Start, Run, cmd, OK.
notepad TDSSKiller.2.2.4_18.02.2010_20.21.14_log.txt
Copy the text and paste it into a reply.
Ron
Browser Issues
Started by
butterrice
, Feb 10 2010 04:18 AM
#46
Posted 19 February 2010 - 06:13 PM
RKinner
-
- Expert
-
- 24,625 posts
Malware Expert
Start, Run, cmd, OK.
notepad TDSSKiller.2.2.4_18.02.2010_20.21.14_log.txt
Copy the text and paste it into a reply.
Ron
#47
Posted 19 February 2010 - 06:45 PM
butterrice
- Topic Starter
-
- Member
-
- 403 posts
Member
A prompt comes up that says "cannot find the TDSSKiller.2.2.4_18.02.2010_20.21.14.log.txt file. Do you want to create a new file?"
#48
Posted 19 February 2010 - 07:02 PM
RKinner
-
- Expert
-
- 24,625 posts
Malware Expert
Sorry. Left out the \
start, run, cmd, OK then:
notepad \TDSSKiller.2.2.4_18.02.2010_20.21.14_log.txt
start, run, cmd, OK then:
notepad \TDSSKiller.2.2.4_18.02.2010_20.21.14_log.txt
#49
Posted 19 February 2010 - 07:14 PM
butterrice
- Topic Starter
-
- Member
-
- 403 posts
Member
Got it:
20:21:14:015 0204 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
20:21:14:015 0204 ================================================================================
20:21:14:015 0204 SystemInfo:
20:21:14:015 0204 OS Version: 5.1.2600 ServicePack: 3.0
20:21:14:015 0204 Product type: Workstation
20:21:14:015 0204 ComputerName: ACER-CELERON-M
20:21:14:015 0204 UserName: Bea
20:21:14:015 0204 Windows directory: C:\WINDOWS
20:21:14:015 0204 Processor architecture: Intel x86
20:21:14:015 0204 Number of processors: 1
20:21:14:015 0204 Page size: 0x1000
20:21:14:015 0204 Boot type: Normal boot
20:21:14:015 0204 ================================================================================
20:21:14:046 0204 UnloadDriverW: NtUnloadDriver error 2
20:21:14:046 0204 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
20:21:14:078 0204 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
20:21:14:187 0204 UtilityInit: KLMD drop and load success
20:21:14:187 0204 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
20:21:14:187 0204 UtilityInit: KLMD open success
20:21:14:187 0204 UtilityInit: Initialize success
20:21:14:187 0204
20:21:14:187 0204 Scanning Services ...
20:21:14:187 0204 CreateRegParser: Registry parser init started
20:21:14:187 0204 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
20:21:14:187 0204 CreateRegParser: DisableWow64Redirection error
20:21:14:187 0204 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
20:21:14:187 0204 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
20:21:14:187 0204 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:21:14:187 0204 wfopen_ex: Trying to KLMD file open
20:21:14:187 0204 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
20:21:14:187 0204 wfopen_ex: File opened ok (Flags 2)
20:21:14:187 0204 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 344B00
20:21:14:187 0204 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
20:21:14:187 0204 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
20:21:14:187 0204 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:21:14:187 0204 wfopen_ex: Trying to KLMD file open
20:21:14:187 0204 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
20:21:14:187 0204 wfopen_ex: File opened ok (Flags 2)
20:21:14:187 0204 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 344BA8
20:21:14:187 0204 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
20:21:14:187 0204 CreateRegParser: EnableWow64Redirection error
20:21:14:187 0204 CreateRegParser: RegParser init completed
20:21:14:703 0204 GetAdvancedServicesInfo: Raw services enum returned 366 services
20:21:14:718 0204 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
20:21:14:718 0204 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
20:21:14:718 0204
20:21:14:718 0204 Scanning Kernel memory ...
20:21:14:718 0204 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
20:21:14:718 0204 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 82B36900
20:21:14:718 0204 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
20:21:14:718 0204
20:21:14:718 0204 DetectCureTDL3: DEVICE_OBJECT: 82BCFC68
20:21:14:718 0204 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82BCFC68
20:21:14:718 0204 KLMD_ReadMem: Trying to ReadMemory 0x82BCFC68[0x38]
20:21:14:718 0204 DetectCureTDL3: DRIVER_OBJECT: 82B36900
20:21:14:718 0204 KLMD_ReadMem: Trying to ReadMemory 0x82B36900[0xA8]
20:21:14:718 0204 KLMD_ReadMem: Trying to ReadMemory 0xE16BEA98[0x18]
20:21:14:718 0204 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_CREATE : F84BBBB0
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_CLOSE : F84BBBB0
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_READ : F84B5D1F
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_WRITE : F84B5D1F
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F84B62E2
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F84B63BB
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F84B9F28
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_SHUTDOWN : F84B62E2
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_POWER : F84B7C82
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F84BC99E
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
20:21:14:718 0204 TDL3_FileDetect: Processing driver: Disk
20:21:14:718 0204 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
20:21:14:718 0204 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
20:21:14:765 0204 TDL3_FileDetect: Processing driver: Disk
20:21:14:765 0204 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
20:21:14:765 0204 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
20:21:14:765 0204 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
20:21:14:765 0204
20:21:14:765 0204 DetectCureTDL3: DEVICE_OBJECT: 82BCF030
20:21:14:765 0204 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82BCF030
20:21:14:765 0204 KLMD_ReadMem: Trying to ReadMemory 0x82BCF030[0x38]
20:21:14:765 0204 DetectCureTDL3: DRIVER_OBJECT: 82B36900
20:21:14:765 0204 KLMD_ReadMem: Trying to ReadMemory 0x82B36900[0xA8]
20:21:14:765 0204 KLMD_ReadMem: Trying to ReadMemory 0xE16BEA98[0x18]
20:21:14:765 0204 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_CREATE : F84BBBB0
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_CLOSE : F84BBBB0
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_READ : F84B5D1F
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_WRITE : F84B5D1F
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F84B62E2
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F84B63BB
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F84B9F28
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_SHUTDOWN : F84B62E2
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_POWER : F84B7C82
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F84BC99E
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
20:21:14:765 0204 TDL3_FileDetect: Processing driver: Disk
20:21:14:765 0204 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
20:21:14:765 0204 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
20:21:14:765 0204 TDL3_FileDetect: Processing driver: Disk
20:21:14:765 0204 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
20:21:14:765 0204 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
20:21:14:781 0204 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
20:21:14:781 0204
20:21:14:781 0204 DetectCureTDL3: DEVICE_OBJECT: 82B8BAB8
20:21:14:781 0204 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B8BAB8
20:21:14:781 0204 DetectCureTDL3: DEVICE_OBJECT: 82B5F1F8
20:21:14:781 0204 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B5F1F8
20:21:14:781 0204 DetectCureTDL3: DEVICE_OBJECT: 82B37B58
20:21:14:781 0204 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B37B58
20:21:14:781 0204 KLMD_ReadMem: Trying to ReadMemory 0x82B37B58[0x38]
20:21:14:781 0204 DetectCureTDL3: DRIVER_OBJECT: 82B5F400
20:21:14:781 0204 KLMD_ReadMem: Trying to ReadMemory 0x82B5F400[0xA8]
20:21:14:781 0204 KLMD_ReadMem: Trying to ReadMemory 0xE16C3FE0[0x1A]
20:21:14:781 0204 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_CREATE : F82EA6F2
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_CLOSE : F82EA6F2
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_READ : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_WRITE : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F82EA712
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F82E6852
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_POWER : F82EA73C
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F82F1336
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
20:21:14:781 0204 TDL3_FileDetect: Processing driver: atapi
20:21:14:781 0204 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
20:21:14:781 0204 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
20:21:14:781 0204 KLMD_ReadMem: Trying to ReadMemory 0xF82E7864[0x400]
20:21:14:781 0204 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
20:21:14:781 0204 TDL3_FileDetect: Processing driver: atapi
20:21:14:781 0204 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
20:21:14:781 0204 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
20:21:14:796 0204 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
20:21:14:796 0204
20:21:14:796 0204 Completed
20:21:14:796 0204
20:21:14:796 0204 Results:
20:21:14:796 0204 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
20:21:14:796 0204 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:21:14:796 0204 File objects infected / cured / cured on reboot: 0 / 0 / 0
20:21:14:796 0204
20:21:14:796 0204 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
20:21:14:796 0204 UtilityDeinit: KLMD(ARK) unloaded successfully
20:21:14:015 0204 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
20:21:14:015 0204 ================================================================================
20:21:14:015 0204 SystemInfo:
20:21:14:015 0204 OS Version: 5.1.2600 ServicePack: 3.0
20:21:14:015 0204 Product type: Workstation
20:21:14:015 0204 ComputerName: ACER-CELERON-M
20:21:14:015 0204 UserName: Bea
20:21:14:015 0204 Windows directory: C:\WINDOWS
20:21:14:015 0204 Processor architecture: Intel x86
20:21:14:015 0204 Number of processors: 1
20:21:14:015 0204 Page size: 0x1000
20:21:14:015 0204 Boot type: Normal boot
20:21:14:015 0204 ================================================================================
20:21:14:046 0204 UnloadDriverW: NtUnloadDriver error 2
20:21:14:046 0204 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
20:21:14:078 0204 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
20:21:14:187 0204 UtilityInit: KLMD drop and load success
20:21:14:187 0204 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
20:21:14:187 0204 UtilityInit: KLMD open success
20:21:14:187 0204 UtilityInit: Initialize success
20:21:14:187 0204
20:21:14:187 0204 Scanning Services ...
20:21:14:187 0204 CreateRegParser: Registry parser init started
20:21:14:187 0204 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
20:21:14:187 0204 CreateRegParser: DisableWow64Redirection error
20:21:14:187 0204 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
20:21:14:187 0204 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
20:21:14:187 0204 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:21:14:187 0204 wfopen_ex: Trying to KLMD file open
20:21:14:187 0204 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
20:21:14:187 0204 wfopen_ex: File opened ok (Flags 2)
20:21:14:187 0204 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 344B00
20:21:14:187 0204 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
20:21:14:187 0204 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
20:21:14:187 0204 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:21:14:187 0204 wfopen_ex: Trying to KLMD file open
20:21:14:187 0204 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
20:21:14:187 0204 wfopen_ex: File opened ok (Flags 2)
20:21:14:187 0204 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 344BA8
20:21:14:187 0204 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
20:21:14:187 0204 CreateRegParser: EnableWow64Redirection error
20:21:14:187 0204 CreateRegParser: RegParser init completed
20:21:14:703 0204 GetAdvancedServicesInfo: Raw services enum returned 366 services
20:21:14:718 0204 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
20:21:14:718 0204 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
20:21:14:718 0204
20:21:14:718 0204 Scanning Kernel memory ...
20:21:14:718 0204 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
20:21:14:718 0204 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 82B36900
20:21:14:718 0204 DetectCureTDL3: KLMD_GetDeviceObjectList returned 3 DevObjects
20:21:14:718 0204
20:21:14:718 0204 DetectCureTDL3: DEVICE_OBJECT: 82BCFC68
20:21:14:718 0204 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82BCFC68
20:21:14:718 0204 KLMD_ReadMem: Trying to ReadMemory 0x82BCFC68[0x38]
20:21:14:718 0204 DetectCureTDL3: DRIVER_OBJECT: 82B36900
20:21:14:718 0204 KLMD_ReadMem: Trying to ReadMemory 0x82B36900[0xA8]
20:21:14:718 0204 KLMD_ReadMem: Trying to ReadMemory 0xE16BEA98[0x18]
20:21:14:718 0204 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_CREATE : F84BBBB0
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_CLOSE : F84BBBB0
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_READ : F84B5D1F
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_WRITE : F84B5D1F
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F84B62E2
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F84B63BB
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F84B9F28
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_SHUTDOWN : F84B62E2
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_POWER : F84B7C82
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F84BC99E
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
20:21:14:718 0204 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
20:21:14:718 0204 TDL3_FileDetect: Processing driver: Disk
20:21:14:718 0204 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
20:21:14:718 0204 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
20:21:14:765 0204 TDL3_FileDetect: Processing driver: Disk
20:21:14:765 0204 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
20:21:14:765 0204 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
20:21:14:765 0204 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
20:21:14:765 0204
20:21:14:765 0204 DetectCureTDL3: DEVICE_OBJECT: 82BCF030
20:21:14:765 0204 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82BCF030
20:21:14:765 0204 KLMD_ReadMem: Trying to ReadMemory 0x82BCF030[0x38]
20:21:14:765 0204 DetectCureTDL3: DRIVER_OBJECT: 82B36900
20:21:14:765 0204 KLMD_ReadMem: Trying to ReadMemory 0x82B36900[0xA8]
20:21:14:765 0204 KLMD_ReadMem: Trying to ReadMemory 0xE16BEA98[0x18]
20:21:14:765 0204 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_CREATE : F84BBBB0
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_CLOSE : F84BBBB0
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_READ : F84B5D1F
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_WRITE : F84B5D1F
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : F84B62E2
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F84B63BB
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F84B9F28
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_SHUTDOWN : F84B62E2
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_POWER : F84B7C82
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F84BC99E
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
20:21:14:765 0204 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
20:21:14:765 0204 TDL3_FileDetect: Processing driver: Disk
20:21:14:765 0204 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
20:21:14:765 0204 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
20:21:14:765 0204 TDL3_FileDetect: Processing driver: Disk
20:21:14:765 0204 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
20:21:14:765 0204 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
20:21:14:781 0204 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
20:21:14:781 0204
20:21:14:781 0204 DetectCureTDL3: DEVICE_OBJECT: 82B8BAB8
20:21:14:781 0204 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B8BAB8
20:21:14:781 0204 DetectCureTDL3: DEVICE_OBJECT: 82B5F1F8
20:21:14:781 0204 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B5F1F8
20:21:14:781 0204 DetectCureTDL3: DEVICE_OBJECT: 82B37B58
20:21:14:781 0204 KLMD_GetLowerDeviceObject: Trying to get lower device object for 82B37B58
20:21:14:781 0204 KLMD_ReadMem: Trying to ReadMemory 0x82B37B58[0x38]
20:21:14:781 0204 DetectCureTDL3: DRIVER_OBJECT: 82B5F400
20:21:14:781 0204 KLMD_ReadMem: Trying to ReadMemory 0x82B5F400[0xA8]
20:21:14:781 0204 KLMD_ReadMem: Trying to ReadMemory 0xE16C3FE0[0x1A]
20:21:14:781 0204 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_CREATE : F82EA6F2
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_CLOSE : F82EA6F2
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_READ : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_WRITE : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_SET_EA : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : F82EA712
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : F82E6852
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_CLEANUP : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_POWER : F82EA73C
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : F82F1336
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F355A
20:21:14:781 0204 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F355A
20:21:14:781 0204 TDL3_FileDetect: Processing driver: atapi
20:21:14:781 0204 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
20:21:14:781 0204 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
20:21:14:781 0204 KLMD_ReadMem: Trying to ReadMemory 0xF82E7864[0x400]
20:21:14:781 0204 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
20:21:14:781 0204 TDL3_FileDetect: Processing driver: atapi
20:21:14:781 0204 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
20:21:14:781 0204 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
20:21:14:796 0204 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
20:21:14:796 0204
20:21:14:796 0204 Completed
20:21:14:796 0204
20:21:14:796 0204 Results:
20:21:14:796 0204 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
20:21:14:796 0204 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:21:14:796 0204 File objects infected / cured / cured on reboot: 0 / 0 / 0
20:21:14:796 0204
20:21:14:796 0204 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
20:21:14:796 0204 UtilityDeinit: KLMD(ARK) unloaded successfully
#50
Posted 19 February 2010 - 07:38 PM
RKinner
-
- Expert
-
- 24,625 posts
Malware Expert
OK it worked but found nothing. Let's see if we can figure out where the redirect is happening.
Start, Run, cmd, OK
nslookup google.com > \junk.txt
notepad \junk.txt
copy and paste the text into a reply.
Is this redirect only in IE now? Or is it also in Firefox and Chrome?
Ron
Start, Run, cmd, OK
nslookup google.com > \junk.txt
notepad \junk.txt
copy and paste the text into a reply.
Is this redirect only in IE now? Or is it also in Firefox and Chrome?
Ron
#51
Posted 19 February 2010 - 07:56 PM
butterrice
- Topic Starter
-
- Member
-
- 403 posts
Member
Server: home
Address: 192.168.1.254
DNS request timed out.
timeout was 2 seconds.
Address: 192.168.1.254
DNS request timed out.
timeout was 2 seconds.
#52
Posted 19 February 2010 - 08:00 PM
butterrice
- Topic Starter
-
- Member
-
- 403 posts
Member
It's happening in all three browsers. In Firefox, the search results are different language and it looks like a rogue google page. In Chrome, when I go to Google, it's a rogue page.
#53
Posted 19 February 2010 - 08:42 PM
RKinner
-
- Expert
-
- 24,625 posts
Malware Expert
How do you connect to the internet? Is there a router or just a dsl/cable modem?
Open a browser and type in:
74.125.53.104
then hit Enter.
Does it go to google.com?
Ron
Open a browser and type in:
74.125.53.104
then hit Enter.
Does it go to google.com?
Ron
#54
Posted 19 February 2010 - 09:26 PM
butterrice
- Topic Starter
-
- Member
-
- 403 posts
Member
Yes it went to Google.com. To search Google from the search bar - it goes to this "find Gala" each time. I am connected to a DSL modem - AT&T.
#55
Posted 19 February 2010 - 09:33 PM
RKinner
-
- Expert
-
- 24,625 posts
Malware Expert
If you search from the real google.com do the search links go where they should?
Close all broswers.
1. Click "Start," (click "Settings,") click "Control Panel," click "Network and Sharing Center," and then click "View Status", Click "Properties,"
2. Click on Internet Protocol Version 4 (TCP/IPv4) (On the text not the check box) then Click on Properties
3. Click "Use the following DNS server addresses," and then type 199.166.28.10 in the Preferred DNS server and 4.2.2.1 in the Alternate DNS server boxes.
4. Click "OK" and close all of the windows that have opened.
Start, Run, cmd, OK and type:
ipconfig /flushdns
exit
Now try it.
Does it still go bad?
Ron
Close all broswers.
1. Click "Start," (click "Settings,") click "Control Panel," click "Network and Sharing Center," and then click "View Status", Click "Properties,"
2. Click on Internet Protocol Version 4 (TCP/IPv4) (On the text not the check box) then Click on Properties
3. Click "Use the following DNS server addresses," and then type 199.166.28.10 in the Preferred DNS server and 4.2.2.1 in the Alternate DNS server boxes.
4. Click "OK" and close all of the windows that have opened.
Start, Run, cmd, OK and type:
ipconfig /flushdns
exit
Now try it.
Does it still go bad?
Ron
#56
Posted 19 February 2010 - 10:09 PM
butterrice
- Topic Starter
-
- Member
-
- 403 posts
Member
Firefox and Chrome are okay. But in IE8, when I search google - still going to Find Gala. If I search from the website, it's fine.
#57
Posted 19 February 2010 - 11:06 PM
RKinner
-
- Expert
-
- 24,625 posts
Malware Expert
Open Notepad (Start, Run, notepad, OK) and then File, Open and find:
\windows\system32\drivers\etc\hosts
Find the line that says
127.0.0.1 localhost
Delete everything below it.
Add below that line:
74.125.53.106 findgala.com
then File, Save, and exit.
Now try it.
\windows\system32\drivers\etc\hosts
Find the line that says
127.0.0.1 localhost
Delete everything below it.
Add below that line:
74.125.53.106 findgala.com
then File, Save, and exit.
Now try it.
#58
Posted 19 February 2010 - 11:17 PM
butterrice
- Topic Starter
-
- Member
-
- 403 posts
Member
When I opened "etc" there was nothing in the folder.
#59
Posted 20 February 2010 - 12:10 AM
RKinner
-
- Expert
-
- 24,625 posts
Malware Expert
hosts is a hidden system file so you may not have your system set up to see them yet. I thought they had you do that in the intro but here is how you do it:
If using Windows XP:
* Close all programs so that you are at your desktop.
* Double-click on the My Computer icon.
* Select the Tools menu and click Folder Options.
* After the new window appears select the View tab.
* Put a checkmark in the checkbox labeled Display the contents of system folders.
* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
* Remove the checkmark from the checkbox labeled Hide protected operating system files.
* Press the Apply button and then the OK button and exit My Computer.
* Now your computer is configured to show all hidden files.
See if you can find hosts now.
I've done some research on findgal.com and it appears they modify the registry and stick something in the application data folders so let's see if we can get this otl search to work. It's going to take a few minutes to run.
Copy the text between the lines of stars by highlighting and Ctrl + c
***************************************************************************************************
dir /a "\Documents and Settings\Bea\Local Settings\Application Data" /c
dir /a "\Documents and Settings\All Users\Application Data" /c
hklm\software|gala /RS
hkcu\software|gala /RS
:Commands
[Reboot]
*******************************************************************
then run OTL and Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the Run Fix button at the top
Let the program run unhindered, OTL will reboot the PC when it is done.
Post the log it produces in your next reply.
Ron
If using Windows XP:
* Close all programs so that you are at your desktop.
* Double-click on the My Computer icon.
* Select the Tools menu and click Folder Options.
* After the new window appears select the View tab.
* Put a checkmark in the checkbox labeled Display the contents of system folders.
* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
* Remove the checkmark from the checkbox labeled Hide protected operating system files.
* Press the Apply button and then the OK button and exit My Computer.
* Now your computer is configured to show all hidden files.
See if you can find hosts now.
I've done some research on findgal.com and it appears they modify the registry and stick something in the application data folders so let's see if we can get this otl search to work. It's going to take a few minutes to run.
Copy the text between the lines of stars by highlighting and Ctrl + c
***************************************************************************************************
dir /a "\Documents and Settings\Bea\Local Settings\Application Data" /c
dir /a "\Documents and Settings\All Users\Application Data" /c
hklm\software|gala /RS
hkcu\software|gala /RS
:Commands
[Reboot]
*******************************************************************
then run OTL and Under the Custom Scans/Fixes box at the bottom, paste (ctrl +v) the text. Verify that you got it all and Then click the Run Fix button at the top
Let the program run unhindered, OTL will reboot the PC when it is done.
Post the log it produces in your next reply.
Ron
#60
Posted 20 February 2010 - 02:02 AM
butterrice
- Topic Starter
-
- Member
-
- 403 posts
Member
Okay - I followed your instructions for the "hosts" and I still had an empty "Etc" folder. I ran the OTL and it didn't produce a report. I ran it twice b/c I thought I did something wrong, but it didn't produce a report either time.
Similar Topics
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
