectCureTDL3: IrpHandler (16) addr: F75BD2E2
16:31:37:703 3128 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (22) addr: F75BEC82
16:31:37:703 3128 DetectCureTDL3: IrpHandler (23) addr: F75C399E
16:31:37:703 3128 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:31:37:703 3128 TDL3_FileDetect: Processing driver: Disk
16:31:37:703 3128 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:31:37:703 3128 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:31:37:703 3128 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:31:37:703 3128
16:31:37:703 3128 DetectCureTDL3: DEVICE_OBJECT: 871E76F8
16:31:37:703 3128 KLMD_GetLowerDeviceObject: Trying to get lower device object for 871E76F8
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0x871E76F8[0x38]
16:31:37:703 3128 DetectCureTDL3: DRIVER_OBJECT: 8714C348
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0x8714C348[0xA8]
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0xE18BC8B8[0x18]
16:31:37:703 3128 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:31:37:703 3128 DetectCureTDL3: IrpHandler (0) addr: F75C2BB0
16:31:37:703 3128 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (2) addr: F75C2BB0
16:31:37:703 3128 DetectCureTDL3: IrpHandler (3) addr: F75BCD1F
16:31:37:703 3128 DetectCureTDL3: IrpHandler (4) addr: F75BCD1F
16:31:37:703 3128 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (9) addr: F75BD2E2
16:31:37:703 3128 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (14) addr: F75BD3BB
16:31:37:703 3128 DetectCureTDL3: IrpHandler (15) addr: F75C0F28
16:31:37:703 3128 DetectCureTDL3: IrpHandler (16) addr: F75BD2E2
16:31:37:703 3128 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (22) addr: F75BEC82
16:31:37:703 3128 DetectCureTDL3: IrpHandler (23) addr: F75C399E
16:31:37:703 3128 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:31:37:703 3128 TDL3_FileDetect: Processing driver: Disk
16:31:37:703 3128 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
16:31:37:703 3128 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
16:31:37:703 3128 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:31:37:703 3128
16:31:37:703 3128 DetectCureTDL3: DEVICE_OBJECT: 870D9AB8
16:31:37:703 3128 KLMD_GetLowerDeviceObject: Trying to get lower device object for 870D9AB8
16:31:37:703 3128 DetectCureTDL3: DEVICE_OBJECT: 870EC9E8
16:31:37:703 3128 KLMD_GetLowerDeviceObject: Trying to get lower device object for 870EC9E8
16:31:37:703 3128 DetectCureTDL3: DEVICE_OBJECT: 87148940
16:31:37:703 3128 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87148940
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0x87148940[0x38]
16:31:37:703 3128 DetectCureTDL3: DRIVER_OBJECT: 8714BF38
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0x8714BF38[0xA8]
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0xE18B6968[0x1A]
16:31:37:703 3128 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
16:31:37:703 3128 DetectCureTDL3: IrpHandler (0) addr: F73C96F2
16:31:37:703 3128 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (2) addr: F73C96F2
16:31:37:703 3128 DetectCureTDL3: IrpHandler (3) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (4) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (5) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (6) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (7) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (8) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (9) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (10) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (11) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (12) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (13) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (14) addr: F73C9712
16:31:37:703 3128 DetectCureTDL3: IrpHandler (15) addr: F73C5852
16:31:37:703 3128 DetectCureTDL3: IrpHandler (16) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (17) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (18) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (19) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (20) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (21) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (22) addr: F73C973C
16:31:37:703 3128 DetectCureTDL3: IrpHandler (23) addr: F73D0336
16:31:37:703 3128 DetectCureTDL3: IrpHandler (24) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (25) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (26) addr: 804F4562
16:31:37:703 3128 KLMD_ReadMem: Trying to ReadMemory 0xF73C6864[0x400]
16:31:37:703 3128 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
16:31:37:703 3128 TDL3_FileDetect: Processing driver: atapi
16:31:37:703 3128 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
16:31:37:703 3128 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\atapi.sys
16:31:37:734 3128 TDL3_FileDetect: C:\WINDOWS\system32\drivers\atapi.sys - Verdict: Clean
16:31:37:734 3128
16:31:37:734 3128 Completed
16:31:37:734 3128
16:31:37:734 3128 Results:
16:31:37:734 3128 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
16:31:37:734 3128 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:31:37:734 3128 File objects infected / cured / cured on reboot: 0 / 0 / 0
16:31:37:734 3128
16:31:37:734 3128 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
16:31:37:734 3128 UtilityDeinit: KLMD(ARK) unloaded successfully
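A triage pass over the IrpHandler tables in the TDSSKiller log above, added as an example and not part of the thread or of TDSSKiller. The heuristic is this example's own assumption: each major-function handler a driver exposes should point either at the kernel's shared default stub (the one address that recurs across every driver) or into that driver's own image, so the remaining addresses should cluster within roughly one image size. The excerpt is trimmed from the log posted above; the hooked variant is constructed for contrast.

```python
"""Flag IRP major-function handlers that point outside their driver's own code."""
import re
from collections import Counter, defaultdict
from statistics import median

IMAGE_SPAN = 0x100000  # 1 MiB: generous upper bound for a storage driver image (assumption)

DRIVER_RE = re.compile(r"DRIVER_OBJECT name: (\\Driver\\\S+), Driver Name: (\S+)")
HANDLER_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (\S+) - Verdict: (\w+)")

# Trimmed excerpt of the log posted above (timestamps and PID kept as posted).
LOG_EXCERPT = r"""
16:31:37:687 3128 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
16:31:37:687 3128 DetectCureTDL3: IrpHandler (0) addr: F75C2BB0
16:31:37:687 3128 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:31:37:687 3128 DetectCureTDL3: IrpHandler (3) addr: F75BCD1F
16:31:37:687 3128 DetectCureTDL3: IrpHandler (14) addr: F75BD3BB
16:31:37:703 3128 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:31:37:703 3128 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
16:31:37:703 3128 DetectCureTDL3: IrpHandler (0) addr: F73C96F2
16:31:37:703 3128 DetectCureTDL3: IrpHandler (1) addr: 804F4562
16:31:37:703 3128 DetectCureTDL3: IrpHandler (14) addr: F73C9712
16:31:37:703 3128 DetectCureTDL3: IrpHandler (15) addr: F73C5852
16:31:37:703 3128 DetectCureTDL3: IrpHandler (23) addr: F73D0336
16:31:37:734 3128 TDL3_FileDetect: C:\WINDOWS\system32\drivers\atapi.sys - Verdict: Clean
"""

# Constructed variant (not from the thread): atapi's handler 15 redirected to a
# pool address far away from the driver image, the shape a hook would leave.
HOOKED_EXCERPT = LOG_EXCERPT.replace("IrpHandler (15) addr: F73C5852",
                                     "IrpHandler (15) addr: 8714E0A0")


def parse_log(text):
    """Return ({driver_name: {major: handler_addr}}, {driver_file: verdict})."""
    handlers = defaultdict(dict)
    verdicts = {}
    current = None
    for line in text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(2)
            continue
        m = HANDLER_RE.search(line)
        if m and current:
            handlers[current][int(m.group(1))] = int(m.group(2), 16)
            continue
        m = VERDICT_RE.search(line)
        if m:
            verdicts[m.group(1)] = m.group(2)
    return dict(handlers), verdicts


def default_stub(handlers):
    """The single most common handler address across all drivers: the kernel's stub
    for majors a driver does not implement."""
    counts = Counter(a for table in handlers.values() for a in table.values())
    return counts.most_common(1)[0][0]


def find_outliers(handlers):
    """Per driver, list (major, addr) handlers that are neither the default stub
    nor within IMAGE_SPAN of the median of that driver's own handlers."""
    stub = default_stub(handlers)
    findings = {}
    for driver, table in handlers.items():
        own = [a for a in table.values() if a != stub]
        if len(own) < 2:  # too little data to define a cluster
            continue
        centre = median(own)
        bad = [(mj, a) for mj, a in sorted(table.items())
               if a != stub and abs(a - centre) > IMAGE_SPAN]
        if bad:
            findings[driver] = bad
    return findings


if __name__ == "__main__":
    for label, text in (("posted log", LOG_EXCERPT), ("constructed hook", HOOKED_EXCERPT)):
        tables, verdicts = parse_log(text)
        print(label, "verdicts:", verdicts)
        for drv, bad in find_outliers(tables).items():
            for major, addr in bad:
                print(f"  {drv}: IrpHandler ({major}) -> {addr:08X} is outside the driver image")
```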
-
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
- Select Start > All Programs > Accessories > System tools > System Restore.
- On the dialogue box that appears select Create a Restore Point
- Click NEXT
- Enter a name e.g. Clean
- Click CREATE
You now have a clean restore point, to get rid of the bad ones:
- Select Start > All Programs > Accessories > System tools > Disk Cleanup.
- In the Drop down box that appears select your main drive e.g. C
- Click OK
- The system will do some calculation and then display a dialogue box with tabs
- Select the More Options tab.
- At the bottom will be a System Restore box with a CLEANUP button; click this
- Accept the warning and select OK again; the program will close and you are done
To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe (http://oldtimer.geekstogo.com/OTC.exe) by OldTimer:
- Save it to your Desktop.
- Double click OTC.exe.
- Click the CleanUp! button.
- If you are prompted to Reboot during the cleanup, select Yes.
- The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
==
Please download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
==
Download Security Check by screen317 from SpywareInfoforum.org (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or Changelog.fr (http://screen317.changelog.fr/SecurityCheck.exe).
- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
-
BTW, last night I was recommended by a friend to use the Kaspersky online scanner... it said I only had 1 threat: C:\Documents and Settings\tony\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen
So I went thru all my files in Outlook and deleted them... will that be sufficient?
Did everything you asked and here is the request:
Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
CCleaner
Wise Disk Cleaner 4.84
Wise Registry Cleaner 4 Free 4.92
Java(TM) 6 Update 17
Adobe Flash Player 10
Adobe Reader 7.0
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
`````````End of Log```````````
-
It should be fine.
Please download the newest version of Adobe Acrobat Reader from Adobe.com (http://www.adobe.com/products/acrobat/readstep2.html)
Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.
Once old versions are gone, please install the newest version.
==
Please download the newest version of Java from Java.com (http://www.java.com/en/download/manual.jsp).
Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.
Once old versions are gone, please install the newest version.
==
Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.
Software recommendations
Firewall
- Tallemu Online Armor (http://www.tallemu.com/products-online-armor-free.php): the free version is just as good as the premium. I have linked you to the free version.
- Comodo Firewall (http://www.comodo.com/home/internet-security/firewall.php): the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40%. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
- PC Tools Firewall Plus (http://www.pctools.com/firewall/download/): free and excellent firewall.
AntiSpyware
- SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here (http://www.bleepingcomputer.com/tutorials/tutorial49.html).
- Spybot - Search & Destroy (http://www.safer-networking.org/en/tutorial/index.html).
Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.
Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.
Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm
Securing your computer
- Windows Updates (http://update.microsoft.com) - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
- hpHosts file (http://hosts-file.net) replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.
If you are interested:
- Firefox may be downloaded from here: http://www.getfirefox.com
- Opera is available here: http://www.opera.com/download/
See this page (http://www.geekpolice.net/computer-security-f27/preventing-malware-and-being-resistant-to-the-dangers-of-the-internet-t16961.htm) for more info about malware and prevention.
-
Jay
thank you so much for all your help and suggestions!