Firefox/IE google and yahoo redirects

April 25, 2010 at 09:49:25
Specs: Windows XP
Hi guys, I recently started getting redirects to spam sites when I try and click on search results. Also, randomly, a website will pop up and open a new tab. Please help. I've tried several programs, and nothing works. I have ThreatFire, Malwarebytes, and Ad-Aware.

#1
April 25, 2010 at 10:03:17
Here is my DDS log. I can attach the other file as a .zip if needed.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Valued Customer at 11:53:03.67 on Sun 04/25/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.60 [GMT -5:00]


============== Running Processes ===============

C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\TpShocks.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Hitachi Software Engineering\StarBoard Software\StarBoardControlBox.exe
C:\Program Files\Hitachi Software Engineering\StarBoard Software\StarBoardPrintListener.exe
C:\Program Files\Hitachi Software Engineering\StarBoard Driver\DGBoard.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hitachi Software Engineering\FX-DuoDriver\LSDRVA.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\wentxp.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Valued Customer\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
uWindow Title = Internet Explorer, optimized for Bing and MSN
uDefault_Page_URL = hxxp://www.msn.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe
mRun: [ControlCenter] "c:\program files\ibm fingerprint software\ctlcntr.exe" /startup
mRun: [TP4EX] tp4ex.exe
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ibmmessages] c:\program files\ibm\messages by ibm\\ibmmessages.exe
mRun: [IBMPRC] c:\ibmtools\utils\ibmprc.exe
mRun: [QCTRAY] c:\program files\thinkpad\connectutilities\QCTRAY.EXE
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~1\vptray.exe
mRun: [StarBoardCtrlBox] "c:\program files\hitachi software engineering\starboard software\StarBoardControlBox.exe"
mRun: [StarBoardPrintListener] "c:\program files\hitachi software engineering\starboard software\StarBoardPrintListener.exe" -t90000
mRun: [StarBoardDriver] "c:\program files\hitachi software engineering\starboard driver\DGBoard.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
StartupFolder: c:\docume~1\valued~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\starbo~1.lnk - c:\program files\hitachi software engineering\fx-duodriver\LSDRVA.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - c:\program files\lenovo\pkgmgr\\PkgMgr.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: myspace.com\www
Trusted Zone: www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: psfus - c:\program files\ibm fingerprint software\psfus.dll
Notify: QConGina - QConGina.dll
Notify: tphotkey - tphklock.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\valued~1\applic~1\mozilla\firefox\profiles\m97d68h5.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np32asw.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============


#2
April 25, 2010 at 10:31:51
Here is my TDSSKiller log:

12:12:42:562 2212 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
12:12:42:562 2212 ================================================================================
12:12:42:562 2212 SystemInfo:

12:12:42:562 2212 OS Version: 5.1.2600 ServicePack: 3.0
12:12:42:562 2212 Product type: Workstation
12:12:42:562 2212 ComputerName: IBM-2629197A77C
12:12:42:562 2212 UserName: Valued Customer
12:12:42:562 2212 Windows directory: C:\WINDOWS
12:12:42:562 2212 Processor architecture: Intel x86
12:12:42:562 2212 Number of processors: 1
12:12:42:562 2212 Page size: 0x1000
12:12:42:671 2212 Boot type: Normal boot
12:12:42:671 2212 ================================================================================
12:12:42:703 2212 UnloadDriverW: NtUnloadDriver error 2
12:12:42:703 2212 ForceUnloadDriverW: UnloadDriverW(klmd21) error 0
12:13:03:875 2212 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
12:13:03:875 2212 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:13:03:875 2212 wfopen_ex: Trying to KLMD file open
12:13:03:875 2212 wfopen_ex: File opened ok (Flags 2)
12:13:03:875 2212 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
12:13:03:875 2212 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:13:03:875 2212 wfopen_ex: Trying to KLMD file open
12:13:03:875 2212 wfopen_ex: File opened ok (Flags 2)
12:13:03:875 2212 Initialize success
12:13:03:875 2212
12:13:03:875 2212 Scanning Services ...
12:13:04:500 2212 Raw services enum returned 383 services
12:13:04:531 2212
12:13:04:531 2212 Scanning Kernel memory ...
12:13:04:531 2212 Devices to scan: 3
12:13:04:531 2212
12:13:04:531 2212 Driver Name: Disk
12:13:04:531 2212 IRP_MJ_CREATE : F860ABB0
12:13:04:531 2212 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
12:13:04:531 2212 IRP_MJ_CLOSE : F860ABB0
12:13:04:531 2212 IRP_MJ_READ : F8604D1F
12:13:04:531 2212 IRP_MJ_WRITE : F8604D1F
12:13:04:531 2212 IRP_MJ_QUERY_INFORMATION : 804F355A
12:13:04:531 2212 IRP_MJ_SET_INFORMATION : 804F355A
12:13:04:531 2212 IRP_MJ_QUERY_EA : 804F355A
12:13:04:531 2212 IRP_MJ_SET_EA : 804F355A
12:13:04:531 2212 IRP_MJ_FLUSH_BUFFERS : F86052E2
12:13:04:531 2212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
12:13:04:531 2212 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
12:13:04:531 2212 IRP_MJ_DIRECTORY_CONTROL : 804F355A
12:13:04:531 2212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
12:13:04:531 2212 IRP_MJ_DEVICE_CONTROL : F86053BB
12:13:04:531 2212 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8608F28
12:13:04:531 2212 IRP_MJ_SHUTDOWN : F86052E2
12:13:04:531 2212 IRP_MJ_LOCK_CONTROL : 804F355A
12:13:04:531 2212 IRP_MJ_CLEANUP : 804F355A
12:13:04:531 2212 IRP_MJ_CREATE_MAILSLOT : 804F355A
12:13:04:531 2212 IRP_MJ_QUERY_SECURITY : 804F355A
12:13:04:531 2212 IRP_MJ_SET_SECURITY : 804F355A
12:13:04:531 2212 IRP_MJ_POWER : F8606C82
12:13:04:531 2212 IRP_MJ_SYSTEM_CONTROL : F860B99E
12:13:04:531 2212 IRP_MJ_DEVICE_CHANGE : 804F355A
12:13:04:531 2212 IRP_MJ_QUERY_QUOTA : 804F355A
12:13:04:531 2212 IRP_MJ_SET_QUOTA : 804F355A
12:13:04:593 2212 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:13:04:593 2212
12:13:04:593 2212 Driver Name: Disk
12:13:04:593 2212 IRP_MJ_CREATE : F860ABB0
12:13:04:593 2212 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
12:13:04:593 2212 IRP_MJ_CLOSE : F860ABB0
12:13:04:593 2212 IRP_MJ_READ : F8604D1F
12:13:04:593 2212 IRP_MJ_WRITE : F8604D1F
12:13:04:593 2212 IRP_MJ_QUERY_INFORMATION : 804F355A
12:13:04:593 2212 IRP_MJ_SET_INFORMATION : 804F355A
12:13:04:593 2212 IRP_MJ_QUERY_EA : 804F355A
12:13:04:593 2212 IRP_MJ_SET_EA : 804F355A
12:13:04:593 2212 IRP_MJ_FLUSH_BUFFERS : F86052E2
12:13:04:593 2212 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
12:13:04:593 2212 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
12:13:04:593 2212 IRP_MJ_DIRECTORY_CONTROL : 804F355A
12:13:04:593 2212 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
12:13:04:593 2212 IRP_MJ_DEVICE_CONTROL : F86053BB
12:13:04:593 2212 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8608F28
12:13:04:593 2212 IRP_MJ_SHUTDOWN : F86052E2
12:13:04:593 2212 IRP_MJ_LOCK_CONTROL : 804F355A
12:13:04:593 2212 IRP_MJ_CLEANUP : 804F355A
12:13:04:593 2212 IRP_MJ_CREATE_MAILSLOT : 804F355A
12:13:04:593 2212 IRP_MJ_QUERY_SECURITY : 804F355A
12:13:04:593 2212 IRP_MJ_SET_SECURITY : 804F355A
12:13:04:593 2212 IRP_MJ_POWER : F8606C82
12:13:04:593 2212 IRP_MJ_SYSTEM_CONTROL : F860B99E
12:13:04:593 2212 IRP_MJ_DEVICE_CHANGE : 804F355A
12:13:04:593 2212 IRP_MJ_QUERY_QUOTA : 804F355A
12:13:04:593 2212 IRP_MJ_SET_QUOTA : 804F355A
12:13:04:625 2212 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
12:13:04:625 2212
12:13:04:625 2212 Driver Name: atapi
12:13:04:625 2212 IRP_MJ_CREATE : 82CB1AC8
12:13:04:625 2212 IRP_MJ_CREATE_NAMED_PIPE : 82CB1AC8
12:13:04:625 2212 IRP_MJ_CLOSE : 82CB1AC8
12:13:04:625 2212 IRP_MJ_READ : 82CB1AC8
12:13:04:625 2212 IRP_MJ_WRITE : 82CB1AC8
12:13:04:625 2212 IRP_MJ_QUERY_INFORMATION : 82CB1AC8
12:13:04:625 2212 IRP_MJ_SET_INFORMATION : 82CB1AC8
12:13:04:625 2212 IRP_MJ_QUERY_EA : 82CB1AC8
12:13:04:625 2212 IRP_MJ_SET_EA : 82CB1AC8
12:13:04:625 2212 IRP_MJ_FLUSH_BUFFERS : 82CB1AC8
12:13:04:625 2212 IRP_MJ_QUERY_VOLUME_INFORMATION : 82CB1AC8
12:13:04:625 2212 IRP_MJ_SET_VOLUME_INFORMATION : 82CB1AC8
12:13:04:625 2212 IRP_MJ_DIRECTORY_CONTROL : 82CB1AC8
12:13:04:625 2212 IRP_MJ_FILE_SYSTEM_CONTROL : 82CB1AC8
12:13:04:625 2212 IRP_MJ_DEVICE_CONTROL : 82CB1AC8
12:13:04:625 2212 IRP_MJ_INTERNAL_DEVICE_CONTROL : 82CB1AC8
12:13:04:625 2212 IRP_MJ_SHUTDOWN : 82CB1AC8
12:13:04:625 2212 IRP_MJ_LOCK_CONTROL : 82CB1AC8
12:13:04:625 2212 IRP_MJ_CLEANUP : 82CB1AC8
12:13:04:625 2212 IRP_MJ_CREATE_MAILSLOT : 82CB1AC8
12:13:04:625 2212 IRP_MJ_QUERY_SECURITY : 82CB1AC8
12:13:04:625 2212 IRP_MJ_SET_SECURITY : 82CB1AC8
12:13:04:625 2212 IRP_MJ_POWER : 82CB1AC8
12:13:04:625 2212 IRP_MJ_SYSTEM_CONTROL : 82CB1AC8
12:13:04:625 2212 IRP_MJ_DEVICE_CHANGE : 82CB1AC8
12:13:04:625 2212 IRP_MJ_QUERY_QUOTA : 82CB1AC8
12:13:04:625 2212 IRP_MJ_SET_QUOTA : 82CB1AC8
12:13:04:625 2212 Driver "atapi" infected by TDSS rootkit!
12:13:04:625 2212 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
12:13:04:625 2212 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ... 12:13:04:625 2212 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
12:13:04:625 2212 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
12:13:05:250 2212 vfvi6
12:13:05:593 2212 !dsvbh1
12:13:08:031 2212 dsvbh2
12:13:08:046 2212 fdfb2
12:13:08:046 2212 Backup copy found, using it..
12:13:08:109 2212 will be cured on next reboot
12:13:08:109 2212 Reboot required for cure complete..
12:13:08:234 2212 Cure on reboot scheduled successfully
12:13:08:234 2212
12:13:08:234 2212 Completed
12:13:08:234 2212
12:13:08:234 2212 Results:
12:13:08:234 2212 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
12:13:08:234 2212 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:13:08:234 2212 File objects infected / cured / cured on reboot: 1 / 0 / 1
12:13:08:234 2212
12:13:08:234 2212 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
12:13:08:234 2212 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
12:13:08:234 2212 UnloadDriverW: NtUnloadDriver error 1
12:13:08:265 2212 KLMD(ARK) unloaded successfully


#3
April 25, 2010 at 14:10:45
Can someone help me, please?
