
Virus disrupting my internet browsing


  • This topic is locked
4 replies to this topic

#1 timmackman

timmackman

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:39 AM

Posted 28 April 2010 - 11:59 PM

I have a customer who has problems with their internet browsing. Every few times they go to a website, or to different links even on the same website, they will get the Internet Explorer "page cannot be displayed" error like there is no internet connection, when the internet connection is fine. I was connected on my laptop to their network and didn't have a single problem. But the for-sure part where it does this is after she tries to log into her Hotmail email. She has to hit the refresh button like 3-4 times to finally get it to come up. And I know it's not an internet problem because for the past two days I've been remoted onto it with VNC and never got disconnected from VNC while duplicating the same problem.

I've run Malwarebytes, ComboFix, Rkill, AVG, Adaware, SuperAntispyware, Spybot. And they've all found their own different little infections; Malwarebytes was run first and found the most. But I've flushed DNS on that PC, cleared internet temp files, history, cookies, Windows Temp files, done a disk cleanup, rolled back IE8 to IE7, installed Firefox and tried it on there: same thing. Checked if there was a rogue proxy that hijacked IE or the network adaptor settings. Nothing. Kind of at a loss here.




GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-29 00:44:18
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Aubrey\LOCALS~1\Temp\kwldipog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0xB1DB2320]

---- Kernel code sections - GMER 1.0.15 ----

? C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS The system cannot find the file specified. !
? C:\Program Files\SUPERAntiSpyware\SASENUM.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2200] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2200] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 3E352141 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2200] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 3E352172 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2200] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E352046 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2200] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E351FC7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2200] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E35200B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2200] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E351F53 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2200] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E351F8D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2200] USER32.dll!DialogBoxIndirectParamA 7E456D7D 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[2200] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E352081 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2200] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E2017EA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2200] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E352243 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [620] 0x10000000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [2608] 0x00C90000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Control\Session Manager@PendingFileRenameOperations ???&?&??? ??????????????????????????????????????Dn??? ???????????????????????????? ??????????0??? ???????????????????????????????????????f??????????????????????PSched??ht????????????????????????????????????????????????????????????????s??????????????????????????????-??? ?????nre??? ??????????????????????????????????????????il??Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.????? ??????????????????multi(0)disk(0)rdisk(0)partition(1)????????? ??????????????????????????????????s??????????????????????????????????????????????????N???????????D??????%???????D??????????????????n1????????????????e?????????LocalSystem?????? ??????????????????? ????"???&??????????????????????????.??4???.NT??????????&??Provides a common interface and object model to access management information about operating system, devices, applications and ser
Reg HKLM\SYSTEM\ControlSet001\Control\Session Manager@PendingFileRenameOperations2 ?f? C:???????????T??????EC??%TEMP%\* /s?????????20000?????????????????????????????H?X??????4???????????????????? ??????? ???????????Disk drive????????B??????????????2??storprop.dll,IdePropPageProvider????? ??????????????e???Prefetch??????:??????i??????be??%SystemRoot%\repair\asr.log??n????:?????? ??????? ????6??????}?????????????????????????????????????????????????????????????2+?????1???????????????????????????????4?????????????????????????????????????????????????????????????????????????????SoundMAX Digital Audio??pr??Udfs?s???? ?????????????????4.2.2.2 4.2.2.2??????? ?????? ???????.??4.2.2.2 4.2.2.2???????????????????????? 4.??192.168.1.254??????????????????????????.1.??192.168.1.254?????????????????????????t.1.??USB?Co??????????????????? ??atapi_Inst_primary??????????????????????????????storprop.dll,IdePropPageProvider?????????????4???????????????3???h????B??????????????2??????????? ?????????r????mshdc.inf???mshdc.inf?????B??????????????2??????????????????????7-1-2001???????????????????????????????????????

---- EOF - GMER 1.0.15 ----

Edited by Orange Blossom, 13 May 2010 - 11:42 PM.
Move to log forum from AII. ~ OB
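The GMER log above mixes routine entries (an anti-spyware driver hooking the SSDT, AVG's TDI filter attached to Tcpip, Internet Explorer's own hooks into IEFRAME.dll) with two entries that deserve attention: a library GMER reports as hidden inside winlogon.exe and Explorer.EXE. The following is an added triage script, not part of this thread or of GMER, that parses the line shapes seen in this log and sorts entries into "info", "review" and "high". The regular expressions are written from the lines shown here, the BENIGN_OWNERS allowlist is a hypothetical analyst-maintained list, and the sample input is copied from the log posted above.

```python
import re
from dataclasses import dataclass

# Line shapes observed in the GMER 1.0.15 log posted in this thread.
SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
SSDT_RE = re.compile(r"^SSDT\s+(.+?)\s+(\w+)\s+\[(0x[0-9A-Fa-f]+)\]$")
INLINE_RE = re.compile(
    r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+!\S+)\s+([0-9A-Fa-f]+)\s+(\d+) Bytes?\s+JMP\s+"
    r"([0-9A-Fa-f]+)\s+(.+?)\s+\((.+)\)$"
)
DEVICE_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.+)\)$")
HIDDEN_RE = re.compile(
    r"^Library\s+(.+?)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(.+?)\s+\[(\d+)\]\s+(0x[0-9A-Fa-f]+)$"
)

# Assumption: an analyst-maintained allowlist of vendors whose hooks and
# filter drivers are expected on this machine (security products, the OS).
BENIGN_OWNERS = ("SUPERAntiSpyware", "AVG", "Microsoft Corporation")


@dataclass
class Finding:
    kind: str       # ssdt_hook, inline_hook, attached_device, hidden_module, unparsed
    severity: str   # info, review, high
    detail: str


def _owner_severity(owner: str) -> str:
    """Hooks from allowlisted vendors are informational; anything else is reviewed."""
    return "info" if any(o in owner for o in BENIGN_OWNERS) else "review"


def triage(text: str) -> list:
    """Classify each GMER log line; section headers and blank lines are skipped."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SECTION_RE.match(line):
            continue
        if m := SSDT_RE.match(line):
            driver, func, addr = m.groups()
            findings.append(Finding("ssdt_hook", _owner_severity(driver), f"{func} -> {driver} @ {addr}"))
        elif m := INLINE_RE.match(line):
            proc, pid, api, _addr, _n, _tgt, module, owner = m.groups()
            findings.append(Finding("inline_hook", _owner_severity(owner), f"{api} in {proc}[{pid}] -> {module} ({owner})"))
        elif m := DEVICE_RE.match(line):
            drv, dev, fname, owner = m.groups()
            findings.append(Finding("attached_device", _owner_severity(owner), f"{fname} on {drv} {dev} ({owner})"))
        elif m := HIDDEN_RE.match(line):
            module, host, pid, base = m.groups()
            # A module GMER cannot find in the process's own module list is a
            # classic injection/rootkit indicator and always needs a manual look.
            findings.append(Finding("hidden_module", "high", f"{module} hidden in {host}[{pid}] at {base}"))
        else:
            findings.append(Finding("unparsed", "review", line))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity so the analyst sees the shape of the log at a glance."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Sample input: lines copied from the GMER log posted in this thread.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0xB1DB2320]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2200] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E1DF4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2200] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E352243 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [620] 0x10000000
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [2608] 0x00C90000
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: ("high", "review", "info").index(f.severity)):
        print(f"[{f.severity:6}] {f.kind:16} {f.detail}")
    print(summarize(results))
```

Lines the parser does not recognise (for instance the single-byte `1 Byte [E9]` entry in the original log) are deliberately surfaced as "review" rather than dropped, so a new log format never silently hides an entry.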



#2 timmackman

timmackman
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:39 AM

Posted 29 April 2010 - 09:06 PM

hahah, 106 views and 0 replies. Guess I don't feel so bad for being puzzled.

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:39 AM

Posted 14 May 2010 - 06:13 PM

Topic was just moved to this forum since it was not posted in the correct forum and we did not know of a new topic being posted.

Do you still require help?

This topic will be closed if there is no response within 5 days.

Thanks and we apologize for the delay/overlooking your topic.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:39 AM

Posted 17 May 2010 - 08:41 PM

Hello.

Are you still there? Do you still require help?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 7 days from the last day I replied initially, the topic will need to be closed.

Thanks for understanding.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:39 AM

Posted 25 May 2010 - 03:18 PM

Hello.

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
