BleepingComputer.com: Rootkit removal


Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.


If you have not received help after three days, please post a link to your topic HERE.

Rootkit removal

#1 User is offline   Farmboy60 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 6
  • Joined: 23-August 11

Posted 23 August 2011 - 12:00 PM

Hi,

I'm a novice user who is trying to remove a rootkit from my system.
I'm running Windows Vista and Internet Explorer.

I updated my Malwarebytes, AVG, and CCleaner; I've tried and deleted Avast, Panda, Ad-Aware and Superspy sweeper.

After combing the forums for a few days I've tried TDSSKiller, GMER and HijackThis. TDSSKiller did not find anything; GMER was not able to run completely before it was shut down (this has happened multiple times, and always when it starts scanning devices). I understand that I am not able to post my HijackThis log in this forum.

I would appreciate any assistance you could provide.

#2 User is offline   Blade 

  • Strong in the Bleepforce
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Site Admin
  • Posts: 10,238
  • Joined: 20-January 09
  • Gender:Male
  • Location:US

Posted 23 August 2011 - 12:05 PM

Hello.

Try the GMER scan again. This time, uncheck Devices.

Post the resultant log for me.

~Blade

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+

#3 User is offline   Farmboy60 

Posted 23 August 2011 - 02:09 PM

Hi Blade,

As requested, this is where we are so far.


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-23 15:08:10
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3360320AS rev.3.CHN
Running: rt60ln90.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\pwloapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xADA4C7A0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xADA4C848]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xADA4C8E4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xADA4C980]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 3F1 824E2B74 4 Bytes [A0, C7, A4, AD]
.text ntkrnlpa.exe!KeSetEvent + 621 824E2DA4 8 Bytes [48, C8, A4, AD, E4, C8, A4, ...]
.text ntkrnlpa.exe!KeSetEvent + 681 824E2E04 4 Bytes [80, C9, A4, AD] {OR CL, 0xa4; LODSD }
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xADA08300, 0x3ACC8, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xADA63300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!EnableWindow 756ECD8B 5 Bytes JMP 6B1798BC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!DialogBoxParamW 757110B0 5 Bytes JMP 6B0D15E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!DialogBoxIndirectParamW 75712EF5 5 Bytes JMP 6B2C5E8E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!DialogBoxParamA 75728152 5 Bytes JMP 6B2C5E29 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!DialogBoxIndirectParamA 7572847D 5 Bytes JMP 6B2C5EF3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!MessageBoxIndirectA 7573D4D9 5 Bytes JMP 6B2C5DB0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!MessageBoxIndirectW 7573D5D3 5 Bytes JMP 6B2C5D37 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!MessageBoxExA 7573D639 5 Bytes JMP 6B2C5CD3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!MessageBoxExW 7573D65D 5 Bytes JMP 6B2C5C6F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] kernel32.dll!CreateThread 7547CB2E 5 Bytes JMP 6B1371CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!SetWindowsHookExW 756E87AD 5 Bytes JMP 6B17204C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!CallNextHookEx 756E8E3B 5 Bytes JMP 6B197A4F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!UnhookWindowsHookEx 756E98DB 5 Bytes JMP 6B1BEA08 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!EnableWindow 756ECD8B 5 Bytes JMP 6B1798BC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DefWindowProcA 756EDB88 7 Bytes JMP 6B1393F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!CreateWindowExA 756EDC2A 2 Bytes JMP 6B143223 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!CreateWindowExA + 3 756EDC2D 2 Bytes [A5, F5] {MOVSD ; CMC }
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!CreateWindowExW 756F1305 5 Bytes JMP 6B19FE2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DefWindowProcW 757003B4 7 Bytes JMP 6B197AB2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DialogBoxParamW 757110B0 5 Bytes JMP 6B0D15E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DialogBoxIndirectParamW 75712EF5 5 Bytes JMP 6B2C5E8E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DialogBoxParamA 75728152 5 Bytes JMP 6B2C5E29 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DialogBoxIndirectParamA 7572847D 5 Bytes JMP 6B2C5EF3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!MessageBoxIndirectA 7573D4D9 5 Bytes JMP 6B2C5DB0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!MessageBoxIndirectW 7573D5D3 5 Bytes JMP 6B2C5D37 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!MessageBoxExA 7573D639 5 Bytes JMP 6B2C5CD3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!MessageBoxExW 7573D65D 5 Bytes JMP 6B2C5C6F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] ole32.dll!OleLoadFromStream 767B1E80 5 Bytes JMP 6B2C6676 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73957817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [739AA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7395BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7394F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [739575E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7394E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73988395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7395DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7394FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7394FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [739471CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [739DCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7397C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7394D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73946853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7394687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73952AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

#4 User is offline   Blade 

Posted 23 August 2011 - 03:49 PM

Hi.

That log is incomplete... did GMER finish running?

Before we go on, why do you believe there is a rootkit on your system? I should have asked this first.

~Blade

#5 User is offline   Farmboy60 

Posted 23 August 2011 - 07:30 PM

Hey Blade, this took a little longer than expected. Why a rootkit? I'm not sure what else it could be. I've run 4 virus programs and 3 spyware/malware programs and everything is clean, but I still am unable to access Google and YouTube. I used to be redirected to other sites, and now I can't access the sites at all.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-23 20:18:23
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3360320AS rev.3.CHN
Running: rt60ln90.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\pwloapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xADA4C7A0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xADA4C848]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xADA4C8E4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xADA4C980]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 3F1 824E2B74 4 Bytes [A0, C7, A4, AD]
.text ntkrnlpa.exe!KeSetEvent + 621 824E2DA4 8 Bytes [48, C8, A4, AD, E4, C8, A4, ...]
.text ntkrnlpa.exe!KeSetEvent + 681 824E2E04 4 Bytes [80, C9, A4, AD] {OR CL, 0xa4; LODSD }
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xADA08300, 0x3ACC8, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xADA63300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!EnableWindow 756ECD8B 5 Bytes JMP 6B1798BC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!DialogBoxParamW 757110B0 5 Bytes JMP 6B0D15E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!DialogBoxIndirectParamW 75712EF5 5 Bytes JMP 6B2C5E8E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!DialogBoxParamA 75728152 5 Bytes JMP 6B2C5E29 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!DialogBoxIndirectParamA 7572847D 5 Bytes JMP 6B2C5EF3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!MessageBoxIndirectA 7573D4D9 5 Bytes JMP 6B2C5DB0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!MessageBoxIndirectW 7573D5D3 5 Bytes JMP 6B2C5D37 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!MessageBoxExA 7573D639 5 Bytes JMP 6B2C5CD3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!MessageBoxExW 7573D65D 5 Bytes JMP 6B2C5C6F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] kernel32.dll!CreateThread 7547CB2E 5 Bytes JMP 6B1371CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!SetWindowsHookExW 756E87AD 5 Bytes JMP 6B17204C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!CallNextHookEx 756E8E3B 5 Bytes JMP 6B197A4F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!UnhookWindowsHookEx 756E98DB 5 Bytes JMP 6B1BEA08 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!EnableWindow 756ECD8B 5 Bytes JMP 6B1798BC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DefWindowProcA 756EDB88 7 Bytes JMP 6B1393F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!CreateWindowExA 756EDC2A 2 Bytes JMP 6B143223 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!CreateWindowExA + 3 756EDC2D 2 Bytes [A5, F5] {MOVSD ; CMC }
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!CreateWindowExW 756F1305 5 Bytes JMP 6B19FE2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DefWindowProcW 757003B4 7 Bytes JMP 6B197AB2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DialogBoxParamW 757110B0 5 Bytes JMP 6B0D15E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DialogBoxIndirectParamW 75712EF5 5 Bytes JMP 6B2C5E8E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DialogBoxParamA 75728152 5 Bytes JMP 6B2C5E29 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DialogBoxIndirectParamA 7572847D 5 Bytes JMP 6B2C5EF3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!MessageBoxIndirectA 7573D4D9 5 Bytes JMP 6B2C5DB0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!MessageBoxIndirectW 7573D5D3 5 Bytes JMP 6B2C5D37 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!MessageBoxExA 7573D639 5 Bytes JMP 6B2C5CD3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!MessageBoxExW 7573D65D 5 Bytes JMP 6B2C5C6F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] ole32.dll!OleLoadFromStream 767B1E80 5 Bytes JMP 6B2C6676 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73957817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [739AA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7395BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7394F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [739575E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7394E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73988395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7395DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7394FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7394FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [739471CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [739DCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7397C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7394D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73946853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7394687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73952AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
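Added example (my own script, not from the thread or from GMER): a Python triage pass over the log format above that applies Blade's check from #4, a GMER log counts as complete only if it ends with the EOF line, and then matches the bytes listed under Kernel code sections against the SSDT hook addresses; on this log the bytes at KeSetEvent + 3F1, + 621 and + 681 decode little-endian to 0xADA4C7A0, 0xADA4C848 and 0xADA4C980, the AVGIDSShim.Sys hooks already listed, so they are the same AV hooks rather than an independent patch. The sample log is a constructed excerpt of the one in this post, and the finding strings are my wording.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the GMER 1.0.15 log posted above (IAT section omitted).
SAMPLE_LOG = r"""GMER 1.0.15.15641 - http://www.gmer.net

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xADA4C7A0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xADA4C848]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xADA4C8E4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xADA4C980]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 3F1 824E2B74 4 Bytes [A0, C7, A4, AD]
.text ntkrnlpa.exe!KeSetEvent + 621 824E2DA4 8 Bytes [48, C8, A4, AD, E4, C8, A4, ...]
.text ntkrnlpa.exe!KeSetEvent + 681 824E2E04 4 Bytes [80, C9, A4, AD] {OR CL, 0xa4; LODSD }
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xADA08300, 0x3ACC8, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xADA63300, 0x1B7E, 0xE8000020]

---- EOF - GMER 1.0.15 ----
"""

# Line shapes as GMER 1.0.15 prints them.
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+\(.*?\)\s+(Zw\w+)\s+\[0x([0-9A-Fa-f]+)\]")
PATCH_RE = re.compile(r"^\.text\s+(\S+)\s*\+\s*([0-9A-Fa-f]+)\s+[0-9A-Fa-f]{8}\s+(\d+) Bytes\s+\[([^\]]*)\]")
WRITEABLE_RE = re.compile(r"^\.text\s+(\S+) section is writeable")
EOF_RE = re.compile(r"^---- EOF - GMER")

@dataclass
class KernelPatch:
    symbol: str      # nearest exported symbol GMER attributed the bytes to
    offset: int      # offset from that symbol
    nbytes: int      # number of modified bytes GMER reported
    dwords: list     # little-endian 32-bit values formed from the listed bytes
    truncated: bool  # GMER shortens long byte runs with "..."

@dataclass
class GmerReport:
    complete: bool = False
    ssdt_hooks: dict = field(default_factory=dict)   # Zw* name -> (module, hook address)
    kernel_patches: list = field(default_factory=list)
    writeable_sections: list = field(default_factory=list)

def _decode_bytes(listing):
    raw, truncated = [], False
    for tok in listing.split(","):
        tok = tok.strip()
        if tok == "...":
            truncated = True
        elif tok:
            raw.append(int(tok, 16))
    # Only full 4-byte groups are decoded; a truncated tail is left alone.
    dwords = [int.from_bytes(bytes(raw[i:i + 4]), "little") for i in range(0, len(raw) - 3, 4)]
    return dwords, truncated

def parse_gmer(text):
    report = GmerReport()
    for line in text.splitlines():
        line = line.strip()
        if EOF_RE.match(line):
            report.complete = True      # GMER writes this line only when the scan finished
        elif (m := SSDT_RE.match(line)):
            report.ssdt_hooks[m.group(2)] = (m.group(1), int(m.group(3), 16))
        elif (m := WRITEABLE_RE.match(line)):
            report.writeable_sections.append(m.group(1))
        elif (m := PATCH_RE.match(line)):
            dwords, trunc = _decode_bytes(m.group(4))
            report.kernel_patches.append(KernelPatch(m.group(1), int(m.group(2), 16), int(m.group(3)), dwords, trunc))
    return report

def triage(report):
    """The questions a helper asks before reading the rest of the log."""
    findings = []
    if not report.complete:
        findings.append("INCOMPLETE: no '---- EOF' line, GMER did not finish; rerun before judging")
    hook_by_addr = {addr: func for func, (_, addr) in report.ssdt_hooks.items()}
    for mod in sorted({mod for mod, _ in report.ssdt_hooks.values()}):
        funcs = sorted(f for f, (m, _) in report.ssdt_hooks.items() if m == mod)
        findings.append(f"SSDT: {mod} hooks {', '.join(funcs)}; verify it is the signed product it claims")
    for p in report.kernel_patches:
        where = f"{p.symbol}+{p.offset:X}"
        hits = [hook_by_addr[d] for d in p.dwords if d in hook_by_addr]
        if hits:
            findings.append(f"{where}: bytes are the SSDT hook address for {', '.join(hits)}; same hooker, not a second patch")
        else:
            findings.append(f"{where}: {p.nbytes} modified bytes match no SSDT hook; examine by hand")
    for sec in report.writeable_sections:
        findings.append(f"{sec}: writeable code section; identify the publisher before treating it as hostile")
    return findings
```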

#6 User is offline   Blade 

Posted 23 August 2011 - 07:50 PM

Hello.

Which security programs have you run? You mention a total of 7.

~Blade

#7 User is offline   Farmboy60 

Posted 24 August 2011 - 05:39 AM

Malwarebytes, Avira, AVG, Avast, Panda Cloud, Superspy sweeper, Ad-Aware

#8 User is offline   Farmboy60 

Posted 24 August 2011 - 05:41 AM

Also CCleaner.

#9 User is offline   Blade 

Posted 24 August 2011 - 08:07 AM

Hello.

Try this for me.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


~Blade


In your next reply, please include the following:
TDSSKiller Log


#10 User is offline   Farmboy60 

Posted 26 August 2011 - 06:32 AM

The TDSSKiller scan found nothing.

#11 User is offline   Blade 

Posted 26 August 2011 - 05:04 PM

Hello,

It appears that the issues on your system will require a more in-depth examination than can be performed in this forum. Please read the information in this guide, and follow all the steps beginning with step 6. After you have followed the steps in that guide, I would like you to start a new thread HERE and include a link to this thread.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. The MRT is very busy, so it could be several days (3-5 days is the average wait right now) before you receive a reply. But rest assured, help is on the way!

~Blade
