Search engine redirects and wireless connect drop out


  • This topic is locked
3 replies to this topic

#1 tjduffy25

tjduffy25

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:22 PM

Posted 21 October 2010 - 10:08 PM

I have a couple things going on with my laptop computer right now and I am not sure whether they are related or not. First, I have search engine links that redirect to advertisements. This happens with google and other search engines and happens on both Firefox and IE. I have seen many posts on this issue throughout this forum and on the web but haven't found a clear solution.
Secondly, I also have tabs that will randomly open. Sometimes these tabs open just to a google search page and other times they are for advertisements.
Thirdly, I get an error message that states: "Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience." After this, my toolbar at the bottom of my screen will briefly change to the old Windows 2000 toolbar. A few minutes later (usually within 5 or 10 min), my wireless internet connection drops out. The only way I have found to be able to reconnect is to restart my computer. Also, if I am using my computer and just disable my wireless connection, I have yet to receive this error.

I would really appreciate any help or insight on these issues.

I am unable to obtain scripts from the DDS. I double click on the dds.scr icon and the initial information screen appears but after extended periods of time the notepad windows never open. I assume that something is blocking it from running but I have Avast! free Antivirus and SUPERAntiSpyware free edition disabled when I attempt to run the scan.


With the GMER log I am also having an issue. I have three times attempted to run the GMER program. The first two times this happened: I set it up as the instructions indicate and then I click scan and the program begins to scan. After a while my computer goes to a blank screen stating: "A problem has been detected and windows has been shut down to prevent damage to your computer. If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:
Check to be sure you have adequate disk space. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.
Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup options, and then select Safe Mode.

Technical information:

*** STOP: 0x0000008E (0xC0000005, 0xF727C196, 0xF79FDBF4,0x00000000)

*** IASTOR.SYS - Address F727C196 base at F726D000, Datestamp 434d5ede

Beginning dump of physical memory.
Physical memory dump complete.
Contact your system administrator or technical support group for further assistance."

The third time I attempted to run the gmer.exe program, I got an error roughly 30 seconds after the scan started that stated: "gmer.exe has encountered a problem and needs to close. We are sorry for the inconvenience."
The error signature in the technical report stated:
APPNAME: gmer.exe AppVer:1.0.15.15281 ModName: gmer.exe
ModVer: 1.0.15.15281 Offset: 0005c887


I appreciate any and all help. Thanks in advance!

Tyler


#2 tjduffy25

tjduffy25
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:22 PM

Posted 27 October 2010 - 08:59 PM

Hi,
I have the search engine links that redirect to advertisements. This happens with google as well as other search engines and happens on both Firefox and IE. Sometimes, new tabs will randomly open to advertising sites and sometimes the random tab will be to google.
I have an additional issue that I am not sure whether it is related or not. If I am connected to the internet, after a period of being online I get an error message that states: "Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience." After this, my toolbar at the bottom of my screen will briefly change to an old looking toolbar and then back to normal. A few minutes later (usually within 5 or 10 min), my wireless internet connection drops out. My wireless connection has me connected to "Access Point." The only way I have found to be able to reconnect is to restart my computer. Also, if I am using my computer and just disable my wireless connection, I have yet to receive this error.

I have Avast! Antivirus and SUPERAntiSpyware and have run scans with those tools but have yet to solve my problem. I would really appreciate any help or insight on these issues.

I am unable to obtain scripts from the DDS. I double click on the dds.scr icon and the initial information screen appears but after extended periods of time the notepad windows never open.

My GMER log:
Attached File  ark.txt   12.39KB   0 downloads
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-27 20:00:52
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\ufldraob.sys


---- System - GMER 1.0.15 ----

SSDT 8575C768 ZwAlertResumeThread
SSDT 8575C5D8 ZwAlertThread
SSDT 85794E80 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xA2467CF0]
SSDT 86180EF0 ZwConnectPort
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xA2467BAC]
SSDT 8574A008 ZwCreateMutant
SSDT 8654B360 ZwCreateThread
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xA2468160]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xA246808A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xA2467782]
SSDT 8575B790 ZwFreeVirtualMemory
SSDT 8579B190 ZwImpersonateAnonymousToken
SSDT 862281B0 ZwImpersonateThread
SSDT 85778210 ZwMapViewOfSection
SSDT 8570C4B0 ZwOpenEvent
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xA2467C86]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xA24676C2]
SSDT 8575B440 ZwOpenProcessToken
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xA2467726]
SSDT 8575BD68 ZwOpenThreadToken
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xA2467DA6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA246822E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xA2467D66]
SSDT 8575A460 ZwResumeThread
SSDT 8575BF08 ZwSetContextThread
SSDT 8575BBE8 ZwSetInformationProcess
SSDT 8575C080 ZwSetInformationThread
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xA2467EE6]
SSDT 856BE4B0 ZwSuspendProcess
SSDT 8575C448 ZwSuspendThread
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xA25A6320]
SSDT 8575C2B8 ZwTerminateThread
SSDT 8575BA60 ZwUnmapViewOfSection
SSDT 8578C770 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2F74 80504810 5 Bytes CALL 00D5BDD0
.text ntkrnlpa.exe!ZwCallbackReturn + 2F7A 80504816 2 Bytes [75, 85] {JNZ 0xffffffffffffff87}
.rsrc C:\WINDOWS\system32\drivers\ql10wnt.sys entry point in ".rsrc" section [0xF7545C14]
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF60E5EBF]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[368] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\WINDOWS\Explorer.EXE[520] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EE000A
.text C:\WINDOWS\Explorer.EXE[520] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00EF000A
.text C:\WINDOWS\Explorer.EXE[520] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00ED000C
.text C:\WINDOWS\System32\svchost.exe[1248] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D3000A
.text C:\WINDOWS\System32\svchost.exe[1248] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D4000A
.text C:\WINDOWS\System32\svchost.exe[1248] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D2000C
.text C:\WINDOWS\System32\svchost.exe[1248] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00E7000A
.text C:\WINDOWS\System32\svchost.exe[1248] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00D8000A
.text C:\WINDOWS\system32\wuauclt.exe[3544] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0115000A
.text C:\WINDOWS\system32\wuauclt.exe[3544] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0116000A
.text C:\WINDOWS\system32\wuauclt.exe[3544] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0114000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 865AFEC5

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ql10wnt.sys suspicious modification
File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by Orange Blossom, 27 October 2010 - 09:13 PM.
Merged topics. ~ OB
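The GMER log above is the kind of output a helper has to triage by eye: which hooks belong to known security products, which inline JMPs in ordinary processes point at unattributed addresses, and whether the disk driver shows both a redirected device object and a modified on-disk image (the combination later resolved with TDSSKiller). The following script is an added example written for this page; it is not code from the thread, from GMER, or from BleepingComputer. It walks lines in GMER's text format and applies a few defender-side heuristics that are assumptions of this example, not rules published by GMER: a JMP target printed without a module name is "unattributed" and worth review, a "suspicious modification" of a driver file is high severity, and a `Device ->` redirect on a storage driver whose file is also flagged is correlated into a single critical indicator. The sample log lines are constructed for the example, modelled on the shapes in the post above.

```python
"""Triage GMER 1.0.15 log lines for rootkit-style indicators (added example)."""
import re

# Constructed sample in GMER's log format; the lines mirror the thread's output
# but are embedded here so the script runs offline.
SAMPLE_LOG = r"""---- System - GMER 1.0.15 ----

SSDT 8575C768 ZwAlertResumeThread
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xA2467CF0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2F74 80504810 5 Bytes CALL 00D5BDD0
.rsrc C:\WINDOWS\system32\drivers\ql10wnt.sys entry point in ".rsrc" section [0xF7545C14]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[368] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\WINDOWS\Explorer.EXE[520] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EE000A
.text C:\WINDOWS\System32\svchost.exe[1248] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D4000A

---- Devices - GMER 1.0.15 ----

Device -> \Driver\iaStor \Device\Harddisk0\DR0 865AFEC5

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\ql10wnt.sys suspicious modification
File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
USER_HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?\[\d+\]) (?P<func>\S+!\S+) (?P<addr>[0-9A-F]+) "
    r"(?P<n>\d+) Bytes (?P<rest>.+)$")
JMP_RE = re.compile(r"\bJMP (?P<target>[0-9A-F]{8})\b")
DEVICE_RE = re.compile(
    r"^Device -> \\Driver\\(?P<drv>\S+) (?P<dev>\\Device\\\S+) (?P<addr>[0-9A-F]+)$")
FILE_RE = re.compile(r"^File (?P<path>.+?) suspicious modification$")
ENTRY_RE = re.compile(r'^(?P<sec>\S+) (?P<path>\S+) entry point in "(?P<in>[^"]+)" section')


def parse_gmer(text):
    """Return a list of finding dicts (kind, severity, detail, ...) for one GMER log."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if not line:
            continue
        if section and section.startswith("User code"):
            m = USER_HOOK_RE.match(line)
            if m:
                jmp = JMP_RE.search(m.group("rest"))
                # Heuristic (assumption): an inline JMP whose target GMER prints as a bare
                # address has no module attribution and needs review; a byte patch without
                # a JMP (as in a vendor's own service) is recorded for context only.
                findings.append({"kind": "user_hook", "process": m.group("proc"),
                                 "function": m.group("func"),
                                 "target": jmp.group("target") if jmp else None,
                                 "severity": "medium" if jmp else "info", "detail": line})
                continue
        if section and section.startswith("Kernel code"):
            m = ENTRY_RE.match(line)
            if m:  # GMER itself flags drivers whose entry point sits outside a code section
                findings.append({"kind": "odd_entry_section", "path": m.group("path"),
                                 "section": m.group("in"), "severity": "medium", "detail": line})
                continue
        m = DEVICE_RE.match(line)
        if m:  # dispatch for a device object redirected to an unnamed address
            findings.append({"kind": "device_redirect", "driver": m.group("drv"),
                             "device": m.group("dev"), "severity": "high", "detail": line})
            continue
        m = FILE_RE.match(line)
        if m:
            findings.append({"kind": "modified_file", "path": m.group("path"),
                             "severity": "high", "detail": line})
    return findings


def correlate(findings):
    """Return driver names (lower-case stem) that show both a device redirect and a modified file."""
    redirected = {f["driver"].lower() for f in findings if f["kind"] == "device_redirect"}
    modified = set()
    for f in findings:
        if f["kind"] == "modified_file":
            name = f["path"].rsplit("\\", 1)[-1]
            modified.add(name.rsplit(".", 1)[0].lower())
    return sorted(redirected & modified)


def triage(text):
    """Parse, correlate and summarise one log; verdict is a coarse label for a helper to act on."""
    findings = parse_gmer(text)
    hits = correlate(findings)
    hooked = sorted({f["process"] for f in findings if f["kind"] == "user_hook" and f["target"]})
    if hits:
        verdict = "critical"  # storage driver redirected and its file modified: classic disk-driver rootkit picture
    elif any(f["severity"] == "high" for f in findings):
        verdict = "high"
    else:
        verdict = "review"
    return {"findings": findings, "correlated_drivers": hits,
            "hooked_processes": hooked, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("verdict:", result["verdict"], "| correlated drivers:", result["correlated_drivers"])
    for f in result["findings"]:
        print(f"[{f['severity']:>6}] {f['kind']}: {f['detail']}")
```

Run it on a real `ark.txt` by reading the file into `triage()`. The verdict is a starting point for a human, not a cleaning decision: GMER's "suspicious modification" can be a false positive on legitimately patched drivers, and which JMP targets are benign depends on which security products are installed on that machine, which is exactly why the script records the avast! byte patch at "info" rather than dropping it.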


#3 tjduffy25

tjduffy25
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:22 PM

Posted 28 October 2010 - 10:58 PM

Hi,

This thread can be closed! I seem to have solved my problem by using the bleepingcomputer.com guide "How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller" located here. I am not sure why it took me so long to find the guide, but thanks to Grinler for taking the time to write it!!

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:22 AM

Posted 29 October 2010 - 04:47 PM

As this issue appears to be resolved I am closing the topic. Please send me (or any other Moderator) a Personal Message (PM) if you would like the topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
