
Problem since using Revo Uninstaller


  • This topic is locked
3 replies to this topic

#1 geotan


Posted 30 October 2010 - 12:49 PM

My problem started with Windows Live Mail
http://www.bleepingcomputer.com/forums/topic356743.html/page__pid__1995999#entry1995999

As suggested, I used Revo Uninstaller but then had the problems in the above link.


ark.txt log - sorry but it would not let me add as an attachment.

GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-30 18:33:22
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\GEORGE~1\AppData\Local\Temp\awddrfob.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[192] USER32.dll!CreateWindowExW 77411305 5 Bytes JMP 7120DB44 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[192] USER32.dll!DialogBoxParamW 774310B0 5 Bytes JMP 711354F5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[192] USER32.dll!DialogBoxIndirectParamW 77432EF5 5 Bytes JMP 71305027 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[192] USER32.dll!DialogBoxParamA 77448152 5 Bytes JMP 71304FC4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[192] USER32.dll!DialogBoxIndirectParamA 7744847D 5 Bytes JMP 7130508A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[192] USER32.dll!MessageBoxIndirectA 7745D4D9 5 Bytes JMP 71304F59 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[192] USER32.dll!MessageBoxIndirectW 7745D5D3 5 Bytes JMP 71304EEE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[192] USER32.dll!MessageBoxExA 7745D639 5 Bytes JMP 71304E8C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[192] USER32.dll!MessageBoxExW 7745D65D 5 Bytes JMP 71304E2A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!CreateDialogParamW 774072A2 5 Bytes JMP 7120DED0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!GetAsyncKeyState 7740863C 5 Bytes JMP 71128F0F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!SetWindowsHookExW 774087AD 5 Bytes JMP 71209AED C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!CallNextHookEx 77408E3B 5 Bytes JMP 711FD14D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!UnhookWindowsHookEx 774098DB 5 Bytes JMP 71174686 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!EnableWindow 7740CD8B 5 Bytes JMP 7120DD5D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!CreateWindowExW 77411305 5 Bytes JMP 7120DB44 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!GetKeyState 77418CB1 5 Bytes JMP 7120D30B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!IsDialogMessageW 77420745 5 Bytes JMP 71135A07 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!CreateDialogParamA 774217AA 5 Bytes JMP 71305C93 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!IsDialogMessage 77421847 5 Bytes JMP 7130552F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!CreateDialogIndirectParamA 774226F1 5 Bytes JMP 71305CCA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!CreateDialogIndirectParamW 77429A62 5 Bytes JMP 71305D01 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!SetKeyboardState 77430987 5 Bytes JMP 7130589E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!DialogBoxParamW 774310B0 5 Bytes JMP 711354F5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!DialogBoxIndirectParamW 77432EF5 5 Bytes JMP 71305027 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!SendInput 77432F75 5 Bytes JMP 7130645B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!EndDialog 7743326E 5 Bytes JMP 71137EAE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!SetCursorPos 77446FB2 5 Bytes JMP 713064AF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!DialogBoxParamA 77448152 5 Bytes JMP 71304FC4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!DialogBoxIndirectParamA 7744847D 5 Bytes JMP 7130508A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!MessageBoxIndirectA 7745D4D9 5 Bytes JMP 71304F59 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!MessageBoxIndirectW 7745D5D3 5 Bytes JMP 71304EEE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!MessageBoxExA 7745D639 5 Bytes JMP 71304E8C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!MessageBoxExW 7745D65D 5 Bytes JMP 71304E2A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] USER32.dll!keybd_event 7745D972 5 Bytes JMP 713067DF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] SHELL32.dll!SHRestricted + D95 765489A8 4 Bytes [4D, 30, 90, 6D]
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] SHELL32.dll!SHRestricted + D9D 765489B0 8 Bytes [57, 2F, 90, 6D, 9C, 5B, 8F, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] ole32.dll!OleLoadFromStream 774C1E80 5 Bytes JMP 7130538F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1992] ole32.dll!CoCreateInstance 774F9F3E 5 Bytes JMP 7120DBA0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!CreateDialogParamW 774072A2 5 Bytes JMP 7120DED0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!GetAsyncKeyState 7740863C 5 Bytes JMP 71128F0F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!SetWindowsHookExW 774087AD 5 Bytes JMP 71209AED C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!CallNextHookEx 77408E3B 5 Bytes JMP 711FD14D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!UnhookWindowsHookEx 774098DB 5 Bytes JMP 71174686 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!EnableWindow 7740CD8B 5 Bytes JMP 7120DD5D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!CreateWindowExW 77411305 5 Bytes JMP 7120DB44 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!GetKeyState 77418CB1 5 Bytes JMP 7120D30B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!IsDialogMessageW 77420745 5 Bytes JMP 71135A07 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!CreateDialogParamA 774217AA 5 Bytes JMP 71305C93 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!IsDialogMessage 77421847 5 Bytes JMP 7130552F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!CreateDialogIndirectParamA 774226F1 5 Bytes JMP 71305CCA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!CreateDialogIndirectParamW 77429A62 5 Bytes JMP 71305D01 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!SetKeyboardState 77430987 5 Bytes JMP 7130589E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!DialogBoxParamW 774310B0 5 Bytes JMP 711354F5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!DialogBoxIndirectParamW 77432EF5 5 Bytes JMP 71305027 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!SendInput 77432F75 5 Bytes JMP 7130645B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!EndDialog 7743326E 5 Bytes JMP 71137EAE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!SetCursorPos 77446FB2 5 Bytes JMP 713064AF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!DialogBoxParamA 77448152 5 Bytes JMP 71304FC4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!DialogBoxIndirectParamA 7744847D 5 Bytes JMP 7130508A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!MessageBoxIndirectA 7745D4D9 5 Bytes JMP 71304F59 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!MessageBoxIndirectW 7745D5D3 5 Bytes JMP 71304EEE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!MessageBoxExA 7745D639 5 Bytes JMP 71304E8C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!MessageBoxExW 7745D65D 5 Bytes JMP 71304E2A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] USER32.dll!keybd_event 7745D972 5 Bytes JMP 713067DF C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] SHELL32.dll!SHRestricted + D95 765489A8 4 Bytes [4D, 30, 90, 6D]
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] SHELL32.dll!SHRestricted + D9D 765489B0 8 Bytes [57, 2F, 90, 6D, 9C, 5B, 8F, ...]
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] ole32.dll!OleLoadFromStream 774C1E80 5 Bytes JMP 7130538F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4088] ole32.dll!CoCreateInstance 774F9F3E 5 Bytes JMP 7120DBA0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\fastfat \Fat 815B1A7A

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\iexplore@Count 17720
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7C028FC0-6AD6-DB1B-9A8E-5A1718E348AA}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7C028FC0-6AD6-DB1B-9A8E-5A1718E348AA}@hahflhmiooljikoa 0x6B 0x61 0x6A 0x64 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7C028FC0-6AD6-DB1B-9A8E-5A1718E348AA}@ianejfinmdbcchpgch 0x6B 0x61 0x6A 0x64 ...

---- EOF - GMER 1.0.15 ----


 


#2 Elise


Posted 07 November 2010 - 05:15 AM

Hello,
And :welcome: to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning; it is ok, just ignore it: "Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 geotan


Posted 07 November 2010 - 08:40 AM

Thank you but the problem has resolved itself.

#4 Elise


Posted 07 November 2010 - 09:24 AM

I'm glad to hear that. :)

I will close this topic. If you need it reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise






