
I think I'm infected! Help?


12 replies to this topic

#1 TheDerek81

TheDerek81

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:44 AM

Posted 31 May 2010 - 12:33 AM

I hope this is the right spot to post this; if not, I do apologize! I think I have an infection on my computer. The first sign of problems was "AntiSpyware Soft", which I seem to have stopped. Shortly after, almost every time I start Firefox a secondary tab opens with a URL usually containing "directrdr.com". I also seem to be getting a lot of redirects from Google searches and very slow computer speed. I also lost my volume control (no sound) today. I have run MBAM, Norton, and SpyBot and nothing has shown up.

Here is a GMER log.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-31 09:30:02
Windows 5.1.2600 Service Pack 2
Running: mx7djwb2.exe; Driver: C:\DOCUME~1\BOUNLU~1\LOCALS~1\Temp\kgloypog.sys


---- System - GMER 1.0.15 ----

SSDT 83BCE050 ZwAlertResumeThread
SSDT 83BCF050 ZwAlertThread
SSDT 830E7798 ZwAllocateVirtualMemory
SSDT 83386050 ZwAssignProcessToJobObject
SSDT 83FDE700 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF4111210]
SSDT 830E6EB0 ZwCreateMutant
SSDT 830E6998 ZwCreateSymbolicLinkObject
SSDT 830F3408 ZwCreateThread
SSDT 8330F050 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF4111490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF41119F0]
SSDT 830E78F0 ZwDuplicateObject
SSDT 830E75F8 ZwFreeVirtualMemory
SSDT 83389050 ZwImpersonateAnonymousToken
SSDT 83BCD050 ZwImpersonateThread
SSDT 83FCEFD0 ZwLoadDriver
SSDT 830E7518 ZwMapViewOfSection
SSDT 83311050 ZwOpenEvent
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwOpenKey [0xF41117A0]
SSDT 830F32F0 ZwOpenProcess
SSDT 83313050 ZwOpenProcessToken
SSDT 83310050 ZwOpenSection
SSDT 830E79C0 ZwOpenThread
SSDT 830E6A68 ZwProtectVirtualMemory
SSDT 83BD0050 ZwResumeThread
SSDT 8338A050 ZwSetContextThread
SSDT 830E73C0 ZwSetInformationProcess
SSDT 83387050 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF4111C40]
SSDT 83388050 ZwSuspendProcess
SSDT 83312050 ZwSuspendThread
SSDT 83FCC3C0 ZwTerminateProcess
SSDT 83BD7D50 ZwTerminateThread
SSDT 83BD1050 ZwUnmapViewOfSection
SSDT 830E76C8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\ftdisk.sys entry point in ".rsrc" section [0xF7344314]
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6CF4360, 0x2456AE, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[468] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009E000A
.text C:\WINDOWS\Explorer.EXE[468] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009F000A
.text C:\WINDOWS\Explorer.EXE[468] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 009D000C
.text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0073000A
.text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0074000A
.text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0072000C
.text C:\WINDOWS\System32\svchost.exe[1284] USER32.dll!GetCursorPos 7E41BD76 5 Bytes JMP 00F8000A
.text C:\WINDOWS\System32\svchost.exe[1284] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 009D000A
.text C:\WINDOWS\system32\wuauclt.exe[2420] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009C000A
.text C:\WINDOWS\system32\wuauclt.exe[2420] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009D000A
.text C:\WINDOWS\system32\wuauclt.exe[2420] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003E000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device -> \Driver\atapi \Device\Harddisk0\DR0 84184D01

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@midimapper midimap.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.imaadpcm imaadp32.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.msadpcm msadp32.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.msg711 msg711.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.msgsm610 msgsm32.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.trspch tssoft32.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.cvid iccvid.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.I420 msh263.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.iv31 ir32_32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.iv32 ir32_32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.iv41 ir41_32.ax
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.iyuv iyuv_32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.mrle msrle32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.msvc msvidc32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.uyvy msyuv.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.yuy2 msyuv.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.yvu9 tsbyuv.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.yvyu msyuv.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@wavemapper msacm32.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.msg723 msg723.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.M263 msh263.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.M261 msh261.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.msaudio1 msaud32.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.sl_anet sl_anet.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.iac2 C:\WINDOWS\system32\iac25_32.ax
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.iv50 ir50_32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@msacm.l3acm C:\WINDOWS\system32\l3codeca.acm
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@wave serwvdrv.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@wave1 wdmaud.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@midi wdmaud.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@mixer wdmaud.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.DIVX DivX.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@vidc.yv12 DivX.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP@wave rdpsnd.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP@mixer rdpsnd.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP@MaxBandwidth 22201
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP@wavemapper msacm32.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP@EnableMP3Codec 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP@midimapper midimap.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs jewoyuhi.dll c:\windows\system32\bijikoko.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ftdisk.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by TheDerek81, 31 May 2010 - 11:37 AM.
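As an added illustration (not the poster's code and not part of GMER), here is a small Python triage that reads GMER 1.0.15 log lines in the format posted above and pulls out the two entries a malware-removal helper would look at first: DLLs registered under AppInit_DLLs (loaded into every process that loads user32.dll while LoadAppInit_DLLs is 1) and files GMER reports as "suspicious modification". The sample lines are constructed from the posted log, and the function names `triage` and `needs_specialist` are my own.

```python
import re

# Constructed sample in GMER 1.0.15 log format, built from lines of the
# log posted above (one benign Drivers32 entry included as a control).
SAMPLE_LOG = r"""
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32@wave1 wdmaud.drv
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs jewoyuhi.dll c:\windows\system32\bijikoko.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

# "Reg <key>@<value name> <data>" lines for the two AppInit values.
APPINIT_RE = re.compile(r"^Reg .+@AppInit_DLLs\s*(?P<dlls>.*)$")
LOAD_RE = re.compile(r"^Reg .+@LoadAppInit_DLLs\s+(?P<flag>\S+)$")
# "File <path> suspicious modification" lines from the Files section.
MODIFIED_RE = re.compile(r"^File (?P<path>.+?) suspicious modification$")


def triage(log_text):
    """Return (findings, load_flag): findings is a list of (kind, detail)
    tuples; load_flag is the LoadAppInit_DLLs data if present, else None."""
    findings = []
    load_flag = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := APPINIT_RE.match(line):
            # Every DLL listed here is injected into each process that loads
            # user32.dll once LoadAppInit_DLLs is 1, so each name is a finding.
            findings.extend(("appinit_dll", d) for d in m.group("dlls").split())
        elif m := LOAD_RE.match(line):
            load_flag = m.group("flag")
        elif m := MODIFIED_RE.match(line):
            findings.append(("modified_driver", m.group("path")))
    return findings, load_flag


def needs_specialist(findings, load_flag):
    """True when a modified driver or an active AppInit DLL is present:
    both are rootkit-class indicators that ordinary scanners often miss."""
    kinds = {kind for kind, _ in findings}
    return "modified_driver" in kinds or (
        "appinit_dll" in kinds and load_flag == "1")


if __name__ == "__main__":
    found, flag = triage(SAMPLE_LOG)
    for kind, detail in found:
        print(f"{kind:16} {detail}")
    print("escalate:", needs_specialist(found, flag))
```

Run against a full log, the AppInit_DLLs names and the modified-driver paths are exactly the items to hand to a removal tool or a specialist, while the Drivers32 codec entries are ignored as expected.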




#2 TheDerek81

TheDerek81
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:44 AM

Posted 31 May 2010 - 02:39 PM

Anyone? I searched a few other threads on this topic and followed the steps listed (TFC, GMER, MBAM, SuperAntispyware, etc.) and still no solution to this problem. Still no audio, slow comp speeds, and every time I close Firefox it pops a crash message. Also still receiving pop-up redirects. Should I just find someone with a Windows disk and reload my OS?

#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:44 AM

Posted 31 May 2010 - 06:37 PM

Try this:

http://www.bleepingcomputer.com/virus-remo...sing-tdsskiller

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#4 TheDerek81

TheDerek81
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:44 AM

Posted 01 June 2010 - 08:31 PM

Thanks, that found an infected file and it was able to fix it. Still no audio; I am pretty sure the infection messed it up.

#5 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:44 AM

Posted 01 June 2010 - 08:34 PM

Run another Malwarebytes scan and post the log.

#6 TheDerek81

TheDerek81
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:44 AM

Posted 01 June 2010 - 09:36 PM

Ran another Malwarebytes scan, nothing found; here is the log though. I did look back into the quarantine logs and noticed a bunch of System Volume Control files that had been infected and discarded.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4159

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

6/1/2010 7:32:24 PM
mbam-log-2010-06-01 (19-32-24).txt

Scan type: Full scan (C:\|)
Objects scanned: 180520
Time elapsed: 54 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:44 AM

Posted 01 June 2010 - 10:00 PM

Try this:

http://support.microsoft.com/kb/307918

#8 TheDerek81

TheDerek81
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:44 AM

Posted 01 June 2010 - 11:28 PM

Ran through the troubleshoot, updated the driver, updated Windows Media Player and updated Firefox. Now I get sound using Media Player but still nothing when it comes to the web. Maybe I'll reinstall Firefox or try IE.

#9 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:44 AM

Posted 01 June 2010 - 11:32 PM

Try uninstalling and reinstalling Flash.

http://kb2.adobe.com/cps/141/tn_14157.html

#10 TheDerek81

TheDerek81
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:44 AM

Posted 02 June 2010 - 12:34 AM

Okay, uninstalled Flash and reinstalled it. Still no sound in Firefox or IE, and the volume control icon is still missing. Also, the System Volume Information folder under restore has two folders (RP636 and RP634), both empty. And is the Tracking.log document normal for the SVI folder?

#11 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:44 AM

Posted 02 June 2010 - 12:44 AM

Try the fix at Kelly's Korner.

Sound Icon - Enable - #316 on the right.

Right click on it and save the .reg file to your desktop. Then double click on the file icon (on your desktop) to merge it into your registry. You may need to reboot your computer for the changes to take effect.

With any fix like this you should create a new restore point and backup the registry first. For backing up the registry I like to use ERUNT.

#12 TheDerek81

TheDerek81
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:44 AM

Posted 02 June 2010 - 08:05 PM

I just backed up my registry and did the fix like you suggested, and still no icon or audio online.

#13 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:44 AM

Posted 04 June 2010 - 12:36 AM

http://support.microsoft.com/kb/319095