Google search redirects! Malwarebytes didn't fix it


Re: Google search redirects! Malwarebytes didn't fix it

Unread postby Ultimate86 » May 5th, 2010, 8:35 am

OK so I ran TDSS twice. The first time it said that it detected a rootkit - Atapi.sys - and asked me to click "Y" to reboot. I did so and re-ran TDSS and found that there was no more evidence of Atapi.sys in the second scan. Here are the logs from both times I ran the program.

FIRST TIME

05:24:01:644 3376 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
05:24:01:644 3376 ================================================================================
05:24:01:644 3376 SystemInfo:

05:24:01:644 3376 OS Version: 5.1.2600 ServicePack: 3.0
05:24:01:644 3376 Product type: Workstation
05:24:01:644 3376 ComputerName: ALEX
05:24:01:644 3376 UserName: The_Club
05:24:01:644 3376 Windows directory: C:\WINDOWS
05:24:01:644 3376 Processor architecture: Intel x86
05:24:01:644 3376 Number of processors: 1
05:24:01:644 3376 Page size: 0x1000
05:24:01:644 3376 Boot type: Normal boot
05:24:01:644 3376 ================================================================================
05:24:01:660 3376 UnloadDriverW: NtUnloadDriver error 2
05:24:01:660 3376 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
05:24:01:738 3376 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
05:24:01:738 3376 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
05:24:01:738 3376 wfopen_ex: Trying to KLMD file open
05:24:01:738 3376 wfopen_ex: File opened ok (Flags 2)
05:24:01:738 3376 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
05:24:01:738 3376 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
05:24:01:738 3376 wfopen_ex: Trying to KLMD file open
05:24:01:738 3376 wfopen_ex: File opened ok (Flags 2)
05:24:01:738 3376 Initialize success
05:24:01:738 3376
05:24:01:738 3376 Scanning Services ...
05:24:02:363 3376 Raw services enum returned 369 services
05:24:02:379 3376
05:24:02:379 3376 Scanning Kernel memory ...
05:24:02:379 3376 Devices to scan: 4
05:24:02:379 3376
05:24:02:379 3376 Driver Name: Disk
05:24:02:379 3376 IRP_MJ_CREATE : F76A1BB0
05:24:02:379 3376 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
05:24:02:379 3376 IRP_MJ_CLOSE : F76A1BB0
05:24:02:379 3376 IRP_MJ_READ : F769BD1F
05:24:02:379 3376 IRP_MJ_WRITE : F769BD1F
05:24:02:379 3376 IRP_MJ_QUERY_INFORMATION : 804F355A
05:24:02:379 3376 IRP_MJ_SET_INFORMATION : 804F355A
05:24:02:379 3376 IRP_MJ_QUERY_EA : 804F355A
05:24:02:379 3376 IRP_MJ_SET_EA : 804F355A
05:24:02:379 3376 IRP_MJ_FLUSH_BUFFERS : F769C2E2
05:24:02:379 3376 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
05:24:02:379 3376 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
05:24:02:379 3376 IRP_MJ_DIRECTORY_CONTROL : 804F355A
05:24:02:379 3376 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
05:24:02:379 3376 IRP_MJ_DEVICE_CONTROL : F769C3BB
05:24:02:379 3376 IRP_MJ_INTERNAL_DEVICE_CONTROL : F769FF28
05:24:02:379 3376 IRP_MJ_SHUTDOWN : F769C2E2
05:24:02:379 3376 IRP_MJ_LOCK_CONTROL : 804F355A
05:24:02:379 3376 IRP_MJ_CLEANUP : 804F355A
05:24:02:379 3376 IRP_MJ_CREATE_MAILSLOT : 804F355A
05:24:02:379 3376 IRP_MJ_QUERY_SECURITY : 804F355A
05:24:02:379 3376 IRP_MJ_SET_SECURITY : 804F355A
05:24:02:379 3376 IRP_MJ_POWER : F769DC82
05:24:02:379 3376 IRP_MJ_SYSTEM_CONTROL : F76A299E
05:24:02:379 3376 IRP_MJ_DEVICE_CHANGE : 804F355A
05:24:02:379 3376 IRP_MJ_QUERY_QUOTA : 804F355A
05:24:02:379 3376 IRP_MJ_SET_QUOTA : 804F355A
05:24:02:394 3376 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
05:24:02:394 3376
05:24:02:394 3376 Driver Name: Disk
05:24:02:394 3376 IRP_MJ_CREATE : F76A1BB0
05:24:02:394 3376 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
05:24:02:394 3376 IRP_MJ_CLOSE : F76A1BB0
05:24:02:394 3376 IRP_MJ_READ : F769BD1F
05:24:02:394 3376 IRP_MJ_WRITE : F769BD1F
05:24:02:394 3376 IRP_MJ_QUERY_INFORMATION : 804F355A
05:24:02:394 3376 IRP_MJ_SET_INFORMATION : 804F355A
05:24:02:394 3376 IRP_MJ_QUERY_EA : 804F355A
05:24:02:394 3376 IRP_MJ_SET_EA : 804F355A
05:24:02:394 3376 IRP_MJ_FLUSH_BUFFERS : F769C2E2
05:24:02:394 3376 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
05:24:02:394 3376 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
05:24:02:394 3376 IRP_MJ_DIRECTORY_CONTROL : 804F355A
05:24:02:394 3376 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
05:24:02:394 3376 IRP_MJ_DEVICE_CONTROL : F769C3BB
05:24:02:394 3376 IRP_MJ_INTERNAL_DEVICE_CONTROL : F769FF28
05:24:02:394 3376 IRP_MJ_SHUTDOWN : F769C2E2
05:24:02:394 3376 IRP_MJ_LOCK_CONTROL : 804F355A
05:24:02:394 3376 IRP_MJ_CLEANUP : 804F355A
05:24:02:394 3376 IRP_MJ_CREATE_MAILSLOT : 804F355A
05:24:02:394 3376 IRP_MJ_QUERY_SECURITY : 804F355A
05:24:02:394 3376 IRP_MJ_SET_SECURITY : 804F355A
05:24:02:394 3376 IRP_MJ_POWER : F769DC82
05:24:02:410 3376 IRP_MJ_SYSTEM_CONTROL : F76A299E
05:24:02:410 3376 IRP_MJ_DEVICE_CHANGE : 804F355A
05:24:02:410 3376 IRP_MJ_QUERY_QUOTA : 804F355A
05:24:02:410 3376 IRP_MJ_SET_QUOTA : 804F355A
05:24:02:410 3376 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
05:24:02:410 3376
05:24:02:410 3376 Driver Name: Disk
05:24:02:410 3376 IRP_MJ_CREATE : F76A1BB0
05:24:02:410 3376 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
05:24:02:410 3376 IRP_MJ_CLOSE : F76A1BB0
05:24:02:410 3376 IRP_MJ_READ : F769BD1F
05:24:02:410 3376 IRP_MJ_WRITE : F769BD1F
05:24:02:410 3376 IRP_MJ_QUERY_INFORMATION : 804F355A
05:24:02:410 3376 IRP_MJ_SET_INFORMATION : 804F355A
05:24:02:410 3376 IRP_MJ_QUERY_EA : 804F355A
05:24:02:410 3376 IRP_MJ_SET_EA : 804F355A
05:24:02:410 3376 IRP_MJ_FLUSH_BUFFERS : F769C2E2
05:24:02:410 3376 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
05:24:02:410 3376 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
05:24:02:410 3376 IRP_MJ_DIRECTORY_CONTROL : 804F355A
05:24:02:410 3376 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
05:24:02:410 3376 IRP_MJ_DEVICE_CONTROL : F769C3BB
05:24:02:410 3376 IRP_MJ_INTERNAL_DEVICE_CONTROL : F769FF28
05:24:02:410 3376 IRP_MJ_SHUTDOWN : F769C2E2
05:24:02:410 3376 IRP_MJ_LOCK_CONTROL : 804F355A
05:24:02:410 3376 IRP_MJ_CLEANUP : 804F355A
05:24:02:410 3376 IRP_MJ_CREATE_MAILSLOT : 804F355A
05:24:02:410 3376 IRP_MJ_QUERY_SECURITY : 804F355A
05:24:02:410 3376 IRP_MJ_SET_SECURITY : 804F355A
05:24:02:410 3376 IRP_MJ_POWER : F769DC82
05:24:02:410 3376 IRP_MJ_SYSTEM_CONTROL : F76A299E
05:24:02:410 3376 IRP_MJ_DEVICE_CHANGE : 804F355A
05:24:02:410 3376 IRP_MJ_QUERY_QUOTA : 804F355A
05:24:02:410 3376 IRP_MJ_SET_QUOTA : 804F355A
05:24:02:410 3376 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
05:24:02:410 3376
05:24:02:410 3376 Driver Name: atapi
05:24:02:410 3376 IRP_MJ_CREATE : F74A9B3A
05:24:02:410 3376 IRP_MJ_CREATE_NAMED_PIPE : F74A9B3A
05:24:02:410 3376 IRP_MJ_CLOSE : F74A9B3A
05:24:02:410 3376 IRP_MJ_READ : F74A9B3A
05:24:02:410 3376 IRP_MJ_WRITE : F74A9B3A
05:24:02:410 3376 IRP_MJ_QUERY_INFORMATION : F74A9B3A
05:24:02:410 3376 IRP_MJ_SET_INFORMATION : F74A9B3A
05:24:02:410 3376 IRP_MJ_QUERY_EA : F74A9B3A
05:24:02:410 3376 IRP_MJ_SET_EA : F74A9B3A
05:24:02:410 3376 IRP_MJ_FLUSH_BUFFERS : F74A9B3A
05:24:02:410 3376 IRP_MJ_QUERY_VOLUME_INFORMATION : F74A9B3A
05:24:02:410 3376 IRP_MJ_SET_VOLUME_INFORMATION : F74A9B3A
05:24:02:410 3376 IRP_MJ_DIRECTORY_CONTROL : F74A9B3A
05:24:02:410 3376 IRP_MJ_FILE_SYSTEM_CONTROL : F74A9B3A
05:24:02:410 3376 IRP_MJ_DEVICE_CONTROL : F74A9B3A
05:24:02:410 3376 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74A9B3A
05:24:02:410 3376 IRP_MJ_SHUTDOWN : F74A9B3A
05:24:02:410 3376 IRP_MJ_LOCK_CONTROL : F74A9B3A
05:24:02:410 3376 IRP_MJ_CLEANUP : F74A9B3A
05:24:02:410 3376 IRP_MJ_CREATE_MAILSLOT : F74A9B3A
05:24:02:410 3376 IRP_MJ_QUERY_SECURITY : F74A9B3A
05:24:02:410 3376 IRP_MJ_SET_SECURITY : F74A9B3A
05:24:02:410 3376 IRP_MJ_POWER : F74A9B3A
05:24:02:410 3376 IRP_MJ_SYSTEM_CONTROL : F74A9B3A
05:24:02:410 3376 IRP_MJ_DEVICE_CHANGE : F74A9B3A
05:24:02:410 3376 IRP_MJ_QUERY_QUOTA : F74A9B3A
05:24:02:410 3376 IRP_MJ_SET_QUOTA : F74A9B3A
05:24:02:410 3376 Driver "atapi" infected by TDSS rootkit!
05:24:02:441 3376 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
05:24:02:441 3376 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
05:24:02:441 3376 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
05:24:02:441 3376 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
05:24:02:723 3376 vfvi6
05:24:02:863 3376 !dsvbh1
05:24:05:598 3376 dsvbh2
05:24:05:660 3376 fdfb2
05:24:05:660 3376 Backup copy found, using it..
05:24:05:723 3376 will be cured on next reboot
05:24:05:723 3376 Reboot required for cure complete..
05:24:05:723 3376 Cure on reboot scheduled successfully
05:24:05:723 3376
05:24:05:723 3376 Completed
05:24:05:723 3376
05:24:05:723 3376 Results:
05:24:05:723 3376 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
05:24:05:723 3376 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
05:24:05:723 3376 File objects infected / cured / cured on reboot: 1 / 0 / 1
05:24:05:723 3376
05:24:05:723 3376 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
05:24:05:723 3376 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
05:24:05:723 3376 UnloadDriverW: NtUnloadDriver error 1
05:24:05:723 3376 KLMD(ARK) unloaded successfully



SECOND TIME

05:27:09:671 3112 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
05:27:09:671 3112 ================================================================================
05:27:09:671 3112 SystemInfo:

05:27:09:671 3112 OS Version: 5.1.2600 ServicePack: 3.0
05:27:09:671 3112 Product type: Workstation
05:27:09:671 3112 ComputerName: ALEX
05:27:09:671 3112 UserName: The_Club
05:27:09:671 3112 Windows directory: C:\WINDOWS
05:27:09:671 3112 Processor architecture: Intel x86
05:27:09:671 3112 Number of processors: 1
05:27:09:671 3112 Page size: 0x1000
05:27:09:687 3112 Boot type: Normal boot
05:27:09:687 3112 ================================================================================
05:27:11:312 3112 UnloadDriverW: NtUnloadDriver error 2
05:27:11:312 3112 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
05:27:11:640 3112 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
05:27:11:640 3112 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
05:27:11:640 3112 wfopen_ex: Trying to KLMD file open
05:27:11:640 3112 wfopen_ex: File opened ok (Flags 2)
05:27:11:656 3112 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
05:27:11:656 3112 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
05:27:11:656 3112 wfopen_ex: Trying to KLMD file open
05:27:11:656 3112 wfopen_ex: File opened ok (Flags 2)
05:27:11:656 3112 Initialize success
05:27:11:656 3112
05:27:11:687 3112 Scanning Services ...
05:27:19:609 3112 Raw services enum returned 369 services
05:27:19:843 3112
05:27:19:843 3112 Scanning Kernel memory ...
05:27:19:843 3112 Devices to scan: 4
05:27:19:843 3112
05:27:19:843 3112 Driver Name: Disk
05:27:19:843 3112 IRP_MJ_CREATE : F76A1BB0
05:27:19:843 3112 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
05:27:19:843 3112 IRP_MJ_CLOSE : F76A1BB0
05:27:19:843 3112 IRP_MJ_READ : F769BD1F
05:27:19:843 3112 IRP_MJ_WRITE : F769BD1F
05:27:19:843 3112 IRP_MJ_QUERY_INFORMATION : 804F355A
05:27:19:843 3112 IRP_MJ_SET_INFORMATION : 804F355A
05:27:19:843 3112 IRP_MJ_QUERY_EA : 804F355A
05:27:19:843 3112 IRP_MJ_SET_EA : 804F355A
05:27:19:843 3112 IRP_MJ_FLUSH_BUFFERS : F769C2E2
05:27:19:843 3112 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
05:27:19:843 3112 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
05:27:19:843 3112 IRP_MJ_DIRECTORY_CONTROL : 804F355A
05:27:19:843 3112 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
05:27:19:843 3112 IRP_MJ_DEVICE_CONTROL : F769C3BB
05:27:19:843 3112 IRP_MJ_INTERNAL_DEVICE_CONTROL : F769FF28
05:27:19:843 3112 IRP_MJ_SHUTDOWN : F769C2E2
05:27:19:843 3112 IRP_MJ_LOCK_CONTROL : 804F355A
05:27:19:843 3112 IRP_MJ_CLEANUP : 804F355A
05:27:19:843 3112 IRP_MJ_CREATE_MAILSLOT : 804F355A
05:27:19:843 3112 IRP_MJ_QUERY_SECURITY : 804F355A
05:27:19:843 3112 IRP_MJ_SET_SECURITY : 804F355A
05:27:19:843 3112 IRP_MJ_POWER : F769DC82
05:27:19:843 3112 IRP_MJ_SYSTEM_CONTROL : F76A299E
05:27:19:843 3112 IRP_MJ_DEVICE_CHANGE : 804F355A
05:27:19:843 3112 IRP_MJ_QUERY_QUOTA : 804F355A
05:27:19:843 3112 IRP_MJ_SET_QUOTA : 804F355A
05:27:19:953 3112 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
05:27:19:953 3112
05:27:19:953 3112 Driver Name: Disk
05:27:19:953 3112 IRP_MJ_CREATE : F76A1BB0
05:27:19:953 3112 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
05:27:19:953 3112 IRP_MJ_CLOSE : F76A1BB0
05:27:19:953 3112 IRP_MJ_READ : F769BD1F
05:27:19:953 3112 IRP_MJ_WRITE : F769BD1F
05:27:19:953 3112 IRP_MJ_QUERY_INFORMATION : 804F355A
05:27:19:953 3112 IRP_MJ_SET_INFORMATION : 804F355A
05:27:19:953 3112 IRP_MJ_QUERY_EA : 804F355A
05:27:19:953 3112 IRP_MJ_SET_EA : 804F355A
05:27:19:953 3112 IRP_MJ_FLUSH_BUFFERS : F769C2E2
05:27:19:953 3112 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
05:27:19:953 3112 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
05:27:19:953 3112 IRP_MJ_DIRECTORY_CONTROL : 804F355A
05:27:19:953 3112 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
05:27:19:953 3112 IRP_MJ_DEVICE_CONTROL : F769C3BB
05:27:19:953 3112 IRP_MJ_INTERNAL_DEVICE_CONTROL : F769FF28
05:27:19:953 3112 IRP_MJ_SHUTDOWN : F769C2E2
05:27:19:953 3112 IRP_MJ_LOCK_CONTROL : 804F355A
05:27:19:953 3112 IRP_MJ_CLEANUP : 804F355A
05:27:19:953 3112 IRP_MJ_CREATE_MAILSLOT : 804F355A
05:27:19:953 3112 IRP_MJ_QUERY_SECURITY : 804F355A
05:27:19:953 3112 IRP_MJ_SET_SECURITY : 804F355A
05:27:19:953 3112 IRP_MJ_POWER : F769DC82
05:27:19:953 3112 IRP_MJ_SYSTEM_CONTROL : F76A299E
05:27:19:953 3112 IRP_MJ_DEVICE_CHANGE : 804F355A
05:27:19:953 3112 IRP_MJ_QUERY_QUOTA : 804F355A
05:27:19:953 3112 IRP_MJ_SET_QUOTA : 804F355A
05:27:19:968 3112 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
05:27:19:968 3112
05:27:19:968 3112 Driver Name: Disk
05:27:19:968 3112 IRP_MJ_CREATE : F76A1BB0
05:27:19:968 3112 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
05:27:19:968 3112 IRP_MJ_CLOSE : F76A1BB0
05:27:19:968 3112 IRP_MJ_READ : F769BD1F
05:27:19:968 3112 IRP_MJ_WRITE : F769BD1F
05:27:19:984 3112 IRP_MJ_QUERY_INFORMATION : 804F355A
05:27:19:984 3112 IRP_MJ_SET_INFORMATION : 804F355A
05:27:19:984 3112 IRP_MJ_QUERY_EA : 804F355A
05:27:19:984 3112 IRP_MJ_SET_EA : 804F355A
05:27:19:984 3112 IRP_MJ_FLUSH_BUFFERS : F769C2E2
05:27:19:984 3112 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
05:27:19:984 3112 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
05:27:19:984 3112 IRP_MJ_DIRECTORY_CONTROL : 804F355A
05:27:19:984 3112 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
05:27:19:984 3112 IRP_MJ_DEVICE_CONTROL : F769C3BB
05:27:19:984 3112 IRP_MJ_INTERNAL_DEVICE_CONTROL : F769FF28
05:27:19:984 3112 IRP_MJ_SHUTDOWN : F769C2E2
05:27:19:984 3112 IRP_MJ_LOCK_CONTROL : 804F355A
05:27:19:984 3112 IRP_MJ_CLEANUP : 804F355A
05:27:19:984 3112 IRP_MJ_CREATE_MAILSLOT : 804F355A
05:27:19:984 3112 IRP_MJ_QUERY_SECURITY : 804F355A
05:27:19:984 3112 IRP_MJ_SET_SECURITY : 804F355A
05:27:19:984 3112 IRP_MJ_POWER : F769DC82
05:27:19:984 3112 IRP_MJ_SYSTEM_CONTROL : F76A299E
05:27:19:984 3112 IRP_MJ_DEVICE_CHANGE : 804F355A
05:27:19:984 3112 IRP_MJ_QUERY_QUOTA : 804F355A
05:27:19:984 3112 IRP_MJ_SET_QUOTA : 804F355A
05:27:19:984 3112 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
05:27:19:984 3112
05:27:19:984 3112 Driver Name: atapi
05:27:19:984 3112 IRP_MJ_CREATE : F74AA6F2
05:27:19:984 3112 IRP_MJ_CREATE_NAMED_PIPE : 804F355A
05:27:19:984 3112 IRP_MJ_CLOSE : F74AA6F2
05:27:19:984 3112 IRP_MJ_READ : 804F355A
05:27:19:984 3112 IRP_MJ_WRITE : 804F355A
05:27:19:984 3112 IRP_MJ_QUERY_INFORMATION : 804F355A
05:27:19:984 3112 IRP_MJ_SET_INFORMATION : 804F355A
05:27:19:984 3112 IRP_MJ_QUERY_EA : 804F355A
05:27:19:984 3112 IRP_MJ_SET_EA : 804F355A
05:27:19:984 3112 IRP_MJ_FLUSH_BUFFERS : 804F355A
05:27:19:984 3112 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F355A
05:27:19:984 3112 IRP_MJ_SET_VOLUME_INFORMATION : 804F355A
05:27:19:984 3112 IRP_MJ_DIRECTORY_CONTROL : 804F355A
05:27:19:984 3112 IRP_MJ_FILE_SYSTEM_CONTROL : 804F355A
05:27:19:984 3112 IRP_MJ_DEVICE_CONTROL : F74AA712
05:27:19:984 3112 IRP_MJ_INTERNAL_DEVICE_CONTROL : F74A6852
05:27:19:984 3112 IRP_MJ_SHUTDOWN : 804F355A
05:27:19:984 3112 IRP_MJ_LOCK_CONTROL : 804F355A
05:27:19:984 3112 IRP_MJ_CLEANUP : 804F355A
05:27:19:984 3112 IRP_MJ_CREATE_MAILSLOT : 804F355A
05:27:19:984 3112 IRP_MJ_QUERY_SECURITY : 804F355A
05:27:19:984 3112 IRP_MJ_SET_SECURITY : 804F355A
05:27:19:984 3112 IRP_MJ_POWER : F74AA73C
05:27:19:984 3112 IRP_MJ_SYSTEM_CONTROL : F74B1336
05:27:19:984 3112 IRP_MJ_DEVICE_CHANGE : 804F355A
05:27:19:984 3112 IRP_MJ_QUERY_QUOTA : 804F355A
05:27:19:984 3112 IRP_MJ_SET_QUOTA : 804F355A
05:27:20:031 3112 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
05:27:20:031 3112
05:27:20:046 3112 Completed
05:27:20:046 3112
05:27:20:046 3112 Results:
05:27:20:046 3112 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
05:27:20:046 3112 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
05:27:20:046 3112 File objects infected / cured / cured on reboot: 0 / 0 / 0
05:27:20:046 3112
05:27:20:046 3112 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
05:27:20:046 3112 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
05:27:20:046 3112 KLMD(ARK) unloaded successfully
Ultimate86
Active Member
 
Posts: 13
Joined: April 26th, 2010, 4:22 am
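Added example, not part of the thread and not TDSSKiller's own code: a small parser for the "Scanning Kernel memory" section of logs like the two above. It flags any driver whose whole IRP dispatch table points at a single address, the pattern the first scan shows for atapi, and diffs the atapi table between the two runs. The sample log it builds is constructed in the log's format from the addresses the thread's scans show.

```python
"""Spot TDSS-style IRP dispatch-table hooks in TDSSKiller kernel-memory output."""
import re

DRIVER_RE = re.compile(r"Driver Name:\s*(\S+)")
IRP_RE = re.compile(r"\b(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})\b")

# The 27 major function codes TDSSKiller lists per driver, in log order.
MAJORS = ("CREATE CREATE_NAMED_PIPE CLOSE READ WRITE QUERY_INFORMATION "
          "SET_INFORMATION QUERY_EA SET_EA FLUSH_BUFFERS QUERY_VOLUME_INFORMATION "
          "SET_VOLUME_INFORMATION DIRECTORY_CONTROL FILE_SYSTEM_CONTROL "
          "DEVICE_CONTROL INTERNAL_DEVICE_CONTROL SHUTDOWN LOCK_CONTROL CLEANUP "
          "CREATE_MAILSLOT QUERY_SECURITY SET_SECURITY POWER SYSTEM_CONTROL "
          "DEVICE_CHANGE QUERY_QUOTA SET_QUOTA").split()


def parse_dispatch_tables(log_text):
    """Return [(driver_name, {IRP_MJ_x: address}), ...] in log order."""
    tables = []
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            tables.append((m.group(1), {}))
            continue
        m = IRP_RE.search(line)
        if m and tables:
            tables[-1][1][m.group(1)] = m.group(2).upper()
    return tables


def find_hooked_tables(log_text, min_entries=20):
    """Drivers whose every listed major function resolves to one address.

    A healthy driver routes the majors it does not implement to the kernel's
    shared default handler (804F355A on the machine in the thread) and the
    rest to distinct routines inside its own image.  A hijacked driver object
    sends all of them through one hook, as the first scan shows for atapi.
    """
    hits = []
    for name, table in parse_dispatch_tables(log_text):
        if len(table) >= min_entries and len(set(table.values())) == 1:
            hits.append((name, next(iter(table.values()))))
    return hits


def diff_dispatch(before_log, after_log, driver):
    """Majors whose handler address changed between two scans of one driver."""
    def last_table(log):
        return next((t for n, t in reversed(parse_dispatch_tables(log)) if n == driver), {})
    old, new = last_table(before_log), last_table(after_log)
    return {k: (old.get(k), new.get(k)) for k in sorted(set(old) | set(new))
            if old.get(k) != new.get(k)}


# --- constructed sample in the log's format; addresses taken from the thread ---
def render_block(name, handlers, default="804F355A", stamp="05:24:02:410 3376"):
    lines = [f"{stamp} Driver Name: {name}"]
    for mj in MAJORS:
        lines.append(f"{stamp} IRP_MJ_{mj} : {handlers.get(mj, default)}")
    return "\n".join(lines)


DISK = {"CREATE": "F76A1BB0", "CLOSE": "F76A1BB0", "READ": "F769BD1F",
        "WRITE": "F769BD1F", "FLUSH_BUFFERS": "F769C2E2", "SHUTDOWN": "F769C2E2",
        "DEVICE_CONTROL": "F769C3BB", "INTERNAL_DEVICE_CONTROL": "F769FF28",
        "POWER": "F769DC82", "SYSTEM_CONTROL": "F76A299E"}
ATAPI_CLEAN = {"CREATE": "F74AA6F2", "CLOSE": "F74AA6F2", "DEVICE_CONTROL": "F74AA712",
               "INTERNAL_DEVICE_CONTROL": "F74A6852", "POWER": "F74AA73C",
               "SYSTEM_CONTROL": "F74B1336"}
# First scan: atapi's entire table points at the hook; second scan: cured.
FIRST_SCAN = render_block("Disk", DISK) + "\n" + render_block("atapi", {}, default="F74A9B3A")
SECOND_SCAN = render_block("Disk", DISK) + "\n" + render_block("atapi", ATAPI_CLEAN)

if __name__ == "__main__":
    print("hooked:", find_hooked_tables(FIRST_SCAN))
    print("majors changed after cure:", len(diff_dispatch(FIRST_SCAN, SECOND_SCAN, "atapi")))
```

Run it against a real TDSSKiller log by passing the file's text to find_hooked_tables; the Disk block is included so a legitimate multi-handler table is visibly not flagged.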

Re: Google search redirects! Malwarebytes didn't fix it

Unread postby Blade81 » May 5th, 2010, 11:19 am

Hi,

Does it still redirect the results?
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland

Re: Google search redirects! Malwarebytes didn't fix it

Unread postby Ultimate86 » May 6th, 2010, 7:18 am

It looks like a success! No more redirecting issues!
Ultimate86
Active Member
 
Posts: 13
Joined: April 26th, 2010, 4:22 am

Re: Google search redirects! Malwarebytes didn't fix it

Unread postby Blade81 » May 6th, 2010, 10:37 am

Good. Are you still noticing any problems? If not, it's time to secure your system to prevent further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis


Now let's uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK


Please download OTC and save it to desktop.
  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the
    Begin cleanup Process?
    prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of Windows has a hosts file as part of it.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok
  • Run Secunia vulnerability check here and fix its findings.
  • Get antivirus software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
    Antivir
    Avast!
    Good commercial ones are from:
    Kaspersky and
    ESET
  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation Install Comodo HopSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!). Both providers have support forums that help with configuration related questions.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade 8)
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland
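Added example, not the thread's own: a Python check of the six Internet-zone settings the post's "Make your Internet Explorer more secure" steps change, so the result can be verified rather than assumed. The action IDs (1001, 1004, 1201, 1800, 1804, 1607) and the value encoding (0 = Enable, 1 = Prompt, 3 = Disable) are the registry layout Microsoft documents for Internet Explorer security zones; the registry key path is that documented layout under HKCU, the live read is only attempted on Windows, and the sample snapshot is constructed.

```python
"""Audit the Internet zone (zone 3) settings the IE hardening steps above set."""
import sys

ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Zone action IDs for the six settings the post tells the user to change,
# paired with the level the post recommends.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit_internet_zone(current):
    """Compare a {action_id: value} snapshot with the recommended levels.

    Returns (action_id, description, current_level, wanted_level) for every
    setting that deviates.  A value that is absent from the key is reported
    as 'unset': IE then falls back to the zone template, which cannot be
    assumed to match the hardened value.
    """
    findings = []
    for action, (desc, wanted) in RECOMMENDED.items():
        have = current.get(action)
        if have != wanted:
            findings.append((action, desc, LEVEL_NAME.get(have, "unset"), LEVEL_NAME[wanted]))
    return findings


def read_internet_zone():
    """Read zone 3 from HKCU on Windows; return {} elsewhere so the audit still runs."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values under the key
            values[name] = data
            index += 1
    return values


# Constructed snapshot: the ActiveX settings were changed, the rest were not.
SAMPLE_ZONE = {"1001": PROMPT, "1004": DISABLE, "1201": DISABLE,
               "1800": ENABLE, "1804": ENABLE}

if __name__ == "__main__":
    snapshot = read_internet_zone() or SAMPLE_ZONE
    for action, desc, have, want in audit_internet_zone(snapshot):
        print(f"{action} {desc}: is {have}, should be {want}")
```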

Re: Google search redirects! Malwarebytes didn't fix it

Unread postby Ultimate86 » May 7th, 2010, 5:00 pm

Awesome, thank you! I've done it all and will look into those 3rd party programs. You have saved the day, Blade! :bounce:
Ultimate86
Active Member
 
Posts: 13
Joined: April 26th, 2010, 4:22 am

Re: Google search redirects! Malwarebytes didn't fix it

Unread postby Blade81 » May 7th, 2010, 5:44 pm

Since the issue seems to be resolved this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Blade81
Admin/Teacher
 
Posts: 5245
Joined: July 17th, 2006, 3:36 am
Location: Finland