Strange Virus


14 replies to this topic

#1 jrizzle

jrizzle

  • Members
  • 64 posts

Posted 08 April 2010 - 04:56 PM

Hello, I seem to have run into the fake anti-virus that tells you the computer is infected. I managed to run SuperAntiSpyware and it removed some items. However, now none of my programs are recognized when you click on them (it asks what you want to open the program with), though I can still open Firefox by using "open with" and finding it in my C drive. I also still get a few pop-ups. How can I fix this?


Thanks for your time!


#2 jrizzle

jrizzle
  • Topic Starter

  • Members
  • 64 posts

Posted 08 April 2010 - 05:19 PM

Well, I seem to have been able to fix my "open with" problem, but I'd still like some help on making sure my computer is clean.

#3 jrizzle

jrizzle
  • Topic Starter

  • Members
  • 64 posts

Posted 10 April 2010 - 06:11 PM

I'm still getting pop-ups... can anyone help me?

#4 jrizzle

jrizzle
  • Topic Starter

  • Members
  • 64 posts

Posted 12 April 2010 - 01:36 AM

I made a topic a few days ago: http://www.bleepingcomputer.com/forums/t/308168/strange-virus/ but it was bumped by someone who could not help me. I didn't want you guys to think I was already being helped, so I decided to repost this. Sorry if it seems like I am impatient, but I have a lot of work piling up and want to be able to work on it as soon as possible. Thanks again for your time.

Merged topics. ~ OB

Edited by Orange Blossom, 12 April 2010 - 08:42 PM.


#5 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,947 posts

Posted 12 April 2010 - 08:44 PM

Hello jrizzle,

I've merged your topics and removed the hijacking posts. I'm alerting the first responders to your topic so you can receive appropriate assistance.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#6 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts

Posted 13 April 2010 - 06:49 AM

Can you please post the log from SuperAntiSpyware and also tell us what operating system you are running?
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#7 jrizzle

jrizzle
  • Topic Starter

  • Members
  • 64 posts

Posted 13 April 2010 - 02:32 PM

I am running Windows XP.

Here are two logs because the Paladin Antivirus kept coming back:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/08/2010 at 02:35 PM

Application Version : 4.34.1000

Core Rules Database Version : 4732
Trace Rules Database Version: 2499

Scan type : Complete Scan
Total Scan Time : 00:14:04

Memory items scanned : 473
Memory threats detected : 2
Registry items scanned : 4256
Registry threats detected : 6
File items scanned : 10125
File threats detected : 14

Trojan.Agent/Gen-Tiny[Pizar]
C:\WINDOWS\SYSTEM32\SRSVC.DLL
C:\WINDOWS\SYSTEM32\SRSVC.DLL

Trojan.Agent/Gen-RogueAV
C:\DOCUMENTS AND SETTINGS\A\LOCAL SETTINGS\APPLICATION DATA\AVE.EXE
C:\DOCUMENTS AND SETTINGS\A\LOCAL SETTINGS\APPLICATION DATA\AVE.EXE
C:\WINDOWS\Prefetch\AVE.EXE-1B14DD36.pf

Adware.Tracking Cookie
C:\Documents and Settings\A\Cookies\a@doubleclick[1].txt
C:\Documents and Settings\A\Cookies\a@yieldmanager[1].txt
C:\Documents and Settings\A\Cookies\a@invitemedia[2].txt
C:\Documents and Settings\A\Cookies\a@adserver.adtechus[1].txt
C:\Documents and Settings\A\Cookies\a@advertising[2].txt
C:\Documents and Settings\A\Cookies\a@atdmt[1].txt
C:\Documents and Settings\A\Cookies\a@ak[2].txt
C:\Documents and Settings\A\Cookies\a@content.yieldmanager[2].txt
C:\Documents and Settings\A\Cookies\a@ad.yieldmanager[1].txt
C:\Documents and Settings\A\Cookies\a@ad.yieldmanager[2].txt
C:\Documents and Settings\A\Cookies\a@rotator.adjuggler[1].txt

Trojan.Hugipon
HKLM\System\CURRENTCONTROLSET\SERVICES\6TO4\Parameters
HKLM\System\CURRENTCONTROLSET\SERVICES\6TO4\Parameters#ServiceDll

Rogue.MalwareDefense
HKU\S-1-5-21-1292428093-842925246-839522115-1004\Software\Malware Defense
HKLM\Software\Malware Defense

Rogue.PaladinAntivirus
HKU\S-1-5-21-1292428093-842925246-839522115-1004\Software\Paladin Antivirus
HKLM\Software\Paladin Antivirus


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/08/2010 at 07:35 PM

Application Version : 4.34.1000

Core Rules Database Version : 4732
Trace Rules Database Version: 2499

Scan type : Complete Scan
Total Scan Time : 00:26:46

Memory items scanned : 223
Memory threats detected : 0
Registry items scanned : 4302
Registry threats detected : 8
File items scanned : 9579
File threats detected : 31

Trojan.Dropper/Win-NV
HKLM\System\ControlSet001\Services\_VOIDtksmqibcrp
C:\WINDOWS\_VOIDTKSMQIBCRP\_VOIDD.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY__VOIDtksmqibcrp
HKLM\System\ControlSet002\Services\_VOIDtksmqibcrp
HKLM\System\ControlSet002\Enum\Root\LEGACY__VOIDtksmqibcrp
HKLM\System\CurrentControlSet\Services\_VOIDtksmqibcrp
HKLM\System\CurrentControlSet\Enum\Root\LEGACY__VOIDtksmqibcrp

Adware.Tracking Cookie
C:\Documents and Settings\A\Cookies\a@doubleclick[1].txt
C:\Documents and Settings\A\Cookies\a@yieldmanager[1].txt
C:\Documents and Settings\A\Cookies\a@invitemedia[2].txt
C:\Documents and Settings\A\Cookies\a@trafficmp[1].txt
C:\Documents and Settings\A\Cookies\a@adserver.adtechus[1].txt
C:\Documents and Settings\A\Cookies\a@google[1].txt
C:\Documents and Settings\A\Cookies\a@c5.zedo[1].txt
C:\Documents and Settings\A\Cookies\a@network.realmedia[1].txt
C:\Documents and Settings\A\Cookies\a@revenue[2].txt
C:\Documents and Settings\A\Cookies\a@zedo[2].txt
C:\Documents and Settings\A\Cookies\a@media.adfrontiers[1].txt
C:\Documents and Settings\A\Cookies\a@advertising[2].txt
C:\Documents and Settings\A\Cookies\a@realmedia[1].txt
C:\Documents and Settings\A\Cookies\a@lucidmedia[2].txt
C:\Documents and Settings\A\Cookies\a@serving-sys[2].txt
C:\Documents and Settings\A\Cookies\a@ad.zanox[1].txt
C:\Documents and Settings\A\Cookies\a@apmebf[2].txt
C:\Documents and Settings\A\Cookies\a@mediaplex[2].txt
C:\Documents and Settings\A\Cookies\a@atdmt[1].txt
C:\Documents and Settings\A\Cookies\a@revsci[1].txt
C:\Documents and Settings\A\Cookies\a@adbrite[1].txt
C:\Documents and Settings\A\Cookies\a@ak[2].txt
C:\Documents and Settings\A\Cookies\a@content.yieldmanager[2].txt
C:\Documents and Settings\A\Cookies\a@247realmedia[2].txt
C:\Documents and Settings\A\Cookies\a@zanox[1].txt
C:\Documents and Settings\A\Cookies\a@bs.serving-sys[1].txt
C:\Documents and Settings\A\Cookies\a@crackle[1].txt
C:\Documents and Settings\A\Cookies\a@media6degrees[2].txt
C:\Documents and Settings\A\Cookies\a@ad.yieldmanager[1].txt

Rogue.MalwareDefense
HKU\S-1-5-21-1292428093-842925246-839522115-1004\Software\Malware Defense

Rogue.PaladinAntivirus
HKU\S-1-5-21-1292428093-842925246-839522115-1004\Software\Paladin Antivirus

Trojan.Agent/Gen-MSFake
C:\DOCUMENTS AND SETTINGS\A\LOCAL SETTINGS\TEMP\_VOIDF6C1.TMP

I don't think I have the Paladin virus anymore, so I'm not sure if that is the problem. I do still get pop-ups, though.

#8 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts

Posted 13 April 2010 - 02:45 PM

Please click here and follow the removal instructions for Paladin Antivirus. Once you have run Malwarebytes, please post the log.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#9 jrizzle

jrizzle
  • Topic Starter

  • Members
  • 64 posts

Posted 13 April 2010 - 05:47 PM

Hm... MBAM worked fine before I ran rkill, but now I get an error that says "This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel." Anyway, like I said before, I think I got rid of the Paladin Antivirus already. However, I am still getting pop-ups from presumably some other source. It is this unknown source that I am trying to find/get rid of.


It seems that the error above is affecting other programs as well... did rkill do this? Or perhaps more malware....

#10 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts

Posted 14 April 2010 - 07:35 AM

Could you please post the log from MBAM?
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#11 jrizzle

jrizzle
  • Topic Starter

  • Members
  • 64 posts

Posted 14 April 2010 - 12:23 PM

These logs are from when I had the Paladin Antivirus:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

4/8/2010 8:25:01 PM
mbam-log-2010-04-08 (20-25-01).txt

Scan type: Full scan (C:\|)
Objects scanned: 134988
Time elapsed: 25 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 4
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\_VOID (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WEK9EMDHI9 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yvibbbha8c (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ewrgetuj (Worm.Prolaco.M) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\A\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\A\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\A\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\_VOIDtksmqibcrp (Rootkit.TDSS) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\_VOIDpovvqlpjwf.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_VOIDrowngjokci.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_VOIDsccmvmawmt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\_VOIDtleajnahho.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3974

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 6.0.2900.2180

4/11/2010 7:38:57 AM
mbam-log-2010-04-11 (07-38-57).txt

Scan type: Full scan (C:\|)
Objects scanned: 134417
Time elapsed: 39 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe" /START "firefox.exe -safe-mode") Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\A\Local Settings\Application Data\1521009742.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

However, now MBAM doesn't find anything even though I still get pop-ups.
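The two MBAM logs above record what the rogue changed and why the symptoms looked the way they did. The Python below is an added example, not part of this thread or of Malwarebytes' tooling: it parses that log line format, lists the repaired registry commands and which executable they pointed at, and maps each detection family to the symptom it accounts for. The sample lines are constructed from values in the logs above, and the SYMPTOM text is the editor's reading of those families.

```python
"""Triage of MBAM 1.x scan-log lines (added example, not Malwarebytes' own code).
Parses 'item (Family) -> [Bad: (...) Good: (...) ->] action' lines and maps each
detection family to the user-visible symptom it explains."""
import re
from collections import Counter

# Constructed sample in the MBAM 1.45 format; values mirror the logs above.
SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\A\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\_VOIDpovvqlpjwf.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

LINE_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[\w.]+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?"
    r"(?P<action>.+?)\.?$"
)

# Editor's reading of what each family means for the behaviour reported above.
SYMPTOM = {
    "Hijack.ExeFile": "the .exe association is redirected, so every program launch "
                      "is intercepted ('what do you want to open this with?')",
    "Rogue.MultipleAV": "bogus 'secfile' handler the rogue AV registered for itself",
    "Hijack.StartMenuInternet": "Start Menu browser entry runs the rogue binary, "
                                "which then starts the real browser",
    "Disabled.SecurityCenter": "Security Center warnings silenced so the user is "
                               "not told protection is off",
    "Rootkit.TDSS": "kernel-mode rootkit component; user-mode cleanup alone is "
                    "not enough",
}

def parse_mbam_log(text):
    """One dict per detection line; section headers and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def family_counts(records):
    return Counter(r["family"] for r in records)

def hijacked_commands(records):
    """(registry item, bad value, good value) for each entry MBAM repaired."""
    return [(r["item"], r["bad"], r["good"]) for r in records if r["bad"] is not None]

def rogue_binaries(records):
    """Basenames of the executables the hijacked commands pointed at."""
    names = set()
    for _, bad, _ in hijacked_commands(records):
        m = re.match(r'"([^"]+)"', bad)   # quoted program path at the start of the command
        if m:
            names.add(m.group(1).rsplit("\\", 1)[-1].lower())
    return names

def explain(records):
    """Map every detected family to the symptom it accounts for."""
    return {fam: SYMPTOM.get(fam, "no mapping") for fam in family_counts(records)}
```

Run parse_mbam_log() on a pasted log, then explain() and rogue_binaries() on the result to see which findings account for which symptom.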

#12 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts

Posted 14 April 2010 - 12:31 PM

Please download GMER from one of the following locations and save it to your desktop:

* Main Mirror
This version will download a randomly named file (Recommended)
* Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

* Disconnect from the Internet and close all running programs.
* Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
* Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
* Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

* GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (Do not use the computer while the scan is in progress.)
* If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... click NO.
* Now click the Scan button. If you see a rootkit warning window, click OK.
* When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
* Click the Copy button and paste the results into your next reply.
* Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

Please download mbr.exe and save it to your desktop.
Double-click on mbr.exe to run it (if you use Windows Vista or 7, right-click on the file and select "run as administrator").
You will see a command window flashing and afterwards you can find the log on the desktop (mbr.log).
Please post its contents in your next reply.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#13 jrizzle

jrizzle
  • Topic Starter

  • Members
  • 64 posts

Posted 15 April 2010 - 07:06 AM

GMER log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-15 04:57:46
Windows 5.1.2600 Service Pack 2
Running: he46e6n3.exe; Driver: C:\DOCUME~1\A\LOCALS~1\Temp\pxtdrpog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB7020670]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB0CC4320]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB70207C0]
SSDT \??\C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB7020860]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\ohci1394.sys entry point in ".rsrc" section [0xBA8C3E94]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB86D1360, 0x303CE7, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[896] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 009F000A
.text C:\WINDOWS\Explorer.EXE[896] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00AD000A
.text C:\WINDOWS\Explorer.EXE[896] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 009E000C
.text C:\WINDOWS\System32\svchost.exe[1700] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 0081000A
.text C:\WINDOWS\System32\svchost.exe[1700] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 0082000A
.text C:\WINDOWS\System32\svchost.exe[1700] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 0080000C
.text C:\WINDOWS\System32\svchost.exe[1700] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 010D000A
.text C:\WINDOWS\System32\svchost.exe[1700] ole32.dll!CoCreateInstance 7750055E 5 Bytes JMP 00FD000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat 9C504C8A
Device \FileSystem\Fastfat \Fat 9C4FD60A

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device -> \Driver\atapi \Device\Harddisk0\DR0 89CDCAC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ohci1394.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#14 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts

Posted 15 April 2010 - 07:13 AM

In your GMER scan, I do see signs of a rootkit infection. Rootkits require tools which are not permitted in this forum. So, at this point, this one is best left to the experts, and I'm going to refer you to the Virus, Trojan, Spyware, and Malware Removal Logs Forum.

Please read the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help in cleaning your computer. Once complete, post a link back to this forum so the MRT team knows what we have tried.

Please be patient, as the MRT team is quite busy sometimes and it may take a day or even a few for someone to pick up your log, but someone will get back to you.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca
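Which lines in the GMER log above count as rootkit signs? The Python below is an added example, not part of this thread or of GMER, written as a defender's triage of that log format: it splits the log into its sections, treats SSDT hooks owned by the products the log shows installed (AVG, SUPERAntiSpyware) as expected, and flags files reported as "suspicious modification" together with inline user-mode hooks whose jump target is a bare address. The sample is a shortened excerpt constructed from the log above; that GMER appends the target module path when it can resolve one is an assumption, stated again in the code.

```python
"""Triage of a GMER 1.0.15 log (added example, not part of the thread or of GMER).
Splits the '---- Section ----' blocks and separates hooks GMER attributes to an
installed security product from the entries read above as rootkit signs."""
import re

# Constructed excerpt in the format of the GMER log above (paths shortened).
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-15 04:57:46

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\AVG\AVG9\AVGIDSShim.sys (IDS Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB7020670]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB0CC4320]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[896] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 009F000A
.text C:\WINDOWS\System32\svchost.exe[1700] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 0082000A

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ohci1394.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# Products known to be installed on this machine (AVG and SUPERAntiSpyware appear
# in the log above); SSDT hooks owned by anyone else are flagged as unknown.
KNOWN_VENDORS = ("AVG Technologies", "SUPERAntiSpyware")

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT (?P<driver>.+?) \((?P<desc>.*)\) (?P<func>\w+) \[(?P<addr>0x[0-9A-F]+)\]$")
HOOK_RE = re.compile(r"^\.text (?P<proc>.+?\[\d+\]) (?P<func>\S+) [0-9A-F]+ \d+ Bytes JMP (?P<to>\S+)(?P<rest>.*)$")
FILE_RE = re.compile(r"^File (?P<path>.+?) suspicious modification$")

def split_sections(text):
    """Map section name -> its non-blank lines."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line)
    return sections

def triage(text):
    """Sort the findings into expected (vendor) hooks and suspicious entries."""
    s = split_sections(text)
    out = {"vendor_hooks": [], "unknown_ssdt": [], "anon_user_hooks": [], "modified_files": []}
    for line in s.get("System", []):
        m = SSDT_RE.match(line)
        if m and any(v in m.group("desc") for v in KNOWN_VENDORS):
            out["vendor_hooks"].append(m.group("func"))
        elif m:
            out["unknown_ssdt"].append((m.group("func"), m.group("driver")))
    for line in s.get("User code sections", []):
        m = HOOK_RE.match(line)
        # Assumption: GMER appends the target module path when the jump lands in
        # one; a bare address with nothing after it is unbacked (injected) memory.
        if m and not m.group("rest").strip():
            out["anon_user_hooks"].append((m.group("proc"), m.group("func"), m.group("to")))
    for line in s.get("Files", []):
        m = FILE_RE.match(line)
        if m:
            out["modified_files"].append(m.group("path"))
    return out
```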

#15 jrizzle

jrizzle
  • Topic Starter

  • Members
  • 64 posts

Posted 15 April 2010 - 07:38 PM

Ok. Thanks tech.
