Google Results Redirected/Hijacked.


  • This topic is locked
5 replies to this topic

#1 Pritz

Pritz

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:53 PM

Posted 16 May 2010 - 01:29 PM

Just had a bunch load of viruses removed like 2-3 weeks ago, except one. It is a .sys file (yrbbz.sys) in the drivers folder, and when I try to delete it there is an error saying "Cannot read from source file or disk". Now all of my Google search results are getting hijacked 9 out of 10 times.
Below is the DDS report and the GMER report.

Please help me as I use my computer for everything and I don't want to reformat the drive.....

This is DDS report.....

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
DDS (Ver_10-03-17.01) - NTFSx86
Run by Ganesh at 12:56:50.68 on Sun 05/16/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2430.1480 [GMT -5:00]


============== Running Processes ===============

E:\Windows\system32\wininit.exe
E:\Windows\system32\lsm.exe
E:\Windows\system32\svchost.exe -k DcomLaunch
E:\Windows\system32\svchost.exe -k RPCSS
E:\Windows\system32\Ati2evxx.exe
E:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
E:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
E:\Windows\system32\svchost.exe -k netsvcs
E:\Windows\system32\svchost.exe -k LocalService
E:\Windows\system32\Ati2evxx.exe
E:\Windows\system32\svchost.exe -k NetworkService
E:\Program Files\Alwil Software\Avast5\AvastSvc.exe
E:\Program Files\Alwil Software\Avast5\afwServ.exe
E:\Windows\system32\Dwm.exe
E:\Windows\Explorer.EXE
E:\Program Files\Synaptics\SynTP\SynTPEnh.exe
E:\Windows\WindowsMobile\wmdc.exe
E:\Program Files\Alwil Software\Avast5\AvastUI.exe
E:\Program Files\DivX\DivX Update\DivXUpdate.exe
E:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\Program Files\Synaptics\SynTP\SynTPHelper.exe
E:\Program Files\Synaptics\SynTP\SynToshiba.exe
E:\Users\Ganesh\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
E:\Program Files\Windows Sidebar\sidebar.exe
E:\Windows\System32\spoolsv.exe
E:\Windows\system32\taskhost.exe
E:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
E:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
E:\Windows\system32\svchost.exe -k imgsvc
E:\Windows\system32\SearchIndexer.exe
E:\Windows\system32\svchost.exe -k WindowsMobile
E:\Program Files\Windows Media Player\wmpnetwk.exe
E:\Windows\system32\SearchProtocolHost.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Windows\System32\svchost.exe -k LocalServicePeerNet
E:\Windows\System32\mobsync.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Internet Explorer\iexplore.exe
"E:\Windows\System32\svchost.exe"
E:\Program Files\SopCast\adv\SopAdver.exe
E:\Windows\system32\conhost.exe
E:\Windows\explorer.exe
E:\Windows\system32\SearchFilterHost.exe
E:\Users\Ganesh\Desktop\dds.scr
E:\Windows\system32\conhost.exe
E:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: ToolbarURLSearchHook Class: {ca3eb689-8f09-4026-aa10-b9534c691ce0} - e:\program files\search toolbar\tbhelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: TBSB05974 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - e:\program files\search toolbar\tbcore3.dll
TB: Search Toolbar: {0c8413c1-fad1-446c-8584-be50576f863e} - e:\program files\search toolbar\tbcore3.dll
uRun: [SansaDispatch] e:\users\ganesh\appdata\roaming\sandisk\sansa updater\SansaDispatch.exe
uRun: [Sidebar] e:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [SynTPEnh] e:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QuickTime Task] "e:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "e:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
mRun: [avast5] "e:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [DivXUpdate] "e:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "e:\program files\common files\java\java update\jusched.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: Add to Google Photos Screensa&ver - e:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - e:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - e:\windows\windowsmobile\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} - hxxp://www.vexcast.com/download/vexcast.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

================= FIREFOX ===================

FF - ProfilePath - e:\users\ganesh\appdata\roaming\mozilla\firefox\profiles\wxmphqh2.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=
FF - plugin: e:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: e:\program files\google\picasa3\npPicasa3.dll
FF - plugin: e:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: e:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: e:\program files\tvuplayer\npTVUAx.dll
FF - plugin: e:\program files\veetle\player\npvlc.dll
FF - plugin: e:\program files\veetle\plugins\npVeetle.dll
FF - plugin: e:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: e:\users\ganesh\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: e:\users\ganesh\appdata\roaming\mozilla\firefox\profiles\wxmphqh2.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
e:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
e:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
e:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 aswNdis;avast! Firewall NDIS Filter Service;e:\windows\system32\drivers\aswNdis.sys [2010-5-9 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;e:\windows\system32\drivers\aswNdis2.sys [2010-5-9 190416]
R1 aswFW;avast! TDI Firewall driver;e:\windows\system32\drivers\aswFW.sys [2010-5-9 99280]
R1 aswSnx;aswSnx;e:\windows\system32\drivers\aswSnx.sys [2010-5-9 307280]
R1 aswSP;aswSP;e:\windows\system32\drivers\aswSP.sys [2010-1-4 164048]
R1 vwififlt;Virtual WiFi Filter Driver;e:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 aswFsBlk;aswFsBlk;e:\windows\system32\drivers\aswFsBlk.sys [2010-1-4 19024]
R2 aswMonFlt;aswMonFlt;e:\windows\system32\drivers\aswMonFlt.sys [2010-1-4 51792]
R2 avast! Antivirus;avast! Antivirus;e:\program files\alwil software\avast5\AvastSvc.exe [2010-5-9 40384]
R2 avast! Firewall;avast! Firewall;e:\program files\alwil software\avast5\afwServ.exe [2010-5-9 119200]
R2 cpuz132;cpuz132;e:\windows\system32\drivers\cpuz132_x32.sys [2010-1-17 17056]
R3 avast! Mail Scanner;avast! Mail Scanner;e:\program files\alwil software\avast5\AvastSvc.exe [2010-5-9 40384]
R3 avast! Web Scanner;avast! Web Scanner;e:\program files\alwil software\avast5\AvastSvc.exe [2010-5-9 40384]
R3 RTL8167;Realtek 8167 NT Driver;e:\windows\system32\drivers\Rt86win7.sys [2010-3-4 277536]
R3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;e:\windows\system32\drivers\RTL8187B.sys [2009-11-5 376832]
S2 gupdate;Google Update Service (gupdate);e:\program files\google\update\GoogleUpdate.exe [2010-5-5 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;e:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 SUPERWEBCAM;SuperWebcam, WDM Virtual Video Capture Device;e:\windows\system32\drivers\superwebcam.sys [2009-11-9 31872]

=============== Created Last 30 ================

2010-05-15 22:58:41 0 d-----w- e:\programdata\Sun
2010-05-15 22:58:24 411368 ----a-w- e:\windows\system32\deployJava1.dll
2010-05-15 17:42:13 0 d-----w- e:\program files\CCleaner
2010-05-14 23:48:54 0 d-----w- e:\windows\system32\appmgmt
2010-05-14 23:43:46 0 d-----w- e:\programdata\DivX
2010-05-14 23:19:53 740864 ----a-w- e:\windows\system32\inetcomm.dll
2010-05-10 23:18:40 0 d-----w- E:\Output Files
2010-05-10 23:16:48 0 d-----w- e:\windows\system32\tempdir
2010-05-10 23:16:47 1503232 ----a-w- e:\windows\system32\ptj.exe
2010-05-10 23:16:47 1103360 ----a-w- e:\windows\system32\cidfont.dll
2010-05-10 23:16:46 4369408 ----a-w- e:\windows\system32\pdftk.exe
2010-05-10 23:16:46 235008 ----a-w- e:\windows\system32\office.exe
2010-05-10 23:16:45 0 d-----w- e:\program files\office Convert Pdf to Jpg Jpeg Tiff Free
2010-05-09 18:06:17 0 d-----w- e:\program files\Search Toolbar
2010-05-09 18:00:13 307280 ----a-w- e:\windows\system32\drivers\aswSnx.sys
2010-05-09 18:00:09 99280 ----a-w- e:\windows\system32\drivers\aswFW.sys
2010-05-09 17:59:40 190416 ----a-w- e:\windows\system32\drivers\aswNdis2.sys
2010-05-09 17:58:45 12112 ----a-w- e:\windows\system32\drivers\aswNdis.sys
2010-05-09 17:58:39 0 d-----w- e:\programdata\Alwil Software
2010-05-09 17:42:55 84992 ----a-w- e:\windows\system32\drivers\sdbus.sys
2010-05-09 17:42:55 12800 ----a-w- e:\windows\system32\drivers\sffp_sd.sys
2010-05-09 17:42:49 133720 ----a-w- e:\windows\system32\drivers\ksecpkg.sys
2010-05-09 17:42:49 1037312 ----a-w- e:\windows\system32\lsasrv.dll
2010-05-09 17:42:47 194488 ----a-w- e:\windows\system32\drivers\fvevol.sys
2010-05-05 02:52:43 0 d-----w- e:\programdata\TVU Networks
2010-05-05 02:52:32 0 d-----w- e:\program files\TVUPlayer
2010-04-26 22:04:42 353592 ----a-w- e:\windows\system32\DivXControlPanelApplet.cpl
2010-04-25 15:40:13 0 d-----w- e:\users\ganesh\appdata\roaming\Malwarebytes
2010-04-25 15:36:58 452 --sha-r- e:\users\ganesh\ntuser.pol
2010-04-24 19:31:15 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2010-04-24 19:31:11 20952 ----a-w- e:\windows\system32\drivers\mbam.sys
2010-04-24 19:31:11 0 d-----w- e:\programdata\Malwarebytes
2010-04-24 19:31:10 0 d-----w- e:\program files\Malwarebytes' Anti-Malware
2010-04-24 19:03:47 823808 ----a-w- e:\windows\system32\drivers\yrbbz.sys

==================== Find3M ====================

2010-05-06 20:34:10 51792 ----a-w- e:\windows\system32\drivers\aswMonFlt.sys
2010-04-24 19:28:02 43088 ----a-w- e:\windows\system32\drivers\pcw.sys
2010-03-21 05:14:38 6656 ----a-w- e:\windows\system32\lpcio.dll
2010-03-14 15:47:08 34569 ----a-w- e:\windows\system32\uninstall.exe
2010-03-08 21:33:56 427520 ----a-w- e:\windows\system32\vbscript.dll
2010-03-08 17:59:18 94208 ----a-w- e:\windows\system32\dpl100.dll
2010-02-27 12:07:48 3954568 ----a-w- e:\windows\system32\ntkrnlpa.exe
2010-02-27 12:07:48 3899280 ----a-w- e:\windows\system32\ntoskrnl.exe
2010-02-24 15:16:06 181632 ------w- e:\windows\system32\MpSigStub.exe
2010-02-23 07:56:00 977920 ----a-w- e:\windows\system32\wininet.dll
2010-02-19 23:47:50 3604480 ----a-w- e:\windows\system32\GPhotos.scr
2009-07-14 04:56:42 31548 ----a-w- e:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- e:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- e:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- e:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- e:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- e:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- e:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- e:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- e:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- e:\windows\fonts\StaticCache.dat
2010-01-22 04:40:47 245760 --sha-w- e:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- e:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 12:58:13.21 ===============

GMER report-------------------
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-16 13:14:22
Windows 6.1.7600
Running: gmer.exe; Driver: E:\Users\Ganesh\AppData\Local\Temp\ffryapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwAlpcSendWaitReceivePort [0x8A18DF36]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateEvent [0x8A18D8FC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateEventPair [0x8A18D954]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateIoCompletion [0x8A18DA6A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateMutant [0x8A18D852]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateSection [0x8A18D9A4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateSemaphore [0x8A18D8A6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwCreateTimer [0x8A18DA18]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwLoadDriver [0x8A18BD0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenEvent [0x8A18D92C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenEventPair [0x8A18D97C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenIoCompletion [0x8A18DA94]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenMutant [0x8A18D87E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenSection [0x8A18D9E4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenSemaphore [0x8A18D8D4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwOpenTimer [0x8A18DA42]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwQueryObject [0x8A18C832]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwReplyWaitReceivePort [0x8A18E310]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwReplyWaitReceivePortEx [0x8A18DF0A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwSetSystemInformation [0x8A18BD66]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwShutdownSystem [0x8A18BE76]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/ALWIL Software) ZwSystemDebugControl [0x8A18BE88]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82820AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82820104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828203F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828092D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82808898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828201DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82820958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828206F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82820F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 828211A8

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x89815AC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82880599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 828A4F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 28C 828AC79C 4 Bytes [36, DF, 18, 8A]
.text ntkrnlpa.exe!RtlSidHashLookup + 2F0 828AC800 8 Bytes [FC, D8, 18, 8A, 54, D9, 18, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 2FC 828AC80C 4 Bytes [6A, DA, 18, 8A]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 828AC828 4 Bytes [52, D8, 18, 8A]
.text ntkrnlpa.exe!RtlSidHashLookup + 340 828AC850 8 Bytes [A4, D9, 18, 8A, A6, D8, 18, ...]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82A45FA7 5 Bytes JMP 89811536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82A5FCA7 5 Bytes JMP 89812F28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82B17EAA 7 Bytes JMP 89815ACA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
? System32\drivers\gnro.sys The system cannot find the path specified. !
? System32\Drivers\yrbbz.sys A device attached to the system is not functioning. !
.text E:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F210000, 0x23097E, 0xE8000020]
.text peauth.sys 9B618C9D 28 Bytes CALL 17D5BC67
.text peauth.sys 9B618CC1 28 Bytes CALL 17D5BC8B

---- User code sections - GMER 1.0.15 ----

.text E:\Windows\system32\svchost.exe[1068] ntdll.dll!NtProtectVirtualMemory 77455360 5 Bytes JMP 0025000A
.text E:\Windows\system32\svchost.exe[1068] ntdll.dll!NtWriteVirtualMemory 77455EE0 5 Bytes JMP 0026000A
.text E:\Windows\system32\svchost.exe[1068] ntdll.dll!KiUserExceptionDispatcher 77456448 5 Bytes JMP 0016000A
.text E:\Windows\system32\svchost.exe[1068] ole32.dll!CoCreateInstance 76FC57FC 5 Bytes JMP 00A9000A
.text E:\Program Files\Mozilla Firefox\firefox.exe[1104] ntdll.dll!NtProtectVirtualMemory 77455360 5 Bytes JMP 0039000A
.text E:\Program Files\Mozilla Firefox\firefox.exe[1104] ntdll.dll!NtWriteVirtualMemory 77455EE0 5 Bytes JMP 003A000A
.text E:\Program Files\Mozilla Firefox\firefox.exe[1104] ntdll.dll!KiUserExceptionDispatcher 77456448 5 Bytes JMP 0037000A
.text E:\Program Files\Mozilla Firefox\firefox.exe[1104] ntdll.dll!LdrLoadDll 7746F585 5 Bytes JMP 012813F0 E:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text E:\Windows\explorer.exe[1272] ntdll.dll!NtProtectVirtualMemory 77455360 5 Bytes JMP 001A000A
.text E:\Windows\explorer.exe[1272] ntdll.dll!NtWriteVirtualMemory 77455EE0 5 Bytes JMP 001B000A
.text E:\Windows\explorer.exe[1272] ntdll.dll!KiUserExceptionDispatcher 77456448 5 Bytes JMP 0019000A
.text E:\Windows\Explorer.EXE[1744] ntdll.dll!NtProtectVirtualMemory 77455360 5 Bytes JMP 0059000A
.text E:\Windows\Explorer.EXE[1744] ntdll.dll!NtWriteVirtualMemory 77455EE0 5 Bytes JMP 005A000A
.text E:\Windows\Explorer.EXE[1744] ntdll.dll!KiUserExceptionDispatcher 77456448 5 Bytes JMP 0058000A
.text E:\Program Files\Internet Explorer\iexplore.exe[3604] ntdll.dll!NtProtectVirtualMemory 77455360 5 Bytes JMP 015A000A
.text E:\Program Files\Internet Explorer\iexplore.exe[3604] ntdll.dll!NtWriteVirtualMemory 77455EE0 5 Bytes JMP 015B000A
.text E:\Program Files\Internet Explorer\iexplore.exe[3604] ntdll.dll!KiUserExceptionDispatcher 77456448 5 Bytes JMP 002D000A
.text E:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!UnhookWindowsHookEx 76EACC7B 5 Bytes JMP 6F8F82FA E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!CallNextHookEx 76EACC8F 5 Bytes JMP 6F8D9D00 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!CreateWindowExW 76EB0E51 5 Bytes JMP 6F8E80F7 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!SetWindowsHookExW 76EB210A 5 Bytes JMP 6F8945DB E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!DialogBoxIndirectParamW 76ED4AA7 5 Bytes JMP 6FA0F218 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!DialogBoxParamW 76ED564A 5 Bytes JMP 6F804B7F E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!DialogBoxParamA 76EECF6A 5 Bytes JMP 6FA0F1B5 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!DialogBoxIndirectParamA 76EED29C 5 Bytes JMP 6FA0F27B E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!MessageBoxIndirectA 76EFE8C9 5 Bytes JMP 6FA0F14A E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!MessageBoxIndirectW 76EFE9C3 5 Bytes JMP 6FA0F0DF E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!MessageBoxExA 76EFEA29 5 Bytes JMP 6FA0F07D E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3604] USER32.dll!MessageBoxExW 76EFEA4D 5 Bytes JMP 6FA0F01B E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3604] ole32.dll!OleLoadFromStream 76F75B88 5 Bytes JMP 6FA0F576 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3604] ole32.dll!CoCreateInstance 76FC57FC 5 Bytes JMP 6F8E8BE5 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3952] ntdll.dll!NtProtectVirtualMemory 77455360 5 Bytes JMP 002A000A
.text E:\Program Files\Internet Explorer\iexplore.exe[3952] ntdll.dll!NtWriteVirtualMemory 77455EE0 5 Bytes JMP 003B000A
.text E:\Program Files\Internet Explorer\iexplore.exe[3952] ntdll.dll!KiUserExceptionDispatcher 77456448 5 Bytes JMP 0029000A
.text E:\Program Files\Internet Explorer\iexplore.exe[3952] USER32.dll!CreateWindowExW 76EB0E51 5 Bytes JMP 6F8E80F7 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3952] USER32.dll!DialogBoxIndirectParamW 76ED4AA7 5 Bytes JMP 6FA0F218 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3952] USER32.dll!DialogBoxParamW 76ED564A 5 Bytes JMP 6F804B7F E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3952] USER32.dll!DialogBoxParamA 76EECF6A 5 Bytes JMP 6FA0F1B5 E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3952] USER32.dll!DialogBoxIndirectParamA 76EED29C 5 Bytes JMP 6FA0F27B E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3952] USER32.dll!MessageBoxIndirectA 76EFE8C9 5 Bytes JMP 6FA0F14A E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3952] USER32.dll!MessageBoxIndirectW 76EFE9C3 5 Bytes JMP 6FA0F0DF E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3952] USER32.dll!MessageBoxExA 76EFEA29 5 Bytes JMP 6FA0F07D E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text E:\Program Files\Internet Explorer\iexplore.exe[3952] USER32.dll!MessageBoxExW 76EFEA4D 5 Bytes JMP 6FA0F01B E:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
? E:\Windows\System32\svchost.exe[4396] image checksum mismatch; time/date stamp mismatch;

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85D224E0

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswFW.SYS (avast! Filtering TDI driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000058 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswFW.SYS (avast! Filtering TDI driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 85FFACEC

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\yrbbz@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\yrbbz@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\yrbbz@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\yrbbz@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\yrbbz@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\yrbbz@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\yrbbz@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\services\yrbbz@Group Boot Bus Extender

---- Files - GMER 1.0.15 ----

File E:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
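The Registry and Files sections of the log above are the part worth reading closely: `yrbbz` is registered with Type 1 (kernel driver), Start 0 (boot start), ErrorControl 0 (load errors ignored) in the Boot Bus Extender group, in both CurrentControlSet and ControlSet002, and GMER reports atapi.sys as modified. The script below is an added example (not code from this thread or from GMER) that parses those two line formats and flags exactly that combination. The sample log is constructed from the lines posted above, and the allowlist of legitimate Boot Bus Extender service names is an assumption for illustration only.

```python
"""Triage a GMER 1.0.15 text log for boot-start driver services and files
GMER reports as modified. Added example for this thread; not part of GMER
or of any post here."""
import re
from collections import defaultdict

# Constructed sample input: the Registry and Files sections of the log
# posted above, reproduced as a string so the example runs offline.
SAMPLE_LOG = r"""
---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\yrbbz@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\yrbbz@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\yrbbz@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\yrbbz@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\yrbbz@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\yrbbz@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\yrbbz@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\services\yrbbz@Group Boot Bus Extender

---- Files - GMER 1.0.15 ----

File E:\Windows\system32\drivers\atapi.sys suspicious modification
"""

# Assumption: an illustrative allowlist of service names that legitimately
# belong to the "Boot Bus Extender" load-order group on Windows 7. It is not
# complete; in practice compare against a known-clean build of the same OS.
KNOWN_BOOT_BUS_EXTENDERS = {"acpi", "msisadrv", "pci", "vdrvroot"}

# Service-control constants as GMER prints them (decimal registry data).
SERVICE_KERNEL_DRIVER = "1"   # Type
SERVICE_BOOT_START = "0"      # Start: loaded by the OS loader, before any user-mode AV
SERVICE_ERROR_IGNORE = "0"    # ErrorControl: a load failure is neither logged nor reported

REG_LINE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\services\\(?P<svc>[^@\\]+)@(?P<val>\w+)\s*(?P<data>.*)$"
)
FILE_LINE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<note>suspicious modification)\s*$")


def parse_services(log):
    """Group Reg lines into {(control_set, service_name): {value_name: data}}."""
    services = defaultdict(dict)
    for line in log.splitlines():
        m = REG_LINE.match(line.strip())
        if m:
            services[(m["cs"], m["svc"])][m["val"]] = m["data"].strip()
    return services


def flag_boot_start_drivers(services, allowlist=KNOWN_BOOT_BUS_EXTENDERS):
    """Flag drivers set to boot start in the Boot Bus Extender group that are
    not on the allowlist: the load point the posted log shows for yrbbz."""
    findings = []
    for (cs, svc), values in sorted(services.items()):
        if values.get("Start") != SERVICE_BOOT_START:
            continue
        if values.get("Group", "").lower() != "boot bus extender":
            continue
        if svc.lower() in allowlist:
            continue
        findings.append({
            "kind": "boot_start_driver",
            "control_set": cs,
            "service": svc,
            "kernel_driver": values.get("Type") == SERVICE_KERNEL_DRIVER,
            "errors_ignored": values.get("ErrorControl") == SERVICE_ERROR_IGNORE,
        })
    return findings


def flag_modified_files(log):
    """Collect every file GMER reports as modified (system-wide, not per service)."""
    return [
        {"kind": "modified_file", "path": m["path"], "note": m["note"]}
        for m in (FILE_LINE.match(line.strip()) for line in log.splitlines())
        if m
    ]


def triage(log):
    """Return all findings; a service present in several control sets is
    reported once per control set, since each one is a separate load point."""
    return flag_boot_start_drivers(parse_services(log)) + flag_modified_files(log)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

To use it on a full GMER log saved to a file, pass the file's contents to `triage()`. The output is a starting point, not a verdict: the confirming step for the atapi.sys finding is to compare that file against a known-good copy from outside the running OS, because a driver that loads at boot can filter what the running system reports about its own files.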



#2 Pritz (Topic Starter)

Posted 17 May 2010 - 10:11 AM

Did I miss anything to report? Otherwise, how can I get a response?

Please, I need to fix this as I need to do some banking stuff...

Thank you.

#3 Pritz (Topic Starter)

Posted 18 May 2010 - 11:31 AM

I know bumping is not allowed, but I haven't received even one reply yet and it's been 3 days.
If nobody from the malware removal support team wants to help, please say so. I could try other forums.

Please do reply.......

Thank you.

Edited by Pritz, 18 May 2010 - 11:34 AM.


#4 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 18 May 2010 - 02:01 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
    1. Please do not run any other tool until instructed to do so!
    2. Please reply to this thread, do not start another!
    3. Please tell me about any problems that have occurred during the fix.
    4. Please tell me of any other symptoms you may be having, as these can help also.
    5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Run ComboFix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

Information and logs:
    In your next post I need the following
    1. Log From Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click the Donate button. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 21 May 2010 - 01:17 PM

Hello

Three-day bump

It has been Three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo



#6 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 25 May 2010 - 06:55 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo
