Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware Issue


  • This topic is locked This topic is locked
6 replies to this topic

#1 Chris in NB

Chris in NB

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:10 PM

Posted 07 June 2010 - 01:35 PM

Hi,

I have a windows 7 computer with AVG professional as my AV software of choice.

I knew better but I still did it. I was on facebook and my cousin emailed me an attachment with a picture. Opened it and BANG. AVG came up and said threat blocked. However, now boh ie 8 and Firefox are having websites redirected from google.

I ran AVG and no threats detected. Ran MalwareBytes in safe mode, found a bunch of threats removed them. Ran windows nornmally, same issue. Ran Spybot S&D in safe mode (wouldn't download in normal mode), found a couple of things, still the same problem.

Please see below, any help would be appreciated.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows 7 Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 01/17/2010 10:45:46 AM
System Uptime: 06/07/2010 2:31:50 PM (0 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | P55M-UD2
Processor: Intel® Core™ i5 CPU 750 @ 2.67GHz | Socket 1156 | 2793/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 466 GiB total, 428.995 GiB free.
D: is FIXED (NTFS) - 466 GiB total, 440.853 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
P: is NetworkDisk (NTFS) - 75 GiB total, 22.227 GiB free.
S: is NetworkDisk (NTFS) - 75 GiB total, 22.227 GiB free.
T: is NetworkDisk (NTFS) - 75 GiB total, 22.227 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Cruzer Micro
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_0.1#20051739920CEAB2102E&0#
Manufacturer: SanDisk
Name: F:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_0.1#20051739920CEAB2102E&0#
Service: WUDFRd

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Flash Reader
Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_MULTI&PROD_FLASH_READER&REV_1.00#058F0O1111B1&0#
Manufacturer: Multi
Name: G:\
PNP Device ID: WPDBUSENUMROOT\UMB\2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_MULTI&PROD_FLASH_READER&REV_1.00#058F0O1111B1&0#
Service: WUDFRd

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG 9.0
Bonjour

+DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris at 14:43:20.66 on 06/07/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3579.2618 [GMT -3:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\sYSteM32\SvchOst.eXE -k ppdrv
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\JFaxMailNTHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Users\Chris\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSearch Bar = Preserve
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Google Update] "c:\users\chris\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [JFaxMailNTHelper] c:\windows\JFaxMailNTHelper.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\j2re1.4.2_19\bin\jusched.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\chris\appdata\roaming\mozilla\firefox\profiles\vhpy27mz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\users\chris\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R?2 ppdrv;ppdrv;c:\windows\system32\SvchOst.eXE -k ppdrv [2009-7-13 20992]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-1-18 52872]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-1-18 216200]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-1-18 29584]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-1-18 242896]
R1 PDRV;PDRV;c:\windows\system32\drivers\pdrv.sys [2010-6-7 59008]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-5 308064]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-6-7 1153368]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-6-10 139776]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-19 135664]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-5 1343400]

=============== Created Last 30 ================

2010-06-07 16:44:36 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-07 16:44:36 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-07 13:18:49 59008 ----a-w- c:\windows\system32\drivers\pdrv.sys
2010-06-07 13:18:49 51200 ----a-w- c:\windows\system32\pdrv.dll
2010-06-01 13:38:55 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-25 20:15:00 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-25 17:38:20 0 d-----w- c:\programdata\WinZip
2010-05-12 01:18:58 740864 ----a-w- c:\windows\system32\inetcomm.dll

==================== Find3M ====================

2010-06-01 11:34:55 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-29 18:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 18:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-22 12:28:17 126524 ----a-w- c:\windows\Visual CADD 5.0 Uninstaller.exe
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-02-06 07:18:45 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-23 07:18:49 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2010-01-23 07:18:49 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2010-01-23 07:18:49 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2010-01-23 07:18:49 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 14:43:45.61 ===============++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-07 14:58:50
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\Chris\AppData\Local\Temp\kglcqpod.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2EAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2E104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2E3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E172D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E16898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2E1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2E958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2E6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2EF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2F1A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A47599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A6BF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9281D000, 0x2D5378, 0xE8000020]
.text peauth.sys 9DA33C9D 28 Bytes [C4, A7, 7F, E0, 80, 15, C4, ...]
.text peauth.sys 9DA33CC1 28 Bytes [C4, A7, 7F, E0, 80, 15, C4, ...]
PAGE peauth.sys 9DA39B9B 32 Bytes [09, 52, A6, E1, 37, 5A, EC, ...]
PAGE peauth.sys 9DA39BBC 39 Bytes [D5, 01, EB, DA, 66, ED, 34, ...]
PAGE peauth.sys 9DA39BEC 111 Bytes JMP C166CA22
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtProtectVirtualMemory 77085360 5 Bytes JMP 0017000A
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtWriteVirtualMemory 77085EE0 5 Bytes JMP 0024000A
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!KiUserExceptionDispatcher 77086448 5 Bytes JMP 0016000A
.text C:\Windows\system32\svchost.exe[1328] ole32.dll!CoCreateInstance 76A357FC 5 Bytes JMP 0047000A
.text C:\Windows\system32\svchost.exe[1328] USER32.dll!GetCursorPos 761DC198 5 Bytes JMP 0133000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1880] ntdll.dll!NtProtectVirtualMemory 77085360 5 Bytes JMP 0014000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1880] ntdll.dll!NtWriteVirtualMemory 77085EE0 5 Bytes JMP 0015000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1880] ntdll.dll!KiUserExceptionDispatcher 77086448 5 Bytes JMP 0013000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1880] USER32.dll!UnhookWindowsHookEx 761DCC7B 5 Bytes JMP 021082FA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1880] USER32.dll!CallNextHookEx 761DCC8F 5 Bytes JMP 020E9D00 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1880] USER32.dll!CreateWindowExW 761E0E51 5 Bytes JMP 020F80F7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1880] USER32.dll!SetWindowsHookExW 761E210A 5 Bytes JMP 020A45DB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1880] USER32.dll!DialogBoxIndirectParamW 76204AA7 5 Bytes JMP 0221F218 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1880] USER32.dll!DialogBoxParamW 7620564A 5 Bytes JMP 02014B7F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1880] USER32.dll!DialogBoxParamA 7621CF6A 5 Bytes JMP 0221F1B5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1880] USER32.dll!DialogBoxIndirectParamA 7621D29C 5 Bytes JMP 0221F27B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1880] USER32.dll!MessageBoxIndirectA 7622E8C9 5 Bytes JMP 0221F14A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1880] USER32.dll!MessageBoxIndirectW 7622E9C3 5 Bytes JMP 0221F0DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1880] USER32.dll!MessageBoxExA 7622EA29 5 Bytes JMP 0221F07D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1880] USER32.dll!MessageBoxExW 7622EA4D 5 Bytes JMP 0221F01B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1880] ole32.dll!OleLoadFromStream 769E5B88 5 Bytes JMP 0221F576 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1880] ole32.dll!CoCreateInstance 76A357FC 5 Bytes JMP 020F8BE5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2308] ntdll.dll!NtProtectVirtualMemory 77085360 5 Bytes JMP 0015000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2308] ntdll.dll!NtWriteVirtualMemory 77085EE0 5 Bytes JMP 0016000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2308] ntdll.dll!KiUserExceptionDispatcher 77086448 5 Bytes JMP 0013000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2308] USER32.dll!CreateWindowExW 761E0E51 5 Bytes JMP 01FF80F7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2308] USER32.dll!DialogBoxIndirectParamW 76204AA7 5 Bytes JMP 0211F218 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2308] USER32.dll!DialogBoxParamW 7620564A 5 Bytes JMP 01F14B7F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2308] USER32.dll!DialogBoxParamA 7621CF6A 5 Bytes JMP 0211F1B5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2308] USER32.dll!DialogBoxIndirectParamA 7621D29C 5 Bytes JMP 0211F27B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2308] USER32.dll!MessageBoxIndirectA 7622E8C9 5 Bytes JMP 0211F14A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2308] USER32.dll!MessageBoxIndirectW 7622E9C3 5 Bytes JMP 0211F0DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2308] USER32.dll!MessageBoxExA 7622EA29 5 Bytes JMP 0211F07D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2308] USER32.dll!MessageBoxExW 7622EA4D 5 Bytes JMP 0211F01B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Windows\Explorer.EXE[3408] ntdll.dll!NtProtectVirtualMemory 77085360 5 Bytes JMP 002C000A
.text C:\Windows\Explorer.EXE[3408] ntdll.dll!NtWriteVirtualMemory 77085EE0 5 Bytes JMP 002D000A
.text C:\Windows\Explorer.EXE[3408] ntdll.dll!KiUserExceptionDispatcher 77086448 5 Bytes JMP 002B000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5388] ntdll.dll!NtProtectVirtualMemory 77085360 5 Bytes JMP 0014000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5388] ntdll.dll!NtWriteVirtualMemory 77085EE0 5 Bytes JMP 0015000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5388] ntdll.dll!KiUserExceptionDispatcher 77086448 5 Bytes JMP 0013000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5388] USER32.dll!UnhookWindowsHookEx 761DCC7B 5 Bytes JMP 021782FA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5388] USER32.dll!CallNextHookEx 761DCC8F 5 Bytes JMP 02159D00 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5388] USER32.dll!CreateWindowExW 761E0E51 5 Bytes JMP 021680F7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5388] USER32.dll!SetWindowsHookExW 761E210A 5 Bytes JMP 021145DB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5388] USER32.dll!DialogBoxIndirectParamW 76204AA7 5 Bytes JMP 0228F218 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5388] USER32.dll!DialogBoxParamW 7620564A 5 Bytes JMP 02084B7F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5388] USER32.dll!DialogBoxParamA 7621CF6A 5 Bytes JMP 0228F1B5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5388] USER32.dll!DialogBoxIndirectParamA 7621D29C 5 Bytes JMP 0228F27B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5388] USER32.dll!MessageBoxIndirectA 7622E8C9 5 Bytes JMP 0228F14A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5388] USER32.dll!MessageBoxIndirectW 7622E9C3 5 Bytes JMP 0228F0DF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5388] USER32.dll!MessageBoxExA 7622EA29 5 Bytes JMP 0228F07D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5388] USER32.dll!MessageBoxExW 7622EA4D 5 Bytes JMP 0228F01B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5388] ole32.dll!OleLoadFromStream 769E5B88 5 Bytes JMP 0228F576 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5388] ole32.dll!CoCreateInstance 76A357FC 5 Bytes JMP 02168BE5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000043 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8638AEC5

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


BC AdBot (Login to Remove)

 


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:10 PM

Posted 10 June 2010 - 07:57 AM

Hi Chris in NB,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please download TDSSKiller.exe to your desktop.
Run the tool, if needed reboot and post the log it makes on the root of C drive (TDSSKiller-date-time.txt).

#3 Chris in NB

Chris in NB
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:10 PM

Posted 10 June 2010 - 08:46 AM

First of all, thank you for you assistance.

Just as a note, I tried to download the file from the infected machine, and it wouldn't do it. Went to another, and no issue.

I've included the report as an attachment.

Attached Files



#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:10 PM

Posted 10 June 2010 - 08:53 AM

The rootkit is taken care of. thumbup2.gif
  1. You have the latest version of Java (Java 6 Update 20) and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.
    Please uninstall all the older verions.

  2. Please download OTC and save it to Desktop.
    • Make sure you have internet connection.
    • Right-click to run it as administrator.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.

  3. Open your Malwarebytes' Anti-Malware.
    • First update it, to do that under the Update tab press "Check for Updates".
    • Under Scanner tab select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the MBAM log.

    Extra Note:
    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.


  4. Tell me how is your computer running now.


#5 Chris in NB

Chris in NB
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:06:10 PM

Posted 10 June 2010 - 09:26 AM

clapping.gif

It appears to be beat. I can now do serches with no re-directs and overall speed has returned to normal.

Thank you.

Attached Files



#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:10 PM

Posted 10 June 2010 - 09:44 AM

It looks good. thumbup2.gif
  1. You delete the tools or logs from your computer.

  2. First Set a New Restore Point then Remove the Old Restore Points to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

    To set a new restore point:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

    To remove the old restore points:
    • Go to Start > Run then type: Cleanmgr in the box and click "OK".
    • You get a window to select the drive to clean, the default is already set to (C:) drive. Click OK.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
    • Click OK and Yes.

Happy Surfing Chris. smile.gif

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,707 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:11:10 PM

Posted 15 June 2010 - 07:55 AM


This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users