Hi
I have run the files as asked; here are the logs:
___________________________________________________
Results of screen317's Security Check version 0.99.7
Windows 7 Service Pack 1 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
WMI entry may not exist for antivirus; attempting automatic update.
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
CCleaner
Adobe Flash Player
Adobe Reader 9.1
Out of date Adobe Reader installed!
Mozilla Firefox (x86 en-GB..)
Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````End of Log````````````
___________________________________________________
MiniToolBox by Farbar
Ran by Alicia Elouise Rose (administrator) on 05-07-2011 at 16:53:17
Windows 7 Home Premium Service Pack 1 (X86)
***************************************************************************
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================
127.0.0.1 localhost
=============== End of Hosts ==============================================
================= IP Configuration: =======================================
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
reset
set global
popd
# End of IPv4 configuration
Windows IP Configuration
Host Name . . . . . . . . . . . . : Alicia
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Atheros AR9285 Wireless Network Adapter
Physical Address. . . . . . . . . : F0-7B-CB-6D-25-82
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::a14c:bfb8:d07e:7b4c%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 05 July 2011 16:40:15
Lease Expires . . . . . . . . . . : 05 July 2011 17:40:15
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 317750219
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-12-AC-6E-3E-00-24-54-3A-C5-07
DNS Servers . . . . . . . . . . . : 194.168.4.100
194.168.8.100
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Marvell Yukon 88E8040 Family PCI-E Fast Ethernet Controller
Physical Address. . . . . . . . . : 00-24-54-2A-4C-48
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Teredo Tunneling Pseudo-Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:79fb:8cc:3314:a150:838d(Preferred)
Link-local IPv6 Address . . . . . : fe80::8cc:3314:a150:838d%12(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter isatap.{975BC963-2793-4FB5-8312-441187C59409}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Server: cache1.service.virginmedia.net
Address: 194.168.4.100
Name: google.com
Addresses: 209.85.146.105
209.85.146.106
209.85.146.103
209.85.146.147
209.85.146.104
209.85.146.99
Pinging google.com [209.85.146.103] with 32 bytes of data:
Reply from 209.85.146.103: bytes=32 time=26ms TTL=52
Reply from 209.85.146.103: bytes=32 time=29ms TTL=52
Ping statistics for 209.85.146.103:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 26ms, Maximum = 29ms, Average = 27ms
Server: cache1.service.virginmedia.net
Address: 194.168.4.100
Name: yahoo.com
Addresses: 98.137.149.56
209.191.122.70
67.195.160.76
69.147.125.65
72.30.2.43
Pinging yahoo.com [209.191.122.70] with 32 bytes of data:
Reply from 209.191.122.70: bytes=32 time=188ms TTL=50
Reply from 209.191.122.70: bytes=32 time=189ms TTL=50
Ping statistics for 209.191.122.70:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 188ms, Maximum = 189ms, Average = 188ms
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
11...f0 7b cb 6d 25 82 ......Atheros AR9285 Wireless Network Adapter
10...00 24 54 2a 4c 48 ......Marvell Yukon 88E8040 Family PCI-E Fast Ethernet Controller
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.3 25
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.3 281
192.168.0.3 255.255.255.255 On-link 192.168.0.3 281
192.168.0.255 255.255.255.255 On-link 192.168.0.3 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.3 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.3 281
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 58 ::/0 On-link
1 306 ::1/128 On-link
12 58 2001::/32 On-link
12 306 2001:0:5ef5:79fb:8cc:3314:a150:838d/128
On-link
11 281 fe80::/64 On-link
12 306 fe80::/64 On-link
12 306 fe80::8cc:3314:a150:838d/128
On-link
11 281 fe80::a14c:bfb8:d07e:7b4c/128
On-link
1 306 ff00::/8 On-link
12 306 ff00::/8 On-link
11 281 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
================= End of IP Configuration =================================
========================= Event log errors: ===============================
Application errors:
==================
Error: (07/04/2011 08:03:51 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
Error: (07/04/2011 08:03:32 PM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0"1".
Dependent Assembly Microsoft.Windows.Common-Controls,language="*",processorArchitecture="amd64",publicKeyToken="6595b64144ccf1df",type="win32",version="6.0.0.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.
Error: (07/04/2011 07:16:18 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7601.17514, time stamp: 0x4ce79912
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x87890000
Faulting process id: 0xdc0
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3
Error: (07/04/2011 05:48:45 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7601.17514, time stamp: 0x4ce79912
Faulting module name: AcroIEHelper.dll, version: 9.1.0.163, time stamp: 0x49a847f1
Exception code: 0xc0000005
Fault offset: 0x000013c3
Faulting process id: 0xf1c
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3
Error: (07/04/2011 04:54:54 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7601.17514, time stamp: 0x4ce79912
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x748d39ff
Faulting process id: 0xf1c
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3
Error: (07/03/2011 09:09:28 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7601.17514, time stamp: 0x4ce79912
Faulting module name: ntdll.dll, version: 6.1.7601.17514, time stamp: 0x4ce7b96e
Exception code: 0xc0000029
Fault offset: 0x0009052e
Faulting process id: 0x420
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3
Error: (07/03/2011 09:09:22 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7601.17514, time stamp: 0x4ce79912
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x0062006d
Faulting process id: 0x420
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3
Error: (07/03/2011 08:33:02 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7601.17514, time stamp: 0x4ce79912
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x148664ed
Faulting process id: 0xed0
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3
Error: (07/03/2011 07:19:36 PM) (Source: Application Error) (User: )
Description: Faulting application name: iexplore.exe, version: 8.0.7601.17514, time stamp: 0x4ce79912
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x000d0abc
Faulting process id: 0xee8
Faulting application start time: 0xiexplore.exe0
Faulting application path: iexplore.exe1
Faulting module path: iexplore.exe2
Report Id: iexplore.exe3
Error: (07/03/2011 05:37:27 PM) (Source: Avira AntiVir) (User: SYSTEM)SYSTEM
Description: The keyfile contains no valid license. The service will be stopped!
System errors:
=============
Error: (07/05/2011 04:44:25 PM) (Source: Microsoft-Windows-Application-Experience) (User: SYSTEM)
Description: The Program Compatibility Assistant service failed to perform the phase two initialization.
Error: (07/05/2011 04:42:32 PM) (Source: WMPNetworkSvc) (User: )
Description: 0x80070005
Error: (07/05/2011 04:42:32 PM) (Source: WMPNetworkSvc) (User: )
Description: 0x80070005
Error: (07/05/2011 04:42:28 PM) (Source: Service Control Manager) (User: )
Description: The MBAMService service depends on the MBAMProtector service which failed to start because of the following error:
%%2
Error: (07/05/2011 04:42:28 PM) (Source: Service Control Manager) (User: )
Description: The MBAMProtector service failed to start due to the following error:
%%2
Error: (07/04/2011 04:54:04 PM) (Source: Service Control Manager) (User: )
Description: The MBAMService service depends on the MBAMProtector service which failed to start because of the following error:
%%2
Error: (07/04/2011 04:54:04 PM) (Source: Service Control Manager) (User: )
Description: The MBAMProtector service failed to start due to the following error:
%%2
Error: (07/04/2011 04:53:29 PM) (Source: WMPNetworkSvc) (User: )
Description: 0x80070005
Error: (07/04/2011 04:53:29 PM) (Source: WMPNetworkSvc) (User: )
Description: 0x80070005
Error: (07/03/2011 08:50:29 PM) (Source: WMPNetworkSvc) (User: )
Description: 0x80070005
Microsoft Office Sessions:
=========================
Error: (01/16/2011 11:32:54 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 11 seconds with 0 seconds of active time. This session ended with a crash.
========================= End of Event log errors =========================
========================= Memory info: ====================================
Percentage of memory in use: 27%
Total physical RAM: 3032.61 MB
Available physical RAM: 2189.73 MB
Total Pagefile: 6061.45 MB
Available Pagefile: 5109.77 MB
Total Virtual: 2047.88 MB
Available Virtual: 1951.3 MB
======================= Partitions: =======================================
1 Drive c: () (Fixed) (Total:217.9 GB) (Free:176.88 GB) NTFS
2 Drive d: () (Fixed) (Total:65.09 GB) (Free:61.06 GB) NTFS
================= Users: ==================================================
User accounts for \\ALICIA
-------------------------------------------------------------------------------
Administrator Alicia Elouise Rose Guest
The command completed successfully.
================= End of Users ============================================
___________________________________________________
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org
Database version: 7027
Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514
05/07/2011 16:57:50
mbam-log-2011-07-05 (16-57-50).txt
Scan type: Quick scan
Objects scanned: 157657
Time elapsed: 3 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
___________________________________________________
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-05 17:42:00
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0
Running: 0hmsbhpx.exe; Driver: C:\Users\ALICIA~1\AppData\Local\Temp\pwldrpog.sys
---- System - GMER 1.0.15 ----
SSDT 8E94BEFE ZwCreateSection
SSDT 8E94BF03 ZwSetContextThread
SSDT 8E94BE9F ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwSaveKey + 13CD 82C7AA09 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82C9A512 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntoskrnl.exe!KeRemoveQueueEx + 14BF 82CA188C 4 Bytes [FE, BE, 94, 8E]
.text ntoskrnl.exe!KeRemoveQueueEx + 1860 82CA1C2D 3 Bytes [BF, 94, 8E]
.text ntoskrnl.exe!KeRemoveQueueEx + 1937 82CA1D04 4 Bytes [9F, BE, 94, 8E]
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] USER32.dll!CallNextHookEx 759EABE1 5 Bytes JMP 6A243CA7 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] USER32.dll!UnhookWindowsHookEx 759EADF9 5 Bytes JMP 6A2FD99B C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] USER32.dll!SetWindowsHookExW 759EE30C 5 Bytes JMP 6A297DD1 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] USER32.dll!CreateWindowExW 759EEC7C 5 Bytes JMP 6A2D3894 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] USER32.dll!DialogBoxParamW 75A03B9B 5 Bytes JMP 6A207F51 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] USER32.dll!DialogBoxIndirectParamW 75A13B7F 5 Bytes JMP 6A40DDA0 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] USER32.dll!DialogBoxParamA 75A2CF42 5 Bytes JMP 6A40DD3D C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] USER32.dll!DialogBoxIndirectParamA 75A2D274 5 Bytes JMP 6A40DE03 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] USER32.dll!MessageBoxIndirectA 75A3E869 5 Bytes JMP 6A40DCD2 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] USER32.dll!MessageBoxIndirectW 75A3E963 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] USER32.dll!MessageBoxIndirectW 75A3E963 5 Bytes JMP 6A40DC67 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] USER32.dll!MessageBoxExA 75A3E9C9 5 Bytes JMP 6A40DC05 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] USER32.dll!MessageBoxExW 75A3E9ED 5 Bytes JMP 6A40DBA3 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] ole32.dll!OleLoadFromStream 75E46143 5 Bytes JMP 6A40E0FE C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] ole32.dll!CoCreateInstance 75E89D0B 5 Bytes JMP 6A2D3422 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] WININET.dll!HttpAddRequestHeadersA 75C4DCD2 5 Bytes JMP 00386811
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] WININET.dll!HttpAddRequestHeadersW 75C54FAE 5 Bytes JMP 00386A1C
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] WS2_32.dll!closesocket 77673918 5 Bytes JMP 0177000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] WS2_32.dll!getaddrinfo 77674296 5 Bytes JMP 017A000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] WS2_32.dll!recv 77676B0E 5 Bytes JMP 0175000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] WS2_32.dll!connect 77676BDD 5 Bytes JMP 0176000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] WS2_32.dll!send 77676F01 5 Bytes JMP 0178000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1856] WS2_32.dll!gethostbyname 77687673 5 Bytes JMP 0179000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!CreateWindowExW 759EEC7C 5 Bytes JMP 6A2D3894 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!DialogBoxParamW 75A03B9B 5 Bytes JMP 6A207F51 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!DialogBoxIndirectParamW 75A13B7F 5 Bytes JMP 6A40DDA0 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!DialogBoxParamA 75A2CF42 5 Bytes JMP 6A40DD3D C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!DialogBoxIndirectParamA 75A2D274 5 Bytes JMP 6A40DE03 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!MessageBoxIndirectA 75A3E869 5 Bytes JMP 6A40DCD2 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!MessageBoxIndirectW 75A3E963 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!MessageBoxIndirectW 75A3E963 5 Bytes JMP 6A40DC67 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!MessageBoxExA 75A3E9C9 5 Bytes JMP 6A40DC05 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!MessageBoxExW 75A3E9ED 5 Bytes JMP 6A40DBA3 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] WININET.dll!HttpAddRequestHeadersA 75C4DCD2 5 Bytes JMP 006E6811
.text C:\Program Files\Internet Explorer\iexplore.exe[3604] WININET.dll!HttpAddRequestHeadersW 75C54FAE 5 Bytes JMP 006E6A1C
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\windows\System32\rundll32.exe[2928] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7550FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\windows\System32\rundll32.exe[2928] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7550FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\windows\System32\rundll32.exe[2928] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7550FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\windows\System32\rundll32.exe[2928] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7550FFF6] C:\windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
---- Threads - GMER 1.0.15 ----
Thread System [4:284] 86DC9E7A
Thread System [4:288] 86DCC008
---- EOF - GMER 1.0.15 ----
______________________________________________________________________________________________________________
I hope that's all okay. Let me know if I've mucked it up.
Regards
Andrew
This post has been edited by acra24: 05 July 2011 - 12:22 PM