
Active Unable to access Mcafee website and install security software

Discussion in 'Malware and Virus Removal Archive' started by tanmayroy, 2010/01/21.

  1. 2010/01/21
    tanmayroy

    tanmayroy Inactive Thread Starter

    Joined:
    2010/01/21
    Messages:
    11
    Likes Received:
    0
    [Active] Unable to access Mcafee website and install security software

    I am trying to run the McAfee setup on my laptop, but I run into "internet unavailable" even when the internet connection is up. Also I have seen this kind of behaviour when I try to access any Microsoft-related sites. My main concern is, how do I get rid of any of the spyware that is blocking me from accessing these security-related websites?

    DDS.txt

    DDS (Ver_09-12-01.01) - NTFSx86
    Run by user at 10:25:35.18 on Fri 01/15/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.7 [GMT 5.5:30]

    AV: Quick Heal 9.50 *On-access scanning disabled* (Outdated) {05C1329D-F0E0-4B19-9D15-54F9BC3ADE87}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
    C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROXY.EXE
    C:\PROGRA~1\QUICKH~1\QUICKH~1\quhlpsvc.exe
    C:\PROGRA~1\QUICKH~1\QUICKH~1\scanwscs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\RTHDCPL.EXE
    C:\PROGRA~1\QUICKH~1\QUICKH~1\EMLPROUI.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Google\Google Talk\googletalk.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Belkin\F5D8053v4\BelkinWCUI.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\MESSEN~1\YAHOOM~1.EXE
    C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\O3OZ06A8\dds[1].scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com
    uSearch Page = hxxp://www.google.com
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    mSearchAssistant = hxxp://www.google.com
    uURLSearchHooks: Softonic English Toolbar: {930f1200-f5f1-4870-bac6-e233ec8e7023} - c:\program files\softonic_english\tbSof1.dll
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - d:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - d:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: Softonic English Toolbar: {930f1200-f5f1-4870-bac6-e233ec8e7023} - c:\program files\softonic_english\tbSof1.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - d:\program files\yahoo!\companion\installs\cpn\yt.dll
    uRun: [Messenger (Yahoo!)] "d:\messengers\YahooMessenger.exe" -quiet
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [Email Protection] c:\progra~1\quickh~1\quickh~1\EMLPROUI.EXE
    mRun: [On-Line Protection] c:\progra~1\quickh~1\quickh~1\CATEYE.EXE
    mRun: [Messenger] c:\progra~1\quickh~1\quickh~1\SCANMSG.EXE
    mRun: [Startup Scan] c:\progra~1\quickh~1\quickh~1\Sensor.EXE /LOADRUN
    mRun: [VTTimer] VTTimer.exe
    mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [PC Antispyware 2010] "c:\program files\pc_antispyware2010\PC_Antispyware2010.exe" /hide
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
    mRun: [braviax] braviax.exe
    mRunOnce: [Startup Scan] c:\progra~1\quickh~1\quickh~1\Sensor.EXE /check
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d8053v4\BelkinWCUI.exe
    uPolicies-explorer: StartMenuLogOff = 1 (0x1)
    uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    dPolicies-explorer: StartMenuLogOff = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
    IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - d:\messen~1\YPager.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
    Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    AppInit_DLLs: cru629.dat

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\iezfruc5.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=59033&p=
    FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\iezfruc5.default\extensions\{75ac016f-ff3f-486c-9f98-36637223a8e1}\components\Engine.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

    ============= SERVICES / DRIVERS ===============

    R0 ScreenNT;ScreenNT;c:\windows\system32\drivers\SCREENNT.SYS [2009-1-18 19960]
    R2 EMLSS;EMLSS;c:\windows\system32\drivers\EMLTDI.SYS [2009-1-18 12160]
    R2 OnlineNT;OnlineNT;c:\progra~1\quickh~1\quickh~1\ONLINENT.SYS [2009-1-18 39672]
    R3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2008-10-17 532480]
    S2 cuzdegay;Windows Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
    S2 ftivbrfir;Time Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
    S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2009-9-29 517632]

    =============== Created Last 30 ================

    2009-12-24 01:48:37 0 d-sh--w- c:\documents and settings\user\PrivacIE
    2009-12-24 01:47:40 0 d-sh--w- c:\documents and settings\user\IETldCache
    2009-12-24 01:42:56 0 dc-h--w- c:\windows\ie8
    2009-12-24 01:42:28 0 d--h--w- c:\windows\msdownld.tmp
    2009-12-19 01:22:03 0 d-----w- c:\program files\common files\DivX Shared
    2009-12-19 01:22:02 0 d-----w- c:\program files\DivX

    ==================== Find3M ====================

    2010-01-12 15:28:55 6144 ----a-w- c:\windows\system32\cru629.dat
    2010-01-12 15:28:55 6144 ----a-w- c:\windows\cru629.dat
    2010-01-12 15:28:55 11264 ----a-w- c:\windows\system32\braviax.exe
    2009-10-03 00:36:48 18174 ----a-w- c:\program files\common files\yrulasyvi.exe
    2009-10-03 00:36:48 12880 ----a-w- c:\program files\common files\ozafulinox.sys
    2009-09-28 23:15:37 18308 ----a-w- c:\program files\common files\uhylotu.db
    2009-09-28 23:15:37 17546 ----a-w- c:\program files\common files\ejirawojal.bin
    2009-09-28 23:15:37 15781 ----a-w- c:\program files\common files\rixysag.vbs
    2009-09-28 23:15:37 13197 ----a-w- c:\program files\common files\wywat._dl
    2009-09-28 23:15:37 12008 ----a-w- c:\program files\common files\moton.dat
    2009-09-25 20:00:20 15614 ----a-w- c:\program files\common files\lodikiqob.com
    2009-09-23 17:19:40 17513 ----a-w- c:\program files\common files\ipad._sy
    2009-09-22 13:44:35 15737 ----a-w- c:\program files\common files\upihe.lib
    2009-09-22 13:44:35 15580 ----a-w- c:\program files\common files\ulimixit.db
    2009-09-21 14:47:14 19869 ----a-w- c:\program files\common files\idylalimi._sy
    2009-09-21 14:47:14 19621 ----a-w- c:\program files\common files\usad.sys
    2009-09-21 14:47:14 14092 ----a-w- c:\program files\common files\olec._sy
    2009-09-18 15:33:49 19571 ----a-w- c:\program files\common files\vohyzitot.bat
    2009-09-18 15:33:49 14860 ----a-w- c:\program files\common files\xefaf.bat
    2009-09-18 15:33:49 14493 ----a-w- c:\program files\common files\ifyw.reg
    2009-09-18 15:33:49 13465 ----a-w- c:\program files\common files\zaboxidoj.ban
    2009-09-18 15:33:49 13294 ----a-w- c:\program files\common files\ejyveti.bat
    2009-09-17 14:55:33 12927 ----a-w- c:\program files\common files\iliroxuw.pif
    2009-09-17 14:55:33 11000 ----a-w- c:\program files\common files\uwaxenos.exe
    2009-09-16 18:03:13 19307 ----a-w- c:\program files\common files\cypuk.exe
    2009-09-16 18:03:13 17093 ----a-w- c:\program files\common files\ysucupul.dat
    2009-09-16 18:03:13 16689 ----a-w- c:\program files\common files\kepiv.lib
    2009-09-16 18:03:13 11818 ----a-w- c:\program files\common files\zugibecoh.com
    2009-09-16 18:03:13 11046 ----a-w- c:\program files\common files\tufel.dl
    2009-09-16 12:39:58 18704 ----a-w- c:\program files\common files\fudo.exe
    2009-09-16 12:39:58 14724 ----a-w- c:\program files\common files\ocapubejun.vbs
    2009-09-16 12:39:58 13136 ----a-w- c:\program files\common files\equqosygo.scr
    2009-09-12 13:27:59 11384 ----a-w- c:\program files\common files\pohuqyneda.dl
    2009-09-11 19:27:02 13384 ----a-w- c:\program files\common files\qaruko._dl
    2009-09-11 19:27:02 12712 ----a-w- c:\program files\common files\vinajomeli.exe
    2009-09-11 13:41:25 15479 ----a-w- c:\program files\common files\jogo.reg
    2009-09-11 13:41:25 12136 ----a-w- c:\program files\common files\misyfujihe.lib
    2009-09-11 13:41:25 11438 ----a-w- c:\program files\common files\yfax._dl
    2009-09-02 17:43:56 19209 ----a-w- c:\program files\common files\unisyqy.reg
    2009-09-02 17:43:56 15369 ----a-w- c:\program files\common files\isipetawy.dll
    2009-08-25 12:05:30 15214 ----a-w- c:\program files\common files\ivucabajib.reg
    2009-08-25 12:05:30 10842 ----a-w- c:\program files\common files\azumul.reg
    2009-08-25 12:05:30 10286 ----a-w- c:\program files\common files\ybotudosac.sys
    2009-08-24 15:10:17 18754 ----a-w- c:\program files\common files\vebyrero.scr
    2009-08-24 15:10:17 18591 ----a-w- c:\program files\common files\wawop.lib
    2009-08-24 15:10:17 16605 ----a-w- c:\program files\common files\levinoqove.com
    2009-08-24 15:10:17 11601 ----a-w- c:\program files\common files\ikuc.exe
    2009-08-24 15:10:17 11292 ----a-w- c:\program files\common files\baneme.dl
    2009-08-24 15:10:17 11020 ----a-w- c:\program files\common files\owuqasi._dl
    2009-08-14 11:17:16 17988 ----a-w- c:\program files\common files\paveqyf.vbs
    2009-08-14 11:17:16 17332 ----a-w- c:\program files\common files\uderojyrog.bat
    2009-08-14 11:17:16 12996 ----a-w- c:\program files\common files\adyvic.com
    2004-08-03 22:56:44 160600 --sha-r- c:\windows\system32\gitntiep.dll
    2004-08-03 22:56:44 14744064 --sh--w- c:\windows\system32\icm64.dll

    ============= FINISH: 10:26:13.46 ===============

    Attach.txt


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-12-01.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/18/2009 10:22:49 PM
    System Uptime: 1/12/2010 8:58:32 PM (62 hours ago)

    Motherboard: HCL Infosystems Limited | | Notebook PC
    Processor: Intel(R) Celeron(R) M CPU 440 @ 1.86GHz | mPGA 479m | 1862/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 39 GiB total, 19.18 GiB free.
    D: is FIXED (NTFS) - 35 GiB total, 19.319 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: System Interrupt Controller
    Device ID: PCI\VEN_1106&DEV_5364&SUBSYS_00000000&REV_00\3&61AAA01&0&05
    Manufacturer:
    Name: System Interrupt Controller
    PNP Device ID: PCI\VEN_1106&DEV_5364&SUBSYS_00000000&REV_00\3&61AAA01&0&05
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: 802.11 bg WLAN
    Device ID: USB\VID_148F&PID_2573\5&3F45F29&0&5
    Manufacturer:
    Name: 802.11 bg WLAN
    PNP Device ID: USB\VID_148F&PID_2573\5&3F45F29&0&5
    Service:

    Class GUID:
    Description: Modem Device on High Definition Audio Bus
    Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2C06&SUBSYS_14F10000&REV_1000\5&2F010DBF&0&0102
    Manufacturer:
    Name: Modem Device on High Definition Audio Bus
    PNP Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2C06&SUBSYS_14F10000&REV_1000\5&2F010DBF&0&0102
    Service:

    ==== System Restore Points ===================

    RP111: 10/17/2009 8:43:11 PM - System Checkpoint
    RP112: 10/18/2009 9:11:07 PM - System Checkpoint
    RP113: 10/20/2009 5:37:25 AM - System Checkpoint
    RP114: 10/21/2009 5:42:47 AM - System Checkpoint
    RP115: 10/22/2009 6:02:58 AM - System Checkpoint
    RP116: 10/23/2009 6:17:42 AM - System Checkpoint
    RP117: 10/24/2009 9:39:48 PM - System Checkpoint
    RP118: 10/25/2009 10:08:11 PM - System Checkpoint
    RP119: 10/27/2009 5:48:32 AM - System Checkpoint
    RP120: 10/28/2009 8:24:09 AM - System Checkpoint
    RP121: 10/31/2009 10:21:01 PM - System Checkpoint
    RP122: 11/1/2009 11:18:09 PM - System Checkpoint
    RP123: 11/3/2009 8:59:03 AM - System Checkpoint
    RP124: 11/5/2009 8:45:02 AM - System Checkpoint
    RP125: 11/6/2009 7:14:45 AM - Removed Apple Mobile Device Support
    RP126: 11/8/2009 12:01:18 AM - System Checkpoint
    RP127: 11/11/2009 8:39:12 AM - System Checkpoint
    RP128: 11/12/2009 8:51:45 AM - System Checkpoint
    RP129: 11/14/2009 6:27:59 AM - System Checkpoint
    RP130: 11/15/2009 7:15:38 AM - System Checkpoint
    RP131: 11/18/2009 8:23:54 AM - System Checkpoint
    RP132: 11/20/2009 8:50:47 AM - System Checkpoint
    RP133: 11/22/2009 12:30:28 AM - System Checkpoint
    RP134: 11/23/2009 12:31:30 AM - System Checkpoint
    RP135: 11/25/2009 9:02:02 AM - System Checkpoint
    RP136: 12/2/2009 8:59:27 AM - System Checkpoint
    RP137: 12/4/2009 9:09:15 AM - System Checkpoint
    RP138: 12/7/2009 12:49:52 AM - System Checkpoint
    RP139: 12/8/2009 9:38:17 AM - System Checkpoint
    RP140: 12/9/2009 10:10:58 AM - System Checkpoint
    RP141: 12/10/2009 10:29:27 AM - System Checkpoint
    RP142: 12/12/2009 11:30:26 PM - System Checkpoint
    RP143: 12/13/2009 11:37:15 PM - System Checkpoint
    RP144: 12/15/2009 8:47:29 AM - System Checkpoint
    RP145: 12/18/2009 1:01:30 AM - System Checkpoint
    RP146: 12/19/2009 1:15:43 AM - System Checkpoint
    RP147: 12/20/2009 1:31:16 AM - System Checkpoint
    RP148: 12/21/2009 2:21:59 AM - System Checkpoint
    RP149: 12/22/2009 3:20:54 AM - System Checkpoint
    RP150: 12/23/2009 3:28:03 AM - System Checkpoint
    RP151: 12/24/2009 4:26:58 AM - System Checkpoint
    RP152: 12/24/2009 7:13:58 AM - Installed Windows Internet Explorer 8.
    RP153: 12/25/2009 11:36:15 PM - System Checkpoint
    RP154: 12/26/2009 11:48:30 PM - System Checkpoint
    RP155: 12/28/2009 12:12:24 AM - System Checkpoint
    RP156: 12/30/2009 7:34:43 AM - System Checkpoint
    RP157: 12/31/2009 8:12:43 AM - System Checkpoint
    RP158: 1/1/2010 8:23:10 AM - System Checkpoint
    RP159: 1/2/2010 9:02:44 AM - System Checkpoint
    RP160: 1/3/2010 9:43:37 AM - System Checkpoint
    RP161: 1/5/2010 7:59:04 AM - System Checkpoint
    RP162: 1/6/2010 8:18:58 AM - System Checkpoint
    RP163: 1/8/2010 12:02:06 AM - System Checkpoint
    RP164: 1/9/2010 6:56:05 AM - System Checkpoint
    RP165: 1/11/2010 11:45:52 PM - System Checkpoint
    RP166: 1/13/2010 1:56:49 AM - System Checkpoint
    RP167: 1/14/2010 2:02:39 AM - System Checkpoint
    RP168: 1/15/2010 6:11:42 AM - System Checkpoint

    ==== Installed Programs ======================

    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1
    Advertisement Service
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Belkin N Wireless USB Adapter Setup
    Bonjour
    Counter-Strike 1.6
    DivX Plus Web Player
    DVD Suite
    EA SPORTS online 2007
    FIFA 07
    Google Talk (remove only)
    Guitar Pro 5.2
    High Definition Audio Driver Package - KB888111
    iTunes
    Microsoft Office XP Professional with FrontPage
    Microsoft Visual C++ 2005 Redistributable
    MobileMe Control Panel
    Mozilla Firefox (3.0.16)
    MySQL Server 5.0
    Nero 7 Essentials
    neroxml
    Platform
    PowerDVD
    Quick Heal AntiVirus Plus
    QuickTime
    Realtek AC'97 Audio
    Realtek High Definition Audio Driver
    Skype web features
    Skype™ 4.1
    Softonic_English Toolbar
    VC80CRTRedist - 8.0.50727.4053
    VIA Chrome9 HC IGP Family Display 6.14.10.0164
    VIA Platform Device Manager
    VLC media player 0.9.8a
    WebFldrs XP
    Windows Internet Explorer 8
    Windows Media Format Runtime
    WinRAR archiver
    Yahoo! Messenger
    Yahoo! Toolbar

    ==== Event Viewer Messages From Past Week ========

    1/9/2010 6:23:37 AM, error: Service Control Manager [7023] - The Windows Microsoft service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
    1/9/2010 6:23:37 AM, error: Service Control Manager [7023] - The Time Microsoft service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
    1/9/2010 6:23:37 AM, error: Service Control Manager [7023] - The Network Manager service terminated with the following error: A dynamic link library (DLL) initialization routine failed.

    ==== End Of File ===========================
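A log triage helper, added here as an example (it is not part of the original post, of DDS, or of any tool named in this thread), that reads a DDS.txt like the one above and cross-references its Pseudo HJT Report, SERVICES / DRIVERS, Find3M and Event Viewer sections. Its three indicator rules are this example's own assumptions, and the embedded sample is a constructed excerpt of the log above:

```python
"""Triage helper for a DDS log such as the one posted above.

Added example for this thread, not part of DDS, ComboFix or any other tool
named here; the three indicator rules are this example's own assumptions.
It reads the log text only, cross-referencing the Pseudo HJT Report,
SERVICES / DRIVERS, Find3M and Event Viewer sections.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed excerpt of the DDS.txt posted above (a subset of its lines).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [PC Antispyware 2010] "c:\program files\pc_antispyware2010\PC_Antispyware2010.exe" /hide
mRun: [braviax] braviax.exe
AppInit_DLLs: cru629.dat
============= SERVICES / DRIVERS ===============
R2 EMLSS;EMLSS;c:\windows\system32\drivers\EMLTDI.SYS [2009-1-18 12160]
S2 cuzdegay;Windows Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S2 ftivbrfir;Time Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
==================== Find3M ====================
2010-01-12 15:28:55 6144 ----a-w- c:\windows\system32\cru629.dat
2010-01-12 15:28:55 6144 ----a-w- c:\windows\cru629.dat
2010-01-12 15:28:55 11264 ----a-w- c:\windows\system32\braviax.exe
2004-08-03 22:56:44 160600 --sha-r- c:\windows\system32\gitntiep.dll
==== Event Viewer Messages From Past Week ========
1/9/2010 6:23:37 AM, error: Service Control Manager [7023] - The Windows Microsoft service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
1/9/2010 6:23:37 AM, error: Service Control Manager [7023] - The Time Microsoft service terminated with the following error: A dynamic link library (DLL) initialization routine failed.
"""

RUN_RE = re.compile(r'^[umd]Run(?:Once)?: \[[^\]]*\]\s+(.+)$')
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)(?:\s+\[[^\]]*\])?$')
FILE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(.+)$')
APPINIT_RE = re.compile(r'^AppInit_DLLs:\s*(.*)$')
EVENT_RE = re.compile(r'\[7023\] - The (.+?) service terminated')


@dataclass
class Finding:
    rule: str
    detail: str


def _command_image(command: str) -> str:
    # Strip surrounding quotes and trailing arguments (/hide, -quiet, ...).
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def triage(log: str) -> List[Finding]:
    run_images: List[str] = []
    services: List[Tuple[str, ...]] = []
    recent: Dict[str, List[str]] = {}  # lower-case file name -> Find3M paths
    appinit: List[str] = []
    failed = set()  # display names from SCM 7023 events
    for raw in log.splitlines():
        line = raw.strip()
        if (m := RUN_RE.match(line)):
            run_images.append(_command_image(m.group(1)))
        elif (m := SERVICE_RE.match(line)):
            services.append(m.groups())
        elif (m := FILE_RE.match(line)):
            _date, _size, attrs, path = m.groups()
            if not attrs.startswith('d'):  # skip directory entries
                recent.setdefault(path.rsplit('\\', 1)[-1].lower(), []).append(path)
        elif (m := APPINIT_RE.match(line)):
            appinit += [d for d in re.split(r'[,\s]+', m.group(1)) if d]
        elif (m := EVENT_RE.search(line)):
            failed.add(m.group(1))

    findings: List[Finding] = []
    # Rule 1: AppInit_DLLs is loaded into every process that links user32.dll
    # and is empty on a clean XP install, so any value deserves a look; the
    # Find3M cross-reference shows where copies of that DLL were written.
    for dll in appinit:
        paths = recent.get(dll.lower(), ['no matching file in Find3M'])
        findings.append(Finding('appinit-dll', f'{dll} -> {", ".join(paths)}'))
    # Rule 2: a Run entry naming a bare executable (no path) is resolved via
    # the search path; flag it when that file name was also written recently.
    for image in run_images:
        if '\\' not in image and image.lower() in recent:
            findings.append(Finding('run-bare-exe', f'{image} -> {", ".join(recent[image.lower()])}'))
    # Rule 3: a svchost.exe-hosted service whose display name appears in a
    # Service Control Manager 7023 "DLL initialization routine failed" event:
    # its service DLL could not load, which is how orphaned entries show up.
    for status, name, display, image in services:
        if 'svchost.exe' in image.lower() and display in failed:
            findings.append(Finding('svchost-service', f'{status} {name} ("{display}") -> {image}'))
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_DDS):
        print(f'{finding.rule:16} {finding.detail}')
```

Run against the full DDS.txt it flags the same four entries that the later exeHelper log removes or that the 7023 events point at; everything else in the sample stays silent.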
     
  2. 2010/01/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.


    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    • Please, never rename Combofix unless instructed.
    • Close any open browsers.
    • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    • Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!


    Download HijackThis:
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
    by clicking on Installer under Version 2.0.2
    [DO NOT download version 2.0.3 (beta)]
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     


  4. 2010/01/21
    tanmayroy

    tanmayroy Inactive Thread Starter

    I am unable to access the link to download the software, the link that says 'here or here'. Neither one opens.
     
  5. 2010/01/21
    broni

    broni Moderator Malware Analyst

    See if you can download it from HERE
     
  6. 2010/01/21
    tanmayroy

    tanmayroy Inactive Thread Starter

    Was able to download it, but not able to run the exe.
     
  7. 2010/01/21
    broni

    broni Moderator Malware Analyst

    What does EXACTLY happen?
     
  8. 2010/01/21
    tanmayroy

    tanmayroy Inactive Thread Starter

    A) I tried to save the exe file and run it, nothing really happens.
    1) double clicking on the exe
    2) Run as (with administrator rights)

    B) Secondly, if I directly run it from the site, the response is the same (nothing really happens)
     
  9. 2010/01/21
    broni

    broni Moderator Malware Analyst

    Rename combofix.exe to combofix.com and try again.
     
  10. 2010/01/21
    tanmayroy

    tanmayroy Inactive Thread Starter

    No luck, what could be the problem?
     
  11. 2010/01/21
    broni

    broni Moderator Malware Analyst

    We don't know yet, but we'll get there :)

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run then try to immediately run the following.

    Now download and Run exeHelper.

    * Please download exeHelper from Raktor to your desktop.
    * Double-click on exeHelper.com to run the fix.
    * A black window should pop up, press any key to close once the fix is completed.
    * A log file named log.txt will be created in the directory where you ran exeHelper.com
    * Attach the log.txt file to your next message.

    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Try to run Combofix again.
     
  12. 2010/01/21
    tanmayroy

    tanmayroy Inactive Thread Starter

    Worked as instructed, log follows:
    exeHelper by Raktor
    Build 20091220
    Run at 04:12:26 on 01/22/10
    Now searching...
    Checking for numerical processes...
    Checking for sysguard processes...
    Checking for bad processes...
    Checking for bad files...
    Deleting file C:\WINDOWS\system32\braviax.exe
    Error deleting C:\WINDOWS\system32\braviax.exe - Set for removal on reboot - PLEASE REBOOT
    Deleting file C:\WINDOWS\braviax.exe
    Deleting file C:\WINDOWS\system32\cru629.dat
    Deleting file C:\WINDOWS\cru629.dat
    Checking for bad registry entries...
    Removing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax
    Resetting filetype association for .exe
    Resetting filetype association for .com
    Resetting userinit and shell values...
    Resetting policies...
    --Finished--
     
  13. 2010/01/21
    tanmayroy

    tanmayroy Inactive Thread Starter

    Unable to run Combofix even after repeating the earlier steps.
     
  14. 2010/01/21
    broni

    broni Moderator Malware Analyst

    Delete your Combofix file.
    Download a fresh one from HERE

    I renamed the file for a reason.
     
  15. 2010/01/21
    tanmayroy

    tanmayroy Inactive Thread Starter

    No luck again. It did show the splash screen, a modal window where I had to accept the terms and conditions; I agreed by clicking on Yes,
    then it said that you cannot rename Combofix like you've tried.
     
  16. 2010/01/21
    broni

    broni Moderator Malware Analyst

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    When it is done, a log file should be created on your C: drive called TDSSKiller.txt please copy and paste the contents of that file here.
     
  17. 2010/01/21
    tanmayroy

    tanmayroy Inactive Thread Starter

    Grrrrr..... same problem! Internet unavailable...
    Any mirrors?
     
  18. 2010/01/21
    tanmayroy

    tanmayroy Inactive Thread Starter

    I face the same problem, Internet unavailable, grrrr.
    Any mirrors?
     
  19. 2010/01/21
    broni

    broni Moderator Malware Analyst

    File attached.
     


  20. 2010/01/21
    tanmayroy

    tanmayroy Inactive Thread Starter

    08:27:38:703 0396 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
    08:27:38:703 0396 ================================================================================
    08:27:38:703 0396 SystemInfo:

    08:27:38:703 0396 OS Version: 5.1.2600 ServicePack: 2.0
    08:27:38:703 0396 Product type: Workstation
    08:27:38:703 0396 ComputerName: COMP
    08:27:38:718 0396 UserName: user
    08:27:38:718 0396 Windows directory: C:\WINDOWS
    08:27:38:718 0396 Processor architecture: Intel x86
    08:27:38:718 0396 Number of processors: 1
    08:27:38:718 0396 Page size: 0x1000
    08:27:38:718 0396 Boot type: Normal boot
    08:27:38:718 0396 ================================================================================
    08:27:38:796 0396 UnloadDriverW: NtUnloadDriver error 2
    08:27:38:796 0396 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    08:27:38:796 0396 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    08:27:38:953 0396 UtilityInit: KLMD drop and load success
    08:27:38:953 0396 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
    08:27:38:953 0396 UtilityInit: KLMD open success
    08:27:38:953 0396 UtilityInit: Initialize success
    08:27:38:953 0396
    08:27:38:953 0396 Scanning Services ...
    08:27:38:953 0396 CreateRegParser: Registry parser init started
    08:27:38:953 0396 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
    08:27:38:953 0396 CreateRegParser: DisableWow64Redirection error
    08:27:38:953 0396 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    08:27:38:953 0396 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
    08:27:38:953 0396 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    08:27:38:953 0396 wfopen_ex: Trying to KLMD file open
    08:27:38:953 0396 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
    08:27:38:953 0396 wfopen_ex: File opened ok (Flags 2)
    08:27:38:953 0396 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 9C4B00
    08:27:38:953 0396 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    08:27:38:953 0396 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
    08:27:38:953 0396 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    08:27:38:953 0396 wfopen_ex: Trying to KLMD file open
    08:27:38:953 0396 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
    08:27:38:953 0396 wfopen_ex: File opened ok (Flags 2)
    08:27:38:953 0396 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 9C49F0
    08:27:38:953 0396 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
    08:27:38:953 0396 CreateRegParser: EnableWow64Redirection error
    08:27:38:953 0396 CreateRegParser: RegParser init completed
    08:27:39:500 0396 GetAdvancedServicesInfo: Raw services enum returned 295 services
    08:27:39:500 0396 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    08:27:39:500 0396 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    08:27:39:500 0396
    08:27:39:500 0396 Scanning Kernel memory ...
    08:27:39:500 0396 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
    08:27:39:500 0396 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 84DD2A20
    08:27:39:500 0396 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
    08:27:39:500 0396
    08:27:39:500 0396 DetectCureTDL3: DEVICE_OBJECT: 84C65C68
    08:27:39:500 0396 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84C65C68
    08:27:39:500 0396 KLMD_ReadMem: Trying to ReadMemory 0x84C65C68[0x38]
    08:27:39:500 0396 DetectCureTDL3: DRIVER_OBJECT: 84DD2A20
    08:27:39:500 0396 KLMD_ReadMem: Trying to ReadMemory 0x84DD2A20[0xA8]
    08:27:39:500 0396 KLMD_ReadMem: Trying to ReadMemory 0xE17B0EF0[0x18]
    08:27:39:500 0396 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (0) addr: F7564C30
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (1) addr: 804F320E
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (2) addr: F7564C30
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (3) addr: F755ED9B
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (4) addr: F755ED9B
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (5) addr: 804F320E
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (6) addr: 804F320E
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (7) addr: 804F320E
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (8) addr: 804F320E
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (9) addr: F755F366
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (10) addr: 804F320E
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (11) addr: 804F320E
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (12) addr: 804F320E
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (13) addr: 804F320E
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (14) addr: F755F44D
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (15) addr: F7562FC3
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (16) addr: F755F366
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (17) addr: 804F320E
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (18) addr: 804F320E
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (19) addr: 804F320E
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (20) addr: 804F320E
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (21) addr: 804F320E
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (22) addr: F7560EF3
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (23) addr: F7565A24
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (24) addr: 804F320E
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (25) addr: 804F320E
    08:27:39:500 0396 DetectCureTDL3: IrpHandler (26) addr: 804F320E
    08:27:39:500 0396 TDL3_FileDetect: Processing driver: Disk
    08:27:39:500 0396 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    08:27:39:500 0396 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    08:27:39:546 0396 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    08:27:39:546 0396
    08:27:39:546 0396 DetectCureTDL3: DEVICE_OBJECT: 84C65030
    08:27:39:546 0396 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84C65030
    08:27:39:546 0396 KLMD_ReadMem: Trying to ReadMemory 0x84C65030[0x38]
    08:27:39:546 0396 DetectCureTDL3: DRIVER_OBJECT: 84DD2A20
    08:27:39:546 0396 KLMD_ReadMem: Trying to ReadMemory 0x84DD2A20[0xA8]
    08:27:39:546 0396 KLMD_ReadMem: Trying to ReadMemory 0xE17B0EF0[0x18]
    08:27:39:546 0396 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (0) addr: F7564C30
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (1) addr: 804F320E
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (2) addr: F7564C30
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (3) addr: F755ED9B
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (4) addr: F755ED9B
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (5) addr: 804F320E
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (6) addr: 804F320E
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (7) addr: 804F320E
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (8) addr: 804F320E
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (9) addr: F755F366
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (10) addr: 804F320E
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (11) addr: 804F320E
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (12) addr: 804F320E
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (13) addr: 804F320E
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (14) addr: F755F44D
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (15) addr: F7562FC3
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (16) addr: F755F366
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (17) addr: 804F320E
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (18) addr: 804F320E
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (19) addr: 804F320E
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (20) addr: 804F320E
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (21) addr: 804F320E
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (22) addr: F7560EF3
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (23) addr: F7565A24
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (24) addr: 804F320E
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (25) addr: 804F320E
    08:27:39:546 0396 DetectCureTDL3: IrpHandler (26) addr: 804F320E
    08:27:39:546 0396 TDL3_FileDetect: Processing driver: Disk
    08:27:39:546 0396 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
    08:27:39:546 0396 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
    08:27:39:562 0396 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
    08:27:39:562 0396
    08:27:39:562 0396 DetectCureTDL3: DEVICE_OBJECT: 84DD1920
    08:27:39:562 0396 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84DD1920
    08:27:39:562 0396 DetectCureTDL3: DEVICE_OBJECT: 84CCFA38
    08:27:39:562 0396 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84CCFA38
    08:27:39:562 0396 KLMD_ReadMem: Trying to ReadMemory 0x84CCFA38[0x38]
    08:27:39:562 0396 DetectCureTDL3: DRIVER_OBJECT: 84CBE268
    08:27:39:562 0396 KLMD_ReadMem: Trying to ReadMemory 0x84CBE268[0xA8]
    08:27:39:562 0396 KLMD_ReadMem: Trying to ReadMemory 0xE17B3F90[0x1A]
    08:27:39:562 0396 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (0) addr: F738B572
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (1) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (2) addr: F738B572
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (3) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (4) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (5) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (6) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (7) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (8) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (9) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (10) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (11) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (12) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (13) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (14) addr: F738B592
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (15) addr: F73877B4
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (16) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (17) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (18) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (19) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (20) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (21) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (22) addr: F738B5BC
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (23) addr: F7392164
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (24) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (25) addr: 804F320E
    08:27:39:562 0396 DetectCureTDL3: IrpHandler (26) addr: 804F320E
    08:27:39:562 0396 KLMD_ReadMem: Trying to ReadMemory 0xF73887C6[0x400]
    08:27:39:562 0396 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
    08:27:39:562 0396 TDL3_FileDetect: Processing driver: atapi
    08:27:39:562 0396 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
    08:27:39:562 0396 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
    08:27:39:593 0396 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
    08:27:39:593 0396
    08:27:39:593 0396 Completed
    08:27:39:593 0396
    08:27:39:593 0396 Results:
    08:27:39:593 0396 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    08:27:39:593 0396 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    08:27:39:593 0396 File objects infected / cured / cured on reboot: 0 / 0 / 0
    08:27:39:593 0396
    08:27:39:593 0396 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
    08:27:39:593 0396 UtilityDeinit: KLMD(ARK) unloaded successfully


    Hope this helps
     
  21. 2010/01/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Try to run Combofix again.
    If normal mode doesn't work, try Safe Mode.
     
