
Solve : PAGE REDIRECT VIRUS????

Answer» DOWNLOAD this << file >> & extract TDSSKiller.exe onto your Desktop

Then create this batch file to be placed next to TDSSKiller

=====

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:
Code:
@ECHO OFF
START /WAIT TDSSKILLER.exe -l Logit.txt -v
START Logit.txt
del %0

Save this as fix.bat. Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says

Thanks DMJ for getting back to me. I know you're a busy guy. I have the log; it appears to have found something and I'm sending a SCREEN SHOT of what it did before I had to reboot my comp. I haven't checked to see if the problem persists (try any search engine), I'll wait till you tell me.

MODIFIED: On second thought I tried my search engines and they are working and a lot faster, so I'll just wait till you tell me my next scan and clean-up options.

-------------------------------------------------------------------------------------------------------------

23:31:37:467 3088 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00
23:31:37:467 3088 ================================================================================
23:31:37:467 3088 SystemInfo:

23:31:37:467 3088 OS Version: 6.0.6002 ServicePack: 2.0
23:31:37:467 3088 Product type: Workstation
23:31:37:467 3088 ComputerName: J-BIRD-PC
23:31:37:468 3088 UserName: J-BIRD
23:31:37:468 3088 Windows directory: C:\Windows
23:31:37:468 3088 Processor architecture: Intel x86
23:31:37:468 3088 Number of processors: 2
23:31:37:468 3088 Page size: 0x1000
23:31:37:471 3088 Boot type: Normal boot
23:31:37:471 3088 ================================================================================
23:31:37:475 3088 ForceUnloadDriverW: Old driver(klmd21) unloaded successfully
23:31:38:098 3088 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
23:31:38:109 3088 UtilityInit: KLMD drop and load success
23:31:38:109 3088 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
23:31:38:109 3088 UtilityInit: KLMD open success
23:31:38:109 3088 UtilityInit: Initialize success
23:31:38:109 3088
23:31:38:110 3088 Scanning Services ...
23:31:38:110 3088 CreateRegParser: Registry parser init started
23:31:38:110 3088 CreateRegParser: DisableWow64Redirection error
23:31:38:110 3088 wfopen_ex: Trying to open file C:\Windows\system32\config\system
23:31:38:110 3088 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
23:31:38:110 3088 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:31:38:110 3088 wfopen_ex: Trying to KLMD file open
23:31:38:111 3088 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
23:31:38:111 3088 wfopen_ex: File opened ok (Flags 2)
23:31:38:134 3088 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 1BA1290
23:31:38:134 3088 wfopen_ex: Trying to open file C:\Windows\system32\config\software
23:31:38:134 3088 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
23:31:38:134 3088 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:31:38:134 3088 wfopen_ex: Trying to KLMD file open
23:31:38:134 3088 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
23:31:38:134 3088 wfopen_ex: File opened ok (Flags 2)
23:31:38:134 3088 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 1BA12B8
23:31:38:134 3088 CreateRegParser: EnableWow64Redirection error
23:31:38:135 3088 CreateRegParser: RegParser init completed
23:31:39:136 3088 GetAdvancedServicesInfo: Raw services enum returned 436 services
23:31:39:280 3088 fclose_ex: Trying to close file C:\Windows\system32\config\system
23:31:39:280 3088 fclose_ex: Trying to close file C:\Windows\system32\config\software
23:31:39:280 3088
23:31:39:281 3088 Scanning Kernel memory ...
23:31:39:281 3088 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
23:31:39:281 3088 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 84FDDB00
23:31:39:281 3088 DetectCureTDL3: KLMD_GetDeviceObjectList returned 2 DevObjects
23:31:39:281 3088
23:31:39:281 3088 DetectCureTDL3: DEVICE_OBJECT: 8DB467A8
23:31:39:281 3088 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8DB467A8
23:31:39:281 3088 DetectCureTDL3: DEVICE_OBJECT: 8DB302E8
23:31:39:281 3088 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8DB302E8
23:31:39:281 3088 KLMD_ReadMem: Trying to ReadMemory 0x8DB302E8[0x38]
23:31:39:281 3088 DetectCureTDL3: DRIVER_OBJECT: 85AA2F38
23:31:39:281 3088 KLMD_ReadMem: Trying to ReadMemory 0x85AA2F38[0xA8]
23:31:39:282 3088 KLMD_ReadMem: Trying to ReadMemory 0x85AB2E48[0x1C]
23:31:39:282 3088 DetectCureTDL3: DRIVER_OBJECT name: \Driver\RTSTOR, Driver Name: RTSTOR
23:31:39:282 3088 DetectCureTDL3: IrpHandler (0) addr: 8ACDB30E
23:31:39:282 3088 DetectCureTDL3: IrpHandler (1) addr: 81C409D2
23:31:39:282 3088 DetectCureTDL3: IrpHandler (2) addr: 8ACDB30E
23:31:39:282 3088 DetectCureTDL3: IrpHandler (3) addr: 8ACDB30E
23:31:39:282 3088 DetectCureTDL3: IrpHandler (4) addr: 8ACDB30E
23:31:39:282 3088 DetectCureTDL3: IrpHandler (5) addr: 81C409D2
23:31:39:282 3088 DetectCureTDL3: IrpHandler (6) addr: 81C409D2
23:31:39:282 3088 DetectCureTDL3: IrpHandler (7) addr: 81C409D2
23:31:39:282 3088 DetectCureTDL3: IrpHandler (8) addr: 81C409D2
23:31:39:282 3088 DetectCureTDL3: IrpHandler (9) addr: 81C409D2
23:31:39:282 3088 DetectCureTDL3: IrpHandler (10) addr: 81C409D2
23:31:39:282 3088 DetectCureTDL3: IrpHandler (11) addr: 81C409D2
23:31:39:282 3088 DetectCureTDL3: IrpHandler (12) addr: 81C409D2
23:31:39:282 3088 DetectCureTDL3: IrpHandler (13) addr: 81C409D2
23:31:39:282 3088 DetectCureTDL3: IrpHandler (14) addr: 8ACDB30E
23:31:39:282 3088 DetectCureTDL3: IrpHandler (15) addr: 8ACDB30E
23:31:39:282 3088 DetectCureTDL3: IrpHandler (16) addr: 8ACDB30E
23:31:39:282 3088 DetectCureTDL3: IrpHandler (17) addr: 81C409D2
23:31:39:282 3088 DetectCureTDL3: IrpHandler (18) addr: 81C409D2
23:31:39:282 3088 DetectCureTDL3: IrpHandler (19) addr: 81C409D2
23:31:39:282 3088 DetectCureTDL3: IrpHandler (20) addr: 81C409D2
23:31:39:282 3088 DetectCureTDL3: IrpHandler (21) addr: 81C409D2
23:31:39:282 3088 DetectCureTDL3: IrpHandler (22) addr: 8ACDB30E
23:31:39:282 3088 DetectCureTDL3: IrpHandler (23) addr: 8ACDB30E
23:31:39:282 3088 DetectCureTDL3: IrpHandler (24) addr: 81C409D2
23:31:39:282 3088 DetectCureTDL3: IrpHandler (25) addr: 81C409D2
23:31:39:282 3088 DetectCureTDL3: IrpHandler (26) addr: 81C409D2
23:31:39:282 3088 KLMD_ReadMem: Trying to ReadMemory 0x8ACD9C94[0x400]
23:31:39:283 3088 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
23:31:39:283 3088 TDL3_FileDetect: Processing driver: RTSTOR
23:31:39:283 3088 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\RTSTOR.SYS
23:31:39:283 3088 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\RTSTOR.SYS
23:31:39:308 3088 TDL3_FileDetect: C:\Windows\system32\drivers\RTSTOR.SYS - Verdict: Clean
23:31:39:309 3088
23:31:39:309 3088 DetectCureTDL3: DEVICE_OBJECT: 844B0AC8
23:31:39:309 3088 KLMD_GetLowerDeviceObject: Trying to get lower device object for 844B0AC8
23:31:39:309 3088 DetectCureTDL3: DEVICE_OBJECT: 843AA918
23:31:39:309 3088 KLMD_GetLowerDeviceObject: Trying to get lower device object for 843AA918
23:31:39:309 3088 DetectCureTDL3: DEVICE_OBJECT: 8398F528
23:31:39:309 3088 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8398F528
23:31:39:309 3088 KLMD_ReadMem: Trying to ReadMemory 0x8398F528[0x38]
23:31:39:309 3088 DetectCureTDL3: DRIVER_OBJECT: 8432FBB8
23:31:39:309 3088 KLMD_ReadMem: Trying to ReadMemory 0x8432FBB8[0xA8]
23:31:39:309 3088 KLMD_ReadMem: Trying to ReadMemory 0x839ABC20[0x1A]
23:31:39:309 3088 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
23:31:39:309 3088 DetectCureTDL3: IrpHandler (0) addr: 807209B0
23:31:39:309 3088 DetectCureTDL3: IrpHandler (1) addr: 807209B0
23:31:39:309 3088 DetectCureTDL3: IrpHandler (2) addr: 807209B0
23:31:39:309 3088 DetectCureTDL3: IrpHandler (3) addr: 807209B0
23:31:39:309 3088 DetectCureTDL3: IrpHandler (4) addr: 807209B0
23:31:39:309 3088 DetectCureTDL3: IrpHandler (5) addr: 807209B0
23:31:39:309 3088 DetectCureTDL3: IrpHandler (6) addr: 807209B0
23:31:39:309 3088 DetectCureTDL3: IrpHandler (7) addr: 807209B0
23:31:39:309 3088 DetectCureTDL3: IrpHandler (8) addr: 807209B0
23:31:39:309 3088 DetectCureTDL3: IrpHandler (9) addr: 807209B0
23:31:39:309 3088 DetectCureTDL3: IrpHandler (10) addr: 807209B0
23:31:39:309 3088 DetectCureTDL3: IrpHandler (11) addr: 807209B0
23:31:39:309 3088 DetectCureTDL3: IrpHandler (12) addr: 807209B0
23:31:39:309 3088 DetectCureTDL3: IrpHandler (13) addr: 807209B0
23:31:39:309 3088 DetectCureTDL3: IrpHandler (14) addr: 807209B0
23:31:39:309 3088 DetectCureTDL3: IrpHandler (15) addr: 807209B0
23:31:39:309 3088 DetectCureTDL3: IrpHandler (16) addr: 807209B0
23:31:39:309 3088 DetectCureTDL3: IrpHandler (17) addr: 807209B0
23:31:39:309 3088 DetectCureTDL3: IrpHandler (18) addr: 807209B0
23:31:39:310 3088 DetectCureTDL3: IrpHandler (19) addr: 807209B0
23:31:39:310 3088 DetectCureTDL3: IrpHandler (20) addr: 807209B0
23:31:39:310 3088 DetectCureTDL3: IrpHandler (21) addr: 807209B0
23:31:39:310 3088 DetectCureTDL3: IrpHandler (22) addr: 807209B0
23:31:39:310 3088 DetectCureTDL3: IrpHandler (23) addr: 807209B0
23:31:39:310 3088 DetectCureTDL3: IrpHandler (24) addr: 807209B0
23:31:39:310 3088 DetectCureTDL3: IrpHandler (25) addr: 807209B0
23:31:39:310 3088 DetectCureTDL3: IrpHandler (26) addr: 807209B0
23:31:39:310 3088 DetectCureTDL3: All IRP handlers pointed to one addr: 807209B0
23:31:39:310 3088 KLMD_ReadMem: Trying to ReadMemory 0x807209B0[0x400]
23:31:39:310 3088 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
23:31:39:310 3088 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
23:31:39:310 3088 KLMD_ReadMem: Trying to ReadMemory 0x8432F58C[0x4]
23:31:39:310 3088 TDL3_IrpHookDetect: New IrpHandler addr: 857988C8
23:31:39:310 3088 KLMD_ReadMem: Trying to ReadMemory 0x857988C8[0x400]
23:31:39:310 3088 TDL3_IrpHookDetect: CheckParameters: 10, FFDF0308, 510, 134, 3, 120
23:31:39:310 3088 Driver "atapi" Irp handler infected by TDSS rootkit ... 23:31:39:311 3088 KLMD_WriteMem: Trying to WriteMemory 0x8579894E[0xD]
23:31:39:311 3088 cured
23:31:39:311 3088 TDL3_FileDetect: Processing driver: atapi
23:31:39:312 3088 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\atapi.sys
23:31:39:312 3088 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\atapi.sys
23:31:39:323 3088 TDL3_FileDetect: C:\Windows\system32\drivers\atapi.sys - Verdict: Infected
23:31:39:323 3088 File C:\Windows\system32\drivers\atapi.sys infected by TDSS rootkit ... 23:31:39:323 3088 TDL3_FileCure: Processing driver file: C:\Windows\system32\drivers\atapi.sys
23:31:42:589 3088 FileCallback: Backup candidate found: C:\Windows\system32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys:19944, checking..
23:31:42:596 3088 ValidateDriverFile: Stage 1 passed
23:31:42:598 3088 ValidateDriverFile: Stage 2 passed
23:31:42:779 3088 DigitalSignVerifyByHandle: Embedded DS result: 00000000
23:31:42:779 3088 ValidateDriverFile: Stage 3 passed
23:31:42:779 3088 FileCallback: File validated successfully, restore information prepared
23:31:46:346 3088 FindDriverFileBackup: Backup copy found in DriverStore
23:31:46:346 3088 TDL3_FileCure: Backup copy found, using it..
23:31:46:347 3088 TDL3_FileCure: Dumping CURED buffer to file C:\Windows\system32\drivers\tsk2FAC.tmp
23:31:46:495 3088 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk2FAC.tmp, system32\drivers\atapi.sys)
23:31:46:495 3088 TDL3_FileCure: KLMD jobs schedule success
23:31:46:495 3088 will be cured on next reboot
23:31:46:496 3088 UtilityBootReinit: Reboot required for cure complete..
23:31:46:496 3088 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmdb.sys) returned status 00000000
23:31:46:579 3088 UtilityBootReinit: KLMD drop success
23:31:46:586 3088 KLMD_ApplyPendList: Pending buffer(5009_66A6, 616) dropped successfully
23:31:46:586 3088 UtilityBootReinit: Cure on reboot scheduled successfully
23:31:46:586 3088
23:31:46:587 3088 Completed
23:31:46:587 3088
23:31:46:587 3088 Results:
23:31:46:588 3088 Memory objects infected / cured / cured on reboot:1 / 1 / 0
23:31:46:588 3088 Registry objects infected / cured / cured on reboot:0 / 0 / 0
23:31:46:588 3088 File objects infected / cured / cured on reboot:1 / 0 / 1
23:31:46:589 3088
23:31:46:589 3088 UnloadDriverW: NtUnloadDriver error 1
23:31:46:589 3088 KLMD_Unload: UnloadDriverW(klmd21) error 1
23:31:46:590 3088 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
23:31:46:590 3088 UtilityDeinit: KLMD(ARK) unloaded successfully
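The TDSSKiller log above is the evidence in this thread: atapi's whole IRP dispatch table pointed at one address, the TDL3 stub was confirmed behind it, the in-memory hook was cured at once, and the on-disk atapi.sys is only replaced at reboot. As an added example (not part of TDSSKiller or of this thread), the Python below pulls exactly those facts out of such a log so the reader does not have to eyeball 170 lines; the excerpt embedded in it is constructed from the lines quoted above.

```python
"""Summarise a TDSSKiller 2.x log (added example for this thread, not TDSSKiller code)."""
import re
from collections import defaultdict

# Constructed excerpt of the lines quoted on this page, format "HH:MM:SS:mmm <pid><message>".
# The PID may run straight into the message (as in the forum copy) or be whitespace-separated; both parse.
SAMPLE_LOG = r"""23:31:37:467 3088TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00
23:31:39:282 3088DetectCureTDL3: DRIVER_OBJECT name: \Driver\RTSTOR, Driver Name: RTSTOR
23:31:39:282 3088DetectCureTDL3: IrpHandler (0) addr: 8ACDB30E
23:31:39:282 3088DetectCureTDL3: IrpHandler (1) addr: 81C409D2
23:31:39:282 3088DetectCureTDL3: IrpHandler (2) addr: 8ACDB30E
23:31:39:308 3088TDL3_FileDetect: C:\Windows\system32\drivers\RTSTOR.SYS - Verdict: Clean
23:31:39:309 3088DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
23:31:39:309 3088DetectCureTDL3: IrpHandler (0) addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler (1) addr: 807209B0
23:31:39:309 3088DetectCureTDL3: IrpHandler (2) addr: 807209B0
23:31:39:310 3088Driver "atapi" Irp handler infected by TDSS rootkit ... 23:31:39:311 3088KLMD_WriteMem: Trying to WriteMemory 0x8579894E[0xD]
23:31:39:311 3088cured
23:31:39:323 3088TDL3_FileDetect: C:\Windows\system32\drivers\atapi.sys - Verdict: Infected
23:31:46:496 3088UtilityBootReinit: Reboot required for cure complete..
23:31:46:588 3088Memory objects infected / cured / cured on reboot:1 / 1 / 0
23:31:46:588 3088Registry objects infected / cured / cured on reboot:0 / 0 / 0
23:31:46:588 3088File objects infected / cured / cured on reboot:1 / 0 / 1
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d:\d{3}) (\d+?)(?!\d)\s*(.*)$")  # timestamp, PID (stops at first non-digit), message
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: .*?, Driver Name: (\S+)")
IRP_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-F]+)")
VERDICT_RE = re.compile(r"TDL3_FileDetect: (.+?) - Verdict: (\w+)")
HOOK_RE = re.compile(r'Driver "([^"]+)" Irp handler infected by TDSS rootkit')
RESULT_RE = re.compile(r"(Memory|Registry|File) objects infected / cured / cured on reboot:\s*(\d+) / (\d+) / (\d+)")


def summarise(log_text):
    """Parse the log into a dict; lines that match no known pattern are skipped."""
    s = {"irp": defaultdict(dict), "verdicts": {}, "hooked": [], "results": {}, "reboot_required": False}
    driver = None  # DetectCureTDL3 logs the driver name before dumping its IrpHandler table
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group(3)
        if d := DRIVER_RE.search(msg):
            driver = d.group(1)
        elif (i := IRP_RE.search(msg)) and driver:
            s["irp"][driver][int(i.group(1))] = i.group(2)
        elif v := VERDICT_RE.search(msg):
            s["verdicts"][v.group(1)] = v.group(2)
        elif h := HOOK_RE.search(msg):
            s["hooked"].append(h.group(1))
        elif r := RESULT_RE.search(msg):
            s["results"][r.group(1)] = tuple(int(x) for x in r.group(2, 3, 4))
        elif "Reboot required" in msg:
            s["reboot_required"] = True
    return s


def uniform_dispatch(summary):
    """Drivers whose logged IRP handlers all resolve to one address: the condition
    TDSSKiller reports as 'All IRP handlers pointed to one addr' before it looks for
    the TDL3 stub. A lead to confirm against that stub check, not a verdict on its own."""
    return sorted(n for n, table in summary["irp"].items() if len(set(table.values())) == 1)


def remaining_actions(summary):
    """What is still outstanding after the scan, in the order a helper would ask for it."""
    actions = []
    on_reboot = sum(r[2] for r in summary["results"].values())
    if summary["reboot_required"] or on_reboot:
        actions.append(f"reboot now: {on_reboot} object(s) are cured only on restart")
    for path, verdict in summary["verdicts"].items():
        if verdict != "Clean":
            actions.append(f"after reboot, confirm {path} was replaced from the backup copy")
    if summary["hooked"]:
        actions.append("rescan to confirm the dispatch table of " + ", ".join(summary["hooked"]) + " is clean")
    return actions
```

Running `remaining_actions(summarise(open("Logit.txt").read()))` on the real Logit.txt gives the same three follow-ups the helper asks for in this thread: reboot, confirm the atapi.sys replacement, rescan.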


[Saving space, attachment deleted by admin]

Please download Rooter and Save it to your desktop
  • Double click it to start the tool.
  • Click Scan.
  • Eventually, a Notepad file containing the report will open, also found at C:\Rooter.txt. Post that log in your next reply.

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows Vista Home Edition (6.0.6002) Service Pack 2
[32_bits] - x86 Family 15 Model 104 Stepping 1, AuthenticAMD
.
[wscsvc] (Security Center) RUNNING (state:4)
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Enabled
Windows Defender -> Enabled
User Account Control (UAC) -> Disabled !
.
Internet Explorer 8.0.6001.18882
.
C:\ [Fixed-NTFS] .. ( Total:232 Go - Free:156 Go )
D:\ [CD_Rom]
F:\ [Removable]
.
Scan : 00:06.22
Path : C:\Users\J-BIRD\Desktop\Rooter.exe
User : J-BIRD ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ \SystemRoot\System32\smss.exe (400)
______ C:\Windows\system32\csrss.exe (540)
______ C:\Windows\system32\wininit.exe (604)
______ C:\Windows\system32\csrss.exe (616)
______ C:\Windows\system32\services.exe (648)
______ C:\Windows\system32\lsass.exe (660)
______ C:\Windows\system32\lsm.exe (668)
______ C:\Windows\system32\winlogon.exe (764)
______ C:\Windows\system32\svchost.exe (864)
______ C:\Windows\system32\svchost.exe (924)
______ C:\Windows\system32\Ati2evxx.exe (960)
______ C:\Windows\System32\svchost.exe (1036)
______ C:\Windows\System32\svchost.exe (1120)
______ C:\Windows\system32\svchost.exe (1140)
Locked audiodg.exe (1220)
______ C:\Windows\system32\svchost.exe (1248)
______ C:\Windows\system32\SLsvc.exe (1272)
______ C:\Windows\system32\svchost.exe (1364)
______ C:\Windows\system32\Ati2evxx.exe (1452)
______ C:\Windows\system32\svchost.exe (1584)
______ C:\Windows\System32\spoolsv.exe (1812)
______ C:\Windows\system32\svchost.exe (1836)
______ C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (320)
______ c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (508)
______ C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (1176)
______ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (1580)
______ C:\Program Files\McAfee\MPF\MPFSrv.exe (736)
______ c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe (1284)
______ C:\Program Files\Novatel Wireless\Novacore\Server\NvtlSrvr.exe (496)
______ C:\Windows\system32\svchost.exe (2120)
______ c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (2172)
______ C:\Program Files\IDT\WDM\STacSV.exe (2204)
______ C:\Windows\system32\svchost.exe (2252)
______ C:\Windows\System32\svchost.exe (2296)
______ C:\Windows\system32\SearchIndexer.exe (2320)
______ C:\Windows\system32\WUDFHost.exe (2452)
______ C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe (2976)
______ C:\Windows\system32\taskeng.exe (3008)
______ C:\Windows\system32\taskeng.exe (3700)
______ c:\PROGRA~1\mcafee.com\agent\mcagent.exe (3760)
______ C:\Windows\system32\Dwm.exe (3840)
______ C:\Windows\Explorer.EXE (3900)
______ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (2088)
______ C:\Program Files\Common Files\Java\Java Update\jusched.exe (712)
______ C:\Windows\sttray.exe (2828)
______ C:\Windows\ehome\ehtray.exe (1916)
______ C:\Windows\ehome\ehmsas.exe (2380)
______ C:\Program Files\Windows Media Player\wmpnscfg.exe (3468)
______ C:\Program Files\Windows Media Player\wmpnetwk.exe (3920)
______ C:\Windows\system32\wbem\unsecapp.exe (1024)
______ C:\Windows\system32\wbem\wmiprvse.exe (720)
______ c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe (2660)
______ C:\Program Files\Synaptics\SynTP\SynTPHelper.exe (2532)
______ C:\Windows\system32\taskeng.exe (4576)
______ C:\Windows\system32\SearchProtocolHost.exe (6052)
______ C:\Windows\system32\SearchFilterHost.exe (6068)
______ C:\Windows\system32\SearchProtocolHost.exe (3276)
______ C:\Users\J-BIRD\Desktop\Rooter.exe (5384)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:1048576 | Length:250057064448)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\McDefragTask.job
C:\Windows\Tasks\McQcTask.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
C:\Windows\Tasks\User_Feed_Synchronization-{7B7886CB-F69B-46D3-802C-6198EA461B1C}.job
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 00:06.30
.
C:\Rooter$\Rooter_1.txt - (15/02/2010 | 00:06.30)
Last rootkit check.

Please download Stealth MBR Rootkit Detector by GMER from GMER.net, and save to your Desktop.
  • Double-click mbr.exe to start the program.
  • When done scanning, it will save a log on the Desktop called mbr.log.
  • Please post the contents of that log in your next reply.
Here ya go. I also have a question on a service not running and I can't find it; I'll send two screenshots of it. I can't find this file when I search and I have show hidden folder options on. I put it into Google before I posted it here and the result was 1: this topic here.
---------------------------------------------------------------------------------------------------------
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


[Saving space, attachment deleted by admin]

Atapi.sys is a core system file that got infected by the TDSS rootkit, a very serious infection. It was disinfected by TDSSKiller.

What other Windows Service were you talking about?

It is these 3 services. I don't know what they are; they are stopped in my service list:

SRV - File not found [On_Demand | Stopped] -- -- (URRB)
SRV - File not found [On_Demand | Stopped] -- -- (NZSCXJXN)
SRV - File not found [On_Demand | Stopped] -- -- (KEA)

This came from the first OTL log you requested. I was just wondering if they are harmful. They are unknown services with no description of what they do. When I go to the highlighted folder destination it doesn't exist, but the service is still on the list [stopped]. Just wondering if I even need to worry about it. EVERYTHING SEEMS TO BE RUNNING WONDERFULLY. I can't thank you enough; there should be a donate button in the forum somewhere.

[Saving space, attachment deleted by admin]

Didn't mean to bump, but I removed the 3 services through the registry from the services list. I don't see 'em anymore and I have more peace of mind. I just didn't like seeing them there.

To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advance System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive i.e. C
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the POP up
  • Select OK
  • Select Delete
You are now done

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

==

Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
==

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the ONSCREEN instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Here's the log, dude. It looks good to me and I want to thank you very much for your help; you saved my bacon. I'm gonna keep SAS and Malwarebytes. Will running SAS with McAfee be a problem? I noticed it takes a little longer to boot up, but I can live with that.
-----------------------------------------------------------------------------------------------------------

Results of screen317's Security Check version 0.99.1
Windows Vista Service Pack 2 (UAC is disabled!)
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
ESET Online Scanner v3
McAfee SecurityCenter
WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:

SUPERAntiSpyware Free Edition
HijackThis 2.0.2
Java(TM) 6 Update 18
Java AUTO Updater
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9.3
``````````````````````````````
Process Check:
objlist.exe by Laurent

McAfee VIRUSS~1 mcshield.exe
McAfee VIRUSS~1 mcsysmon.exe
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Seems fine to me to run them.

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware
  • SpywareBlaster
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  • Spybot - Search & Destroy.
    Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).
NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:
Sounds good, and thanks for the help again. YOU THE MAN ;D

