
Google Redirect + Fake svchost.exe Keeps Coming back [Closed]


  • This topic is locked

#16
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hi

Please download Dr.Web CureIt. Save it to your desktop:
  • Double-click the drweb-cureit.exe file and click Scan to run express scan. Click OK in the pop-up window to allow the scan.
  • This will scan the files currently running in memory and if something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Note: this report may need to be renamed to Dr.Web.txt in order to post it on the forum.
  • Please post the Dr.Web.txt report in your next reply.
  • Close Dr.Web CureIt.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
NOTE: During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on the X in the upper right corner.
  • 0


#17
Stan228

Stan228

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hey there, below are the results of my complete DrWeb scan. Still too soon for me to tell if it killed the problem.

Thanks,

Dean


DesktopDoctor.msi/stream000\file_pf_388;C:\Program Files\support.com\temp\DesktopDoctor.msi/stream000;Probably DLOADER.Trojan;;
DesktopDoctor.msi/stream000\file_pf_391;C:\Program Files\support.com\temp\DesktopDoctor.msi/stream000;Probably DLOADER.Trojan;;
stream000;C:\Program Files\support.com\temp;Archive contains infected objects;;
DesktopDoctor.msi;C:\Program Files\support.com\temp;Archive contains infected objects;Moved.;
8257a9.msi/stream000\file_pf_388;C:\Windows\Installer\8257a9.msi/stream000;Probably DLOADER.Trojan;;
8257a9.msi/stream000\file_pf_391;C:\Windows\Installer\8257a9.msi/stream000;Probably DLOADER.Trojan;;
stream000;C:\Windows\Installer;Archive contains infected objects;;
8257a9.msi;C:\Windows\Installer;Archive contains infected objects;Moved.;
  • 0
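As an added triage example (not part of the thread and not Dr.Web's own code): a small Python parser for the semicolon-separated report posted above. It assumes only the layout the report shows, four fields per line (object; directory; verdict; action) with an empty action when Dr.Web left the object alone, and works out which payload detections were handled because their containing archive was moved, so whatever is left over is what still needs attention.

```python
"""Triage helper for a Dr.Web CureIt report.

Added example for this thread; it is not part of the forum post and not
Dr.Web's own code. It assumes the layout visible in post #17: one object per
line, four ';'-separated fields (object; directory; verdict; action), the
action field empty when Dr.Web did nothing to that object.
"""
from collections import Counter
from dataclasses import dataclass

CONTAINER_VERDICT = "Archive contains infected objects"

# Report lines as posted above (post #17); they serve as the sample input.
SAMPLE_REPORT = r"""
DesktopDoctor.msi/stream000\file_pf_388;C:\Program Files\support.com\temp\DesktopDoctor.msi/stream000;Probably DLOADER.Trojan;;
DesktopDoctor.msi/stream000\file_pf_391;C:\Program Files\support.com\temp\DesktopDoctor.msi/stream000;Probably DLOADER.Trojan;;
stream000;C:\Program Files\support.com\temp;Archive contains infected objects;;
DesktopDoctor.msi;C:\Program Files\support.com\temp;Archive contains infected objects;Moved.;
8257a9.msi/stream000\file_pf_388;C:\Windows\Installer\8257a9.msi/stream000;Probably DLOADER.Trojan;;
8257a9.msi/stream000\file_pf_391;C:\Windows\Installer\8257a9.msi/stream000;Probably DLOADER.Trojan;;
stream000;C:\Windows\Installer;Archive contains infected objects;;
8257a9.msi;C:\Windows\Installer;Archive contains infected objects;Moved.;
"""


@dataclass
class Detection:
    obj: str
    directory: str
    verdict: str
    action: str  # "" when the object was left in place

    @property
    def path(self) -> str:
        return f"{self.directory}\\{self.obj}"

    @property
    def is_container_note(self) -> bool:
        # Informational line about an archive, not a verdict on a payload.
        return self.verdict == CONTAINER_VERDICT


def parse_report(text: str) -> list[Detection]:
    """Split each non-empty report line into its four fields."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"unexpected line layout: {line!r}")
        records.append(Detection(*fields[:4]))
    return records


def moved_containers(records: list[Detection]) -> list[str]:
    """Full paths of the objects Dr.Web moved to quarantine."""
    return [r.path for r in records if r.action.startswith("Moved")]


def unresolved(records: list[Detection]) -> list[Detection]:
    """Payload verdicts with no action that sit outside any moved container.

    Members of an archive carry an empty action because the whole container
    was moved; anything that survives this filter still needs attention.
    """
    moved = [p.lower() for p in moved_containers(records)]
    leftovers = []
    for r in records:
        if r.is_container_note or r.action:
            continue
        if any(r.directory.lower().startswith(p) for p in moved):
            continue
        leftovers.append(r)
    return leftovers


def verdict_counts(records: list[Detection]) -> Counter:
    """How many payload detections each verdict accounts for."""
    return Counter(r.verdict for r in records if not r.is_container_note)


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(f"{len(recs)} lines, {len(moved_containers(recs))} containers quarantined")
    for verdict, n in verdict_counts(recs).items():
        print(f"  {n} x {verdict}")
    print("still unresolved:", [r.path for r in unresolved(recs)] or "none")
```

On the posted report this reports two quarantined containers, four DLOADER.Trojan members inside them, and nothing unresolved, which matches the helper's next step of looking elsewhere for what keeps the redirect alive.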

#18
Stan228

Stan228

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
All seems to be well now. No redirect yet, no fake svchosts in quarantine, and CPU levels seem to have returned to normal. Crossing my fingers that nothing reappears. Did you see anything in that scan that seems like the culprit?


Thanks for all your help and quick responses. Very much appreciated :)


Happy Holidays!


Best,

Dean
  • 0

#19
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
can you try running GMER again

and do this

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine, if not, do this yourself to ensure a complete clean.


Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

  • 0

#20
Stan228

Stan228

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Yeah, will do that now. Funny you just posted this, my Google results got hijacked again about 5 minutes ago. It seems like the fake svchost part is dead, since CPU levels seem normal -- but something is still there.


Will reply soon.
  • 0

#21
Stan228

Stan228

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
GMER worked this time. Here is the log:

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-15 04:46:33
Windows 6.1.7600
Running: svchost.com.exe; Driver: C:\Users\DEANWA~1\AppData\Local\Temp\awlyifod.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83240AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83240104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832403F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83228634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83228898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832401DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83240958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832406F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83240F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832411A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E59579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E7DF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\drivers\jykovhsx.sys The system cannot find the path specified. !
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x91231320, 0x3F5147, 0xE8000020]
.text peauth.sys 9DE93C9D 28 Bytes [C4, 98, 01, 1C, 33, 64, 26, ...]
.text peauth.sys 9DE93CC1 28 Bytes [C4, 98, 01, 1C, 33, 64, 26, ...]
PAGE peauth.sys 9DE99B9B 72 Bytes [09, 8D, B1, CF, 6B, E2, 35, ...]
PAGE peauth.sys 9DE99BEC 83 Bytes [D9, 60, 78, A9, A4, 6F, DB, ...]
PAGE peauth.sys 9DE99C40 27 Bytes JMP 16A28CC6
PAGE ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\rundll32.exe[228] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[228] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[228] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[228] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1236] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1236] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1236] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1236] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2344] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2344] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2344] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2344] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2344] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3412] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3412] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3412] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3412] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3748] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3748] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3748] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3748] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3756] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3756] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3756] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3756] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000049 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Attached Files

  • Attached File  GMER.txt   11.42KB   157 downloads

  • 0
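As an added triage example (not part of the post and not GMER's own code): a Python script that splits a GMER log into its sections and pulls out the items a helper would look at first. It assumes only what the log above shows, the `---- <name> - GMER <version> ----` section markers, `?`-prefixed kernel lines for a loaded driver whose file could not be opened (the `jykovhsx.sys` line above), `section is writeable` notes, and `IAT <process>[pid] @ <module> [<import>] [<address>] <target>` lines, which it groups by the module that now receives the calls so that one destination shared by every process (here `apphelp.dll`, described in the log itself as Microsoft's Application Compatibility Client Library) is seen at a glance rather than as twenty-odd separate lines. The sample input is a shortened excerpt of the posted log.

```python
"""Triage helper for a GMER rootkit-scan log.

Added example for this thread; not part of the post and not GMER's own code.
It assumes only the layout visible in the log above: sections delimited by
'---- <name> - GMER <version> ----', '?'-prefixed kernel lines for drivers
whose file could not be opened, 'section is writeable' notes, and
'IAT <process>[pid] @ <module> [<import>] [<addr>] <target>' lines.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
IAT_RE = re.compile(
    r"^IAT (?P<process>.+?)\[(?P<pid>\d+)\] @ (?P<module>\S+) "
    r"\[(?P<import>\S+)\] \[(?P<addr>[0-9A-Fa-f]+)\] (?P<target>\S+)"
)

# Shortened excerpt of the GMER log posted above (post #21); sample input.
SAMPLE_LOG = r"""
GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-15 04:46:33
Windows 6.1.7600

---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83240AF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E59579 1 Byte [06]
? System32\drivers\jykovhsx.sys The system cannot find the path specified. !
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x91231320, 0x3F5147, 0xE8000020]
.text peauth.sys 9DE93C9D 28 Bytes [C4, 98, 01, 1C, 33, 64, 26, ...]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\rundll32.exe[228] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[228] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2344] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
"""


def basename(path: str) -> str:
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def split_sections(text: str) -> dict[str, list[str]]:
    """Map each section name to its non-empty lines; the preamble is 'Header'."""
    sections: dict[str, list[str]] = defaultdict(list)
    current = "Header"
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections[current].append(line)
    return dict(sections)


def kernel_findings(sections: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Items in 'Kernel code sections' a reviewer should look at first."""
    findings = []
    for line in sections.get("Kernel code sections", []):
        parts = line.split()
        if line.startswith("?"):
            # GMER saw a loaded driver whose backing file it could not open;
            # a driver with no file on disk needs an explanation.
            findings.append(("driver file not found", parts[1]))
        elif "section is writeable" in line:
            # A writeable code section means that module's code can be patched
            # in place at run time.
            findings.append(("writeable code section", parts[1]))
    return findings


def iat_summary(sections: dict[str, list[str]]) -> dict[str, set[str]]:
    """Group IAT redirections by the module that now receives the calls."""
    by_target: dict[str, set[str]] = defaultdict(set)
    for line in sections.get("User IAT/EAT", []):
        m = IAT_RE.match(line)
        if not m:
            continue
        target = basename(m.group("target")).lower()
        by_target[target].add(f"{basename(m.group('process'))}[{m.group('pid')}]")
    return dict(by_target)


if __name__ == "__main__":
    secs = split_sections(SAMPLE_LOG)
    for kind, what in kernel_findings(secs):
        print(f"REVIEW  {kind}: {what}")
    for target, procs in iat_summary(secs).items():
        print(f"IAT -> {target}: {len(procs)} process(es): {', '.join(sorted(procs))}")
```

The two kernel findings are the lines the helper would want explained: a loaded driver with no file at its recorded path, and a driver with a writeable code section. The IAT summary is there to stop the eye from lingering on the repeated `apphelp.dll` lines; grouping shows that every process in the log is redirected to the same Microsoft library, which is what the posted log already says about each of them.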

#22
Stan228

Stan228

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Here are the results of the MBAM quick scan:

Malwarebytes' Anti-Malware 1.42
Database version: 3363
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

12/15/2009 5:02:35 AM
mbam-log-2009-12-15 (05-02-35).txt

Scan type: Quick Scan
Objects scanned: 101516
Time elapsed: 5 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#23
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
and kaspersky
  • 0

#24
Stan228

Stan228

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Here it is. Took a while to complete, and went to bed. Google redirect still occurring. It found some things that look serious in Outlook (which I never use).

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, December 15, 2009
Operating system: Microsoft Professional (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, December 15, 2009 12:55:52
Records in database: 3374747
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 146871
Threats found: 2
Infected objects found: 1
Suspicious objects found: 2
Scan duration: 02:15:38


File name / Threat / Threats count
C:\Users\Dean Wallace\AppData\Local\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Users\Dean Wallace\AppData\Local\Microsoft\Outlook\Outlook.pst Infected: Email-Worm.Win32.Zhelatin.a 1

Selected area has been scanned.
  • 0

#25
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hi

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

  • 0


#26
Stan228

Stan228

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Host Name: DEANWALLACE-PC
OS Name: Microsoft Windows 7 Ultimate
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Dean Wallace
Registered Organization:
Product ID: 00426-292-1324524-85440
Original Install Date: 10/7/2009, 10:30:14 PM
System Boot Time: 12/15/2009, 5:21:32 AM
System Manufacturer: Dell Inc.
System Model: XPS M1530
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 6 Model 15 Stepping 13 GenuineIntel ~1667 Mhz
BIOS Version: Dell Inc. A09, 7/14/2008
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume3
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 3,070 MB
Available Physical Memory: 1,556 MB
Virtual Memory: Max Size: 6,138 MB
Virtual Memory: Available: 4,733 MB
Virtual Memory: In Use: 1,405 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\DEANWALLACE-PC
Hotfix(s): 11 Hotfix(s) Installed.
[01]: KB973525
[02]: KB973874
[03]: KB974332
[04]: KB974431
[05]: KB974455
[06]: KB974571
[07]: KB975364
[08]: KB975467
[09]: KB976098
[10]: KB976325
[11]: KB976749
Network Card(s): 3 NIC(s) Installed.
[01]: Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
Connection Name: Local Area Connection
Status: Media disconnected
[02]: Dell Wireless 1490 Dual Band WLAN Mini-Card
Connection Name: Wireless Network Connection
DHCP Enabled: Yes
DHCP Server: 192.168.2.1
IP address(es)
[01]: 192.168.2.3
[02]: fe80::603f:4f85:d645:d9f8
[03]: Microsoft Virtual WiFi Miniport Adapter
Connection Name: Wireless Network Connection 2
Status: Media disconnected
16:51:48:719 1828 ForceUnloadDriver: NtUnloadDriver error 2
16:51:48:721 1828 ForceUnloadDriver: NtUnloadDriver error 2
16:51:48:722 1828 ForceUnloadDriver: NtUnloadDriver error 2
16:51:48:801 1828 main: Driver KLMD successfully dropped
16:51:48:833 1828 main: Driver KLMD successfully loaded
16:51:48:833 1828
Scanning Registry ...
16:51:48:834 1828 ScanServices: Searching service UACd.sys
16:51:48:834 1828 ScanServices: Open/Create key error 2
16:51:48:834 1828 ScanServices: Searching service TDSSserv.sys
16:51:48:834 1828 ScanServices: Open/Create key error 2
16:51:48:834 1828 ScanServices: Searching service gaopdxserv.sys
16:51:48:834 1828 ScanServices: Open/Create key error 2
16:51:48:834 1828 ScanServices: Searching service gxvxcserv.sys
16:51:48:834 1828 ScanServices: Open/Create key error 2
16:51:48:834 1828 ScanServices: Searching service MSIVXserv.sys
16:51:48:834 1828 ScanServices: Open/Create key error 2
16:51:48:838 1828 UnhookRegistry: Kernel module file name: C:\Windows\system32\ntkrnlpa.exe, base addr: 82E1D000
16:51:48:838 1828 UnhookRegistry: Kernel local addr: 1530000
16:51:48:838 1828 UnhookRegistry: KeServiceDescriptorTable addr: 16989C0
16:51:48:841 1828 UnhookRegistry: KiServiceTable addr: 159F6F0
16:51:48:841 1828 UnhookRegistry: NtEnumerateKey service number (local): 74
16:51:48:841 1828 UnhookRegistry: NtEnumerateKey local addr: 1795A2F
16:51:48:846 1828 KLMD_OpenDevice: Trying to open KLMD device
16:51:48:846 1828 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
16:51:48:846 1828 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
16:51:48:846 1828 KLMD_ReadMem: Trying to ReadMemory 0x82E5E2A5[0x4]
16:51:48:846 1828 UnhookRegistry: NtEnumerateKey service number (kernel): 74
16:51:48:846 1828 KLMD_ReadMem: Trying to ReadMemory 0x82E8C8C0[0x4]
16:51:48:846 1828 UnhookRegistry: NtEnumerateKey real addr: 83082A2F
16:51:48:846 1828 UnhookRegistry: NtEnumerateKey calc addr: 83082A2F
16:51:48:846 1828 UnhookRegistry: No SDT hooks found on NtEnumerateKey
16:51:48:846 1828 KLMD_ReadMem: Trying to ReadMemory 0x83082A2F[0xA]
16:51:48:846 1828 UnhookRegistry: No splicing found on NtEnumerateKey
16:51:48:850 1828
Scanning Kernel memory ...
16:51:48:851 1828 KLMD_OpenDevice: Trying to open KLMD device
16:51:48:851 1828 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
16:51:48:851 1828 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
16:51:48:851 1828 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 87097D18
16:51:48:851 1828 DetectCureTDL3: KLMD_GetDeviceObjectList returned 1 DevObjects
16:51:48:851 1828 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 87099720
16:51:48:851 1828 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87099720
16:51:48:851 1828 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 862E3030
16:51:48:851 1828 KLMD_GetLowerDeviceObject: Trying to get lower device object for 862E3030
16:51:48:851 1828 KLMD_ReadMem: Trying to ReadMemory 0x862E3030[0x38]
16:51:48:851 1828 DetectCureTDL3: DRIVER_OBJECT addr: 862D8CC0
16:51:48:851 1828 KLMD_ReadMem: Trying to ReadMemory 0x862D8CC0[0xA8]
16:51:48:851 1828 KLMD_ReadMem: Trying to ReadMemory 0x8629D8C8[0x208]
16:51:48:851 1828 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor
16:51:48:852 1828 DetectCureTDL3: IrpHandler (0) addr: 8B47E818
16:51:48:852 1828 DetectCureTDL3: IrpHandler (1) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (2) addr: 8B47E818
16:51:48:852 1828 DetectCureTDL3: IrpHandler (3) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (4) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (5) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (6) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (7) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (8) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (9) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (10) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (11) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (12) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (13) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (14) addr: 8B47C132
16:51:48:852 1828 DetectCureTDL3: IrpHandler (15) addr: 8B479918
16:51:48:852 1828 DetectCureTDL3: IrpHandler (16) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (17) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (18) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (19) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (20) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (21) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (22) addr: 8B475AB4
16:51:48:852 1828 DetectCureTDL3: IrpHandler (23) addr: 8B47507C
16:51:48:852 1828 DetectCureTDL3: IrpHandler (24) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (25) addr: 82ECE437
16:51:48:852 1828 DetectCureTDL3: IrpHandler (26) addr: 82ECE437
16:51:48:852 1828 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
16:51:48:853 1828 KLMD_ReadMem: DeviceIoControl error 1
16:51:48:853 1828 TDL3_StartIoHookDetect: Unable to get StartIo handler code
16:51:48:853 1828 TDL3_FileDetect: Processing driver: iaStor
16:51:48:853 1828 TDL3_FileDetect: Parameters: C:\Windows\system32\drivers\tsk_iastor.sys, C:\Windows\system32\Drivers\tsk_tsk_iastor.sys, SYSTEM\CurrentControlSet\Services\iaStor, system32\Drivers\tsk_tsk_iastor.sys
16:51:48:853 1828 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\tsk_iastor.sys
16:51:48:853 1828 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\tsk_iastor.sys
16:51:48:875 1828
Completed

Results:
16:51:48:875 1828 Infected objects in memory: 0
16:51:48:876 1828 Cured objects in memory: 0
16:51:48:876 1828 Infected objects on disk: 0
16:51:48:877 1828 Objects on disk cured on reboot: 0
16:51:48:877 1828 Objects on disk deleted on reboot: 0
16:51:48:878 1828 Registry nodes deleted on reboot: 0
16:51:48:878 1828
  • 0

#27
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
still redirected ?
  • 0

#28
Stan228

Stan228

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Unfortunately, yes. The other stuff is gone, but not the redirect.
  • 0

#29
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
hi

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to move:
C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_x86_neutral_9b7f21209ab560c7\iaStor.sys | C:\Windows\System32\drivers\iaStor.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply
  • 0

#30
Stan228

Stan228

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
This thing is set on remaining hidden :-/

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File move operation "C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_x86_neutral_9b7f21209ab560c7\iaStor.sys|C:\Windows\System32\drivers\iaStor.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.
  • 0





