
Never thought it would happen to me!

No replies to this topic

#1 BlackGoku03
  • Members
  • 1 posts

Posted 26 January 2010 - 03:18 AM

Well, it happened. I got infected with something. That'll be the last time I let my brother in law use my laptop.

Every time I click a link through a search engine, I get redirected. I did have the Antivirus Security 2010 fake program but removed it successfully, as I've done on countless other computers. IE8 still gets redirected. Sometimes a random window will pop up. Not sure what to do. I used Malwarebytes Anti-Malware, SUPERAntiSpyware, and ComboFix. Also used Windows Defender and Microsoft Security Essentials.

I have Windows 7 Ultimate, 32 bit.

Here are logs from MBAM and a log from GMER. Tell me what I'm missing.

Thanks guys.




Malwarebytes' Anti-Malware 1.44
Database version: 3639
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

1/26/2010 3:12:00 AM
mbam-log-2010-01-26 (03-12-00).txt

Scan type: Quick Scan
Objects scanned: 105036
Time elapsed: 10 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-26 03:18:24
Windows 6.1.7600
Running: d20zngsr.exe; Driver: C:\Users\Freddy\AppData\Local\Temp\fwriqpog.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E49AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E49104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E493F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E322D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E31898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E491DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E49958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E496F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E49F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E4A1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A62579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A86F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text peauth.sys 96619C9D 28 Bytes [DE, 26, 1A, 2A, 5F, BC, DD, ...]
.text peauth.sys 96619CC1 28 Bytes [DE, 26, 1A, 2A, 5F, BC, DD, ...]
? C:\Users\Freddy\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!UnhookWindowsHookEx 7749CC7B 5 Bytes JMP 6C3F81D8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!CallNextHookEx 7749CC8F 5 Bytes JMP 6C3D9A6C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!CreateWindowExW 774A0E51 5 Bytes JMP 6C3E801F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!SetWindowsHookExW 774A210A 5 Bytes JMP 6C3946DB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!DialogBoxIndirectParamW 774C4AA7 5 Bytes JMP 6C50EDC0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!DialogBoxParamW 774C564A 5 Bytes JMP 6C304D5B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!DialogBoxParamA 774DCF6A 5 Bytes JMP 6C50ED5D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!DialogBoxIndirectParamA 774DD29C 5 Bytes JMP 6C50EE23 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!MessageBoxIndirectA 774EE8C9 5 Bytes JMP 6C50ECF2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!MessageBoxIndirectW 774EE9C3 5 Bytes JMP 6C50EC87 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!MessageBoxExA 774EEA29 5 Bytes JMP 6C50EC25 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] USER32.dll!MessageBoxExW 774EEA4D 5 Bytes JMP 6C50EBC3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] ole32.dll!OleLoadFromStream 75B45B88 5 Bytes JMP 6C50F137 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[148] ole32.dll!CoCreateInstance 75B957FC 5 Bytes JMP 6C3E8B0D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Windows\system32\svchost.exe[768] ole32.dll!CoCreateInstance 75B957FC 5 Bytes JMP 0031000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] USER32.dll!CreateWindowExW 774A0E51 5 Bytes JMP 6C3E801F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] USER32.dll!DialogBoxIndirectParamW 774C4AA7 5 Bytes JMP 6C50EDC0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] USER32.dll!DialogBoxParamW 774C564A 5 Bytes JMP 6C304D5B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] USER32.dll!DialogBoxParamA 774DCF6A 5 Bytes JMP 6C50ED5D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] USER32.dll!DialogBoxIndirectParamA 774DD29C 5 Bytes JMP 6C50EE23 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] USER32.dll!MessageBoxIndirectA 774EE8C9 5 Bytes JMP 6C50ECF2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] USER32.dll!MessageBoxIndirectW 774EE9C3 5 Bytes JMP 6C50EC87 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] USER32.dll!MessageBoxExA 774EEA29 5 Bytes JMP 6C50EC25 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2508] USER32.dll!MessageBoxExW 774EEA4D 5 Bytes JMP 6C50EBC3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\msiexec.exe[5584] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75795D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\msiexec.exe[5584] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75795D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\msiexec.exe[5584] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75795D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\msiexec.exe[5584] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75795D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\msiexec.exe[5584] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [75795D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\msiexec.exe[5584] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [75795D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

Edited by BlackGoku03, 26 January 2010 - 03:20 AM.
