Apparently I have a virus in which all my programs are infected


Apparently I have a virus in which all my programs are infected

Post by tstephens on 30th December 2009, 4:23 am

I am unable to access any programs. It keeps sending me to a website: [You must be registered and logged in to see this link.] and everything is supposedly infected: taskmgr.exe, mmc.exe, rundll32.ex, etc. are infected. It keeps asking if I want to activate my antivirus software now. It also keeps opening an IE browser sending me to sites such as porno.org or viagra.com. Help please. I'm on my desktop but the infection is on my laptop.

tstephens
Novice

Posts : 9
Joined : 2009-12-29
Gender : Female
OS : Windows XP
Points : 25479
# Likes : 0



Re: Apparently I have a virus in which all my programs are infected

Post by Dr Jay on 30th December 2009, 6:26 am

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 14309
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Arch. : x64 (64-bit)
Protection : Bitdefender Total Security
Points : 302960
# Likes : 10



Re: Apparently I have a virus in which all my programs are infected

Post by tstephens on 30th December 2009, 7:05 am

Thank you for your prompt response. Unfortunately, I cannot access any website from my laptop. I temporarily disabled AVG and that's as far as I got. Every page I visit reads: 'Internet Explorer Warning - visiting this website may harm your computer!' It gives me 3 options: 'Purchase for secure Internet surfing (Recommended)', 'Check your computer for viruses and malware.' and 'More Information'. All three links take me to that website I listed earlier to purchase 'Antivirus Live'.

A Windows Security alert window opens in the bottom right and says 'Application cannot be executed. The file blabhbla.exe is infected. Do you want to activate your antivirus software now?'


Re: Apparently I have a virus in which all my programs are infected

Post by Dr Jay on 30th December 2009, 8:18 pm

Please transfer that file from another clean computer, to the infected one via Flash Drive.


Dr. Jay (DJ)




Re: Apparently I have a virus in which all my programs are infected

Post by tstephens on 31st December 2009, 3:09 am

YAYYYY...I'm on my laptop now.

I had to restart the computer and start the program right away to trick the virus, or else it would've shut the install down and said it was infected. Here's the log (does it give away any incriminating evidence?...hope not). Thanks for the help.

ComboFix 09-12-29.06 - Tiffany Stephens 12/30/2009 19:31:44.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1202 [GMT -7:00]
Running from: c:\documents and settings\Tiffany Stephens\Desktop\commy.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
/wow section - STAGE 1

/wow section - STAGE 2

/wow section - STAGE 3

PEV Error: DesktopFile
PEV Error: DesktopFolder
PEV Error: FavFile
PEV Error: LocalAppDataFile
PEV Error: LocalAppDataFolder
PEV Error: LocalSettingsFile
PEV Error: MenuFile
PEV Error: MenuFolder
PEV Error: PersonalFile
PEV Error: ProgramsFile
PEV Error: ProgramsFolder
PEV Error: StartUpFile
PEV Error: TemplatesFile
PEV Error: TemplatesFolder
PEV Error: UserFile
PEV Error: UserFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tiffany Stephens\Local Settings\Application Data\vmayrh
c:\documents and settings\Tiffany Stephens\Local Settings\Application Data\vmayrh\ofuhsysguard.exe
c:\windows\system32\xtemp1.exe
c:\windows\system32\xtemp2.exe
c:\windows\Temp\log.txt

.
((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))
.

2009-12-31 02:00 . 2009-12-31 02:00 0 ----a-w- c:\documents and settings\Tiffany Stephens\Application Data\U3\01646018E142C9D1\cleanup.exe
2009-12-16 03:43 . 2009-12-16 03:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-12-16 00:32 . 2009-12-16 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-12 01:35 . 2009-12-12 01:33 2065688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-12-08 04:26 . 2009-12-08 04:27 -------- d-----w- c:\documents and settings\Tiffany Stephens\Local Settings\Application Data\CutePDF Writer
2009-12-08 04:05 . 2009-12-31 02:16 -------- d-----w- c:\documents and settings\Tiffany Stephens\Local Settings\Application Data\AskToolbar
2009-12-08 04:04 . 2009-12-08 04:04 -------- d-----w- c:\program files\GPLGS
2009-12-08 04:00 . 2009-11-05 15:39 87552 ----a-w- c:\windows\system32\cpwmon2k.dll
2009-12-08 03:59 . 2009-12-08 03:59 -------- d-----w- c:\program files\Acro Software
2009-12-08 03:59 . 2009-12-08 03:59 -------- d-----w- c:\program files\Ask.com
2009-12-07 03:44 . 2009-12-07 03:44 -------- d-----w- c:\documents and settings\Tiffany Stephens\Local Settings\Application Data\Identities

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 02:39 . 2007-08-07 22:11 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-31 02:00 . 2008-11-13 01:48 -------- d-----w- c:\documents and settings\Tiffany Stephens\Application Data\U3
2009-12-28 19:39 . 2009-11-23 22:17 79488 ----a-w- c:\documents and settings\Tiffany Stephens\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-28 02:32 . 2008-03-20 02:27 -------- d-----w- c:\documents and settings\Tiffany Stephens\Application Data\LimeWire
2009-12-21 18:29 . 2008-11-06 06:58 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-12-15 04:42 . 2007-08-07 22:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-28 22:19 . 2008-11-06 06:21 -------- d-----w- c:\program files\QuickTime
2009-11-28 22:18 . 2009-11-28 22:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-11-28 22:17 . 2009-11-28 22:17 -------- d-----w- c:\program files\Common Files\Apple
2009-11-28 22:16 . 2009-11-28 22:16 -------- d-----w- c:\program files\Apple Software Update
2009-11-28 22:16 . 2009-11-28 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-10-29 07:46 . 2007-04-18 12:31 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-05 03:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-05 03:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 06:00 . 2004-08-05 03:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-05 03:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-05 03:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-05 03:00 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-05 03:00 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-05 03:00 112128 ----a-w- c:\windows\system32\rastls.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-10-27 20:48 1196936 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-10-27 1196936]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-10-27 1196936]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-06 39408]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-12-06 2356088]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Preload"="c:\windows\RUNXMLPL.exe" [2007-04-21 20480]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-07 1015808]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-28 16132608]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-12 53248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-04-28 84640]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-04-28 26248]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-05 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-05 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-05 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-13 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-13 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-13 138008]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2007-02-20 61440]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-09 68640]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 52256]
"Acer ePresentation HPD"="c:\acer\Empowering Technology\ePresentation\ePresentation.exe" [2007-03-02 208896]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2007-07-04 475136]
"Boot"="c:\acer\Empowering Technology\ePower\Boot.exe" [2006-03-16 579584]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-05-28 342528]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2007-07-11 421888]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-10-17 858632]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-10 198160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acer Empowering Technology.lnk - c:\acer\Empowering Technology\Acer.Empowering.Framework.Launcher.exe [2008-11-5 45056]
Desktop Manager.lnk - c:\program files\Research In Motion\BlackBerry\DesktopMgr.exe [2006-7-26 1114217]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 15:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/23/2008 11:17 AM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/30/2009 10:39 PM 297752]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [1/23/2008 3:50 PM 101936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-12-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-12-19 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Tiffany Stephens.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2007-04-28 00:08]

2009-12-31 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-10-27 20:48]

2009-12-31 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-02 04:18]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - [You must be registered and logged in to see this link.]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-tmeodjdd - c:\documents and settings\Tiffany Stephens\Local Settings\Application Data\vmayrh\ofuhsysguard.exe
HKLM-Run-eLockMonitor - c:\acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe
HKLM-Run-tmeodjdd - c:\documents and settings\Tiffany Stephens\Local Settings\Application Data\vmayrh\ofuhsysguard.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:72,8a,64,75,69,46,2a,b7,f7,cd,c0,05,32,ce,82,07,21,d9,d9,d7,53,
93,03,12,82,f3,9a,b8,8c,1d,57,6a,5d,cc,37,f5,a5,51,97,75,4d,38,51,cc,4a,15,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:72,8a,64,75,69,46,2a,b7,f7,cd,c0,05,32,ce,82,07,21,d9,d9,d7,53,
93,03,12,82,f3,9a,b8,8c,1d,57,6a,5d,cc,37,f5,a5,51,97,75,4d,38,51,cc,4a,15,\
.
Completion time: 2009-12-30 19:40:47
ComboFix-quarantined-files.txt 2009-12-31 02:40

Pre-Run: 16,723,918,848 bytes free
Post-Run: 17,561,100,288 bytes free

- - End Of File - - 07178CF989168C5DDC59130A5E5D63EA

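As an added example (not part of this thread, and not ComboFix's own code), the following Python script walks a constructed excerpt modelled on the log above and flags the things a helper reading it would pick out: an autostart entry launching from a user-writable profile directory, the Security Center Monitoring key set to DisableMonitoring=1, the firewall profile with EnableFirewall=0, and an Internet Explorer proxy pointing at 127.0.0.1. The category names, the USER_WRITABLE marker list and the regular expressions are this example's own assumptions about the log layout.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted above (Reg Loading Points,
# Supplementary Scan and ORPHANS REMOVED sections); the paths are the ones in the thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-06 39408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Preload"="c:\windows\RUNXMLPL.exe" [2007-04-21 20480]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-12 2043160]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =

- - - - ORPHANS REMOVED - - - -

HKCU-Run-tmeodjdd - c:\documents and settings\Tiffany Stephens\Local Settings\Application Data\vmayrh\ofuhsysguard.exe
HKLM-Run-eLockMonitor - c:\acer\Empowering Technology\eLock\Monitor\LaunchMonitor.exe
"""

# Assumed line shapes, derived from the log excerpt above.
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*)$')
ORPHAN_RE = re.compile(r"^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+)\s+-\s+(?P<path>.+)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$")

# Directories an unprivileged user can write to; a program that autostarts from
# here rather than from Program Files or the Windows directory deserves a look.
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\")


def is_user_writable(path):
    """True if the path sits under a user-profile or temp directory."""
    return any(marker in path.lower() for marker in USER_WRITABLE)


def triage(log_text):
    """Return (category, location, detail) findings from a ComboFix-style log."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = ORPHAN_RE.match(line)
        if m:
            # Orphan Run entries ComboFix removed: report those in user-writable paths.
            if is_user_writable(m.group("path")):
                where = m.group("hive") + "\\Run\\" + m.group("name")
                findings.append(("autostart-userprofile", where, m.group("path")))
            continue
        m = PROXY_RE.match(line)
        if m:
            # A proxy on the loopback address means a local program sits between IE and the network.
            value = m.group("value")
            if "127.0.0.1" in value or "localhost" in value.lower():
                findings.append(("loopback-proxy", "uInternet Settings,ProxyServer", value))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group("name"), m.group("data")
        key = current_key.lower()
        if "\\currentversion\\run" in key and data.startswith('"'):
            path = data.split('"')[1]  # the quoted image path before the [date size] tag
            if is_user_writable(path):
                findings.append(("autostart-userprofile", current_key + "\\" + name, path))
        elif "security center\\monitoring" in key and name == "DisableMonitoring" and data.lower() == "dword:00000001":
            findings.append(("security-center-monitoring-off", current_key, data))
        elif "firewallpolicy" in key and name == "EnableFirewall" and data.lstrip().startswith("0"):
            findings.append(("firewall-disabled", current_key, data))
    return findings


if __name__ == "__main__":
    for category, where, detail in triage(SAMPLE_LOG):
        print(f"{category:32} {where}")
        print(f"{'':32} {detail}")
```

Run on the excerpt it reports the Security Center and firewall settings, the loopback proxy and the HKCU orphan pointing at ofuhsysguard.exe, while the Run entries under Program Files and the Windows directory pass through untouched. A proxy on 127.0.0.1 that the user never configured is consistent with every page being replaced by the same warning, as described earlier in the thread, and it is worth clearing even after the executable behind it has been removed.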

Re: Apparently I have a virus in which all my programs are infected

Post by Dr Jay on 31st December 2009, 3:22 am

Please download the [You must be registered and logged in to see this link.]. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.


Dr. Jay (DJ)




Re: Apparently I have a virus in which all my programs are infected

Post by tstephens on 31st December 2009, 3:35 pm

I've tried to do the scan several times. It stops at a file \Device\000000d2. A window appeared once and says: 'gmer.exe has encountered a problem and needs to close.' and it gives me the options to 'Send Error Report' and 'Don't Send'. The other times the scan window would close and freeze up my computer and so I would have to restart. Thanks for your help.


Re: Apparently I have a virus in which all my programs are infected

Post by Dr Jay on 31st December 2009, 9:26 pm

Copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

Code:
@echo off
REM Make a copy of GMER under a different file name, so the scanner runs under a
REM name the infection is less likely to be watching for, then start that copy
Copy /y gmer.exe ark.exe
Start ark.exe

Save it into the gmer folder as File name: ark.cmd
Save as type: All Files

Once done, double click ark.cmd to run it.

This should start GMER, follow the steps I have outlined earlier to save a log file, then post me the contents in your next reply.


Dr. Jay (DJ)




Re: Apparently I have a virus in which all my programs are infected

Post by tstephens on 25th January 2010, 5:18 am

I have tried to do this scan about 15+ times and every time I return to my computer, it restarts and, sometimes, I get an error message to 'Send Error Report'. Please help, very frustrated, sorry it took so long but would really like to get everything resolved before moving forward. Thank you for everything.


Re: Apparently I have a virus in which all my programs are infected

Post by Dr Jay on 25th January 2010, 4:49 pm

Let's try something different.

Please download RootRepeal from [You must be registered and logged in to see this link.].

  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report.
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Please remove any e-mail address in the RootRepeal report (if present).


Dr. Jay (DJ)




Re: Apparently I have a virus in which all my programs are infected

Post by tstephens on 27th January 2010, 4:44 am

Thank you for your help.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/26 20:39
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA7999000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA638000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA5F44000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "" at address 0x8a5c7190

#: 013 Function Name: NtAlertThread
Status: Hooked by "" at address 0x8a5ae190

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "" at address 0x8a4b9218

#: 031 Function Name: NtConnectPort
Status: Hooked by "" at address 0x8a5822b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa7cdd020

#: 043 Function Name: NtCreateMutant
Status: Hooked by "" at address 0x8a4a6080

#: 053 Function Name: NtCreateThread
Status: Hooked by "" at address 0x8a52cda8

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa7cdd2a0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa7cdd800

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "" at address 0x8a41b6c0

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "" at address 0x8a5a6190

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "" at address 0x8a5ab190

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "" at address 0x8a68b998

#: 114 Function Name: NtOpenEvent
Status: Hooked by "" at address 0x8a5a2190

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "" at address 0x8a423360

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "" at address 0x8a5ac260

#: 206 Function Name: NtResumeThread
Status: Hooked by "" at address 0x8a4e7170

#: 213 Function Name: NtSetContextThread
Status: Hooked by "" at address 0x8a6ff368

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "" at address 0x8a5ac2f0

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "" at address 0x8a5aef30

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa7cdda50

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "" at address 0x8a5ca530

#: 254 Function Name: NtSuspendThread
Status: Hooked by "" at address 0x8a5ae158

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "" at address 0x8a5cc178

#: 258 Function Name: NtTerminateThread
Status: Hooked by "" at address 0x8a5d2148

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "" at address 0x8a583180

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "" at address 0x8a4577f0

==EOF==

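An added example, not part of the thread and not RootRepeal's own code: a Python script that parses a constructed excerpt modelled on the report above and separates SSDT hooks attributed to a named driver (here SYMEVENT.SYS, the Symantec product on the machine) from hooks whose module name is empty, checking whether each unattributed hook address falls inside any driver image the report lists. The regular expressions and the result layout are this example's assumptions about RootRepeal's text format.

```python
import re

# Constructed excerpt modelled on the RootRepeal report posted above.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA7999000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA5F44000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "" at address 0x8a5c7190

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa7cdd020

#: 053 Function Name: NtCreateThread
Status: Hooked by "" at address 0x8a52cda8

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "" at address 0x8a4577f0
"""

# Assumed line shapes, derived from the report excerpt above.
DRIVER_RE = re.compile(r"^Address:\s*0x(?P<addr>[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)")
FUNC_RE = re.compile(r"^#:\s*(?P<idx>\d+)\s+Function Name:\s*(?P<fn>\S+)")
HOOK_RE = re.compile(r'^Status:\s*Hooked by "(?P<mod>[^"]*)" at address 0x(?P<addr>[0-9A-Fa-f]+)')


def parse_report(text):
    """Return (drivers, hooks): drivers as (name, base, size), hooks as (index, function, module, address)."""
    drivers, hooks = [], []
    driver_name = None   # Name: line waiting for its Address:/Size: line
    pending_fn = None    # #: line waiting for its Status: line
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            driver_name = line.split(":", 1)[1].strip()
            continue
        m = DRIVER_RE.match(line)
        if m and driver_name:
            drivers.append((driver_name, int(m.group("addr"), 16), int(m.group("size"))))
            driver_name = None
            continue
        m = FUNC_RE.match(line)
        if m:
            pending_fn = (int(m.group("idx")), m.group("fn"))
            continue
        m = HOOK_RE.match(line)
        if m and pending_fn:
            hooks.append((pending_fn[0], pending_fn[1], m.group("mod"), int(m.group("addr"), 16)))
            pending_fn = None
    return drivers, hooks


def owning_driver(addr, drivers):
    """Name of the listed driver whose image range contains addr, or None."""
    for name, base, size in drivers:
        if base <= addr < base + size:
            return name
    return None


def classify_hooks(text):
    """Split hooks into those naming a module and those with an empty module name.

    Unattributed hooks carry the hex address and the listed driver that owns it
    (None when the address is inside no listed image).
    """
    drivers, hooks = parse_report(text)
    result = {"attributed": [], "unattributed": []}
    for _idx, fn, mod, addr in hooks:
        if mod:
            result["attributed"].append((fn, mod))
        else:
            result["unattributed"].append((fn, hex(addr), owning_driver(addr, drivers)))
    return result


if __name__ == "__main__":
    summary = classify_hooks(SAMPLE_REPORT)
    for fn, mod in summary["attributed"]:
        print(f"{fn:28} hooked by {mod}")
    for fn, addr, owner in summary["unattributed"]:
        print(f"{fn:28} hooked by <no module> at {addr}, owner: {owner or 'none listed'}")
```

On the excerpt the NtCreateKey hook resolves to SYMEVENT.SYS, while the three hooks with an empty module name sit at addresses inside none of the listed driver images. RootRepeal's Drivers section only lists drivers it considers unusual, so "owner: none listed" is not proof on its own; the pattern that matters is an unnamed hooker on thread, process and memory functions, which is what sends a helper to a rootkit-specific tool as the next post in this thread does.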

Re: Apparently I have a virus in which all my programs are infected

Post by Dr Jay on 27th January 2010, 5:40 am

Download this [You must be registered and logged in to see this link.] & extract TDSSKiller.exe onto your Desktop

Then create this batch file to be placed next to TDSSKiller

=====

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:
Code:
@ECHO OFF
REM Run TDSSKiller, writing a verbose log to Logit.txt, and wait for it to finish
START /WAIT TDSSKILLER.exe -l Logit.txt -v
REM Open the log in the default text editor
START Logit.txt
REM Delete this batch file once it has run
del %0
Save this as fix.bat. Choose "Save type as - All Files".
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says


Dr. Jay (DJ)




Re: Apparently I have a virus in which all my programs are infected

Post by tstephens on 27th January 2010, 6:11 am

Here you go....

23:06:09:078 5888 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
23:06:09:078 5888 ================================================================================
23:06:09:078 5888 SystemInfo:

23:06:09:078 5888 OS Version: 5.1.2600 ServicePack: 2.0
23:06:09:078 5888 Product type: Workstation
23:06:09:078 5888 ComputerName: ACER-47CBE8A5ED
23:06:09:078 5888 UserName: *My Name*
23:06:09:078 5888 Windows directory: C:\WINDOWS
23:06:09:078 5888 Processor architecture: Intel x86
23:06:09:078 5888 Number of processors: 2
23:06:09:078 5888 Page size: 0x1000
23:06:09:078 5888 Boot type: Normal boot
23:06:09:078 5888 ================================================================================
23:06:09:093 5888 UnloadDriverW: NtUnloadDriver error 2
23:06:09:093 5888 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
23:06:09:093 5888 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
23:06:09:109 5888 UtilityInit: KLMD drop and load success
23:06:09:109 5888 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
23:06:09:109 5888 UtilityInit: KLMD open success
23:06:09:109 5888 UtilityInit: Initialize success
23:06:09:109 5888
23:06:09:109 5888 Scanning Services ...
23:06:09:109 5888 CreateRegParser: Registry parser init started
23:06:09:109 5888 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
23:06:09:109 5888 CreateRegParser: DisableWow64Redirection error
23:06:09:109 5888 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
23:06:09:109 5888 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
23:06:09:109 5888 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:06:09:109 5888 wfopen_ex: Trying to KLMD file open
23:06:09:109 5888 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
23:06:09:109 5888 wfopen_ex: File opened ok (Flags 2)
23:06:09:109 5888 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: AD4A08
23:06:09:109 5888 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
23:06:09:109 5888 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
23:06:09:109 5888 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:06:09:109 5888 wfopen_ex: Trying to KLMD file open
23:06:09:109 5888 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
23:06:09:109 5888 wfopen_ex: File opened ok (Flags 2)
23:06:09:109 5888 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: AD4AB0
23:06:09:109 5888 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
23:06:09:109 5888 CreateRegParser: EnableWow64Redirection error
23:06:09:109 5888 CreateRegParser: RegParser init completed
23:06:09:546 5888 GetAdvancedServicesInfo: Raw services enum returned 397 services
23:06:09:546 5888 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
23:06:09:546 5888 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
23:06:09:546 5888
23:06:09:546 5888 Scanning Kernel memory ...
23:06:09:546 5888 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
23:06:09:546 5888 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A715A60
23:06:09:546 5888 DetectCureTDL3: KLMD_GetDeviceObjectList returned 5 DevObjects
23:06:09:546 5888
23:06:09:546 5888 DetectCureTDL3: DEVICE_OBJECT: 88D11030
23:06:09:546 5888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 88D11030
23:06:09:546 5888 KLMD_ReadMem: Trying to ReadMemory 0x88D11030[0x38]
23:06:09:546 5888 DetectCureTDL3: DRIVER_OBJECT: 8A715A60
23:06:09:546 5888 KLMD_ReadMem: Trying to ReadMemory 0x8A715A60[0xA8]
23:06:09:546 5888 KLMD_ReadMem: Trying to ReadMemory 0xE1013E20[0x18]
23:06:09:546 5888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
23:06:09:546 5888 DetectCureTDL3: IrpHandler (0) addr: BA18EC30
23:06:09:546 5888 DetectCureTDL3: IrpHandler (1) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (2) addr: BA18EC30
23:06:09:546 5888 DetectCureTDL3: IrpHandler (3) addr: BA188D9B
23:06:09:546 5888 DetectCureTDL3: IrpHandler (4) addr: BA188D9B
23:06:09:546 5888 DetectCureTDL3: IrpHandler (5) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (6) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (7) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (8) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (9) addr: BA189366
23:06:09:546 5888 DetectCureTDL3: IrpHandler (10) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (11) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (12) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (13) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (14) addr: BA18944D
23:06:09:546 5888 DetectCureTDL3: IrpHandler (15) addr: BA18CFC3
23:06:09:546 5888 DetectCureTDL3: IrpHandler (16) addr: BA189366
23:06:09:546 5888 DetectCureTDL3: IrpHandler (17) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (18) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (19) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (20) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (21) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (22) addr: BA18AEF3
23:06:09:546 5888 DetectCureTDL3: IrpHandler (23) addr: BA18FA24
23:06:09:546 5888 DetectCureTDL3: IrpHandler (24) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (25) addr: 804F4544
23:06:09:546 5888 DetectCureTDL3: IrpHandler (26) addr: 804F4544
23:06:09:546 5888 TDL3_FileDetect: Processing driver: Disk
23:06:09:546 5888 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
23:06:09:546 5888 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
23:06:09:562 5888 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
23:06:09:562 5888
23:06:09:562 5888 DetectCureTDL3: DEVICE_OBJECT: 8A6BFC68
23:06:09:562 5888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6BFC68
23:06:09:562 5888 KLMD_ReadMem: Trying to ReadMemory 0x8A6BFC68[0x38]
23:06:09:562 5888 DetectCureTDL3: DRIVER_OBJECT: 8A715A60
23:06:09:562 5888 KLMD_ReadMem: Trying to ReadMemory 0x8A715A60[0xA8]
23:06:09:562 5888 KLMD_ReadMem: Trying to ReadMemory 0xE1013E20[0x18]
23:06:09:562 5888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
23:06:09:562 5888 DetectCureTDL3: IrpHandler (0) addr: BA18EC30
23:06:09:562 5888 DetectCureTDL3: IrpHandler (1) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (2) addr: BA18EC30
23:06:09:562 5888 DetectCureTDL3: IrpHandler (3) addr: BA188D9B
23:06:09:562 5888 DetectCureTDL3: IrpHandler (4) addr: BA188D9B
23:06:09:562 5888 DetectCureTDL3: IrpHandler (5) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (6) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (7) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (8) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (9) addr: BA189366
23:06:09:562 5888 DetectCureTDL3: IrpHandler (10) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (11) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (12) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (13) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (14) addr: BA18944D
23:06:09:562 5888 DetectCureTDL3: IrpHandler (15) addr: BA18CFC3
23:06:09:562 5888 DetectCureTDL3: IrpHandler (16) addr: BA189366
23:06:09:562 5888 DetectCureTDL3: IrpHandler (17) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (18) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (19) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (20) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (21) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (22) addr: BA18AEF3
23:06:09:562 5888 DetectCureTDL3: IrpHandler (23) addr: BA18FA24
23:06:09:562 5888 DetectCureTDL3: IrpHandler (24) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (25) addr: 804F4544
23:06:09:562 5888 DetectCureTDL3: IrpHandler (26) addr: 804F4544
23:06:09:562 5888 TDL3_FileDetect: Processing driver: Disk
23:06:09:562 5888 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
23:06:09:562 5888 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
23:06:09:562 5888 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
23:06:09:562 5888
23:06:09:562 5888 DetectCureTDL3: DEVICE_OBJECT: 8A714C68
23:06:09:562 5888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A714C68
23:06:09:562 5888 KLMD_ReadMem: Trying to ReadMemory 0x8A714C68[0x38]
23:06:09:562 5888 DetectCureTDL3: DRIVER_OBJECT: 8A715A60
23:06:09:578 5888 KLMD_ReadMem: Trying to ReadMemory 0x8A715A60[0xA8]
23:06:09:578 5888 KLMD_ReadMem: Trying to ReadMemory 0xE1013E20[0x18]
23:06:09:578 5888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
23:06:09:578 5888 DetectCureTDL3: IrpHandler (0) addr: BA18EC30
23:06:09:578 5888 DetectCureTDL3: IrpHandler (1) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (2) addr: BA18EC30
23:06:09:578 5888 DetectCureTDL3: IrpHandler (3) addr: BA188D9B
23:06:09:578 5888 DetectCureTDL3: IrpHandler (4) addr: BA188D9B
23:06:09:578 5888 DetectCureTDL3: IrpHandler (5) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (6) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (7) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (8) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (9) addr: BA189366
23:06:09:578 5888 DetectCureTDL3: IrpHandler (10) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (11) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (12) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (13) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (14) addr: BA18944D
23:06:09:578 5888 DetectCureTDL3: IrpHandler (15) addr: BA18CFC3
23:06:09:578 5888 DetectCureTDL3: IrpHandler (16) addr: BA189366
23:06:09:578 5888 DetectCureTDL3: IrpHandler (17) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (18) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (19) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (20) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (21) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (22) addr: BA18AEF3
23:06:09:578 5888 DetectCureTDL3: IrpHandler (23) addr: BA18FA24
23:06:09:578 5888 DetectCureTDL3: IrpHandler (24) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (25) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (26) addr: 804F4544
23:06:09:578 5888 TDL3_FileDetect: Processing driver: Disk
23:06:09:578 5888 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
23:06:09:578 5888 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
23:06:09:578 5888 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
23:06:09:578 5888
23:06:09:578 5888 DetectCureTDL3: DEVICE_OBJECT: 8A712C68
23:06:09:578 5888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A712C68
23:06:09:578 5888 KLMD_ReadMem: Trying to ReadMemory 0x8A712C68[0x38]
23:06:09:578 5888 DetectCureTDL3: DRIVER_OBJECT: 8A715A60
23:06:09:578 5888 KLMD_ReadMem: Trying to ReadMemory 0x8A715A60[0xA8]
23:06:09:578 5888 KLMD_ReadMem: Trying to ReadMemory 0xE1013E20[0x18]
23:06:09:578 5888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
23:06:09:578 5888 DetectCureTDL3: IrpHandler (0) addr: BA18EC30
23:06:09:578 5888 DetectCureTDL3: IrpHandler (1) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (2) addr: BA18EC30
23:06:09:578 5888 DetectCureTDL3: IrpHandler (3) addr: BA188D9B
23:06:09:578 5888 DetectCureTDL3: IrpHandler (4) addr: BA188D9B
23:06:09:578 5888 DetectCureTDL3: IrpHandler (5) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (6) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (7) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (8) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (9) addr: BA189366
23:06:09:578 5888 DetectCureTDL3: IrpHandler (10) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (11) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (12) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (13) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (14) addr: BA18944D
23:06:09:578 5888 DetectCureTDL3: IrpHandler (15) addr: BA18CFC3
23:06:09:578 5888 DetectCureTDL3: IrpHandler (16) addr: BA189366
23:06:09:578 5888 DetectCureTDL3: IrpHandler (17) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (18) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (19) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (20) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (21) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (22) addr: BA18AEF3
23:06:09:578 5888 DetectCureTDL3: IrpHandler (23) addr: BA18FA24
23:06:09:578 5888 DetectCureTDL3: IrpHandler (24) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (25) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (26) addr: 804F4544
23:06:09:578 5888 TDL3_FileDetect: Processing driver: Disk
23:06:09:578 5888 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
23:06:09:578 5888 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
23:06:09:578 5888 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
23:06:09:578 5888
23:06:09:578 5888 DetectCureTDL3: DEVICE_OBJECT: 8A70EAB8
23:06:09:578 5888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A70EAB8
23:06:09:578 5888 DetectCureTDL3: DEVICE_OBJECT: 8A6F6030
23:06:09:578 5888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6F6030
23:06:09:578 5888 DetectCureTDL3: DEVICE_OBJECT: 8A6D3940
23:06:09:578 5888 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6D3940
23:06:09:578 5888 KLMD_ReadMem: Trying to ReadMemory 0x8A6D3940[0x38]
23:06:09:578 5888 DetectCureTDL3: DRIVER_OBJECT: 8A6F5528
23:06:09:578 5888 KLMD_ReadMem: Trying to ReadMemory 0x8A6F5528[0xA8]
23:06:09:578 5888 KLMD_ReadMem: Trying to ReadMemory 0xE17768C8[0x1A]
23:06:09:578 5888 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
23:06:09:578 5888 DetectCureTDL3: IrpHandler (0) addr: B9E18572
23:06:09:578 5888 DetectCureTDL3: IrpHandler (1) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (2) addr: B9E18572
23:06:09:578 5888 DetectCureTDL3: IrpHandler (3) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (4) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (5) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (6) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (7) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (8) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (9) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (10) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (11) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (12) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (13) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (14) addr: B9E18592
23:06:09:578 5888 DetectCureTDL3: IrpHandler (15) addr: B9E147B4
23:06:09:578 5888 DetectCureTDL3: IrpHandler (16) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (17) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (18) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (19) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (20) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (21) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (22) addr: B9E185BC
23:06:09:578 5888 DetectCureTDL3: IrpHandler (23) addr: B9E1F164
23:06:09:578 5888 DetectCureTDL3: IrpHandler (24) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (25) addr: 804F4544
23:06:09:578 5888 DetectCureTDL3: IrpHandler (26) addr: 804F4544
23:06:09:578 5888 KLMD_ReadMem: Trying to ReadMemory 0xB9E157C6[0x400]
23:06:09:578 5888 TDL3_StartIoHookDetect: CheckParameters: 0, 00000000, 0
23:06:09:578 5888 TDL3_FileDetect: Processing driver: atapi
23:06:09:578 5888 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
23:06:09:578 5888 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
23:06:09:578 5888 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
23:06:09:578 5888
23:06:09:578 5888 Completed
23:06:09:578 5888
23:06:09:578 5888 Results:
23:06:09:578 5888 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
23:06:09:578 5888 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:06:09:593 5888 File objects infected / cured / cured on reboot: 0 / 0 / 0
23:06:09:593 5888
23:06:09:593 5888 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
23:06:09:593 5888 UtilityDeinit: KLMD(ARK) unloaded successfully


Re: Apparently I have a virus in which all my programs are infected

Post by Dr Jay on 27th January 2010, 11:47 am


  1. Download Win32kDiag from any of the following locations and save it to your Desktop.

  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


Dr. Jay (DJ)




Re: Apparently I have a virus in which all my programs are infected

Post by tstephens on 28th January 2010, 5:10 am

Running from: C:\Documents and Settings\Tiffany Stephens\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Tiffany Stephens\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!


Re: Apparently I have a virus in which all my programs are infected

Post by Dr Jay on 28th January 2010, 4:36 pm

Please download [You must be registered and logged in to see this link.], and save to your Desktop.
  • Double-click on vtool.zip, and extract the file to your Desktop.
  • Double-click on vtool.cmd to start.
  • !! IMPORTANT !!::: At each prompt ("Press any key to continue..."), wait 10 seconds before pressing a key. This tool needs time to process each prompt.
  • It will finish eventually and launch a log. Do NOT exit the tool. Allow it to finish. (vtool.txt)
  • Post the contents of it in your next reply.


Dr. Jay (DJ)

