
TR/CryptPopm.Gen?


  • This topic is locked
2 replies to this topic

#1 HopeA

HopeA

  • Members
  • 1 posts

Posted 17 January 2011 - 12:22 PM

I run 3 browsers on my system and all have been affected: IE, Firefox and Google Chrome. All but Firefox are now disabled. However, if I try to go to certain sites...or post to this one...I'm blocked. I had to use web mail to email the logs from the affected system to this non-infected one so I could post. I'm getting random pops and redirects. System is slow to start and once in Windows...it takes quite some time for icons to appear. It's also having trouble shutting down, forcing me to hit the power. I decided it would be best to leave it on but it's worsening. I'm now blocked from help files, etc.

I would really appreciate your expertise!

Please see the attached file and the DDS and gmer files below:


DDS (Ver_10-12-12.02) - NTFSx86
Run by Hope at 9:59:39.00 on Mon 01/17/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\DigitalPersona\Bin\DPWinLct.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Livescribe\PenComm\PenCommService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\DigitalPersona\Bin\DPFUSMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Hope\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
C:\Documents and Settings\Hope\My Documents\Downloads\Defogger(2).exe
C:\Documents and Settings\Hope\My Documents\Downloads\dds(2).scr
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - No File
uRun: [MotiveBBM] -AppKey=ATT-SST -URL=\\Start.htm?vendorID=ATT-SST,ConnectivityRequired=true,flowId=HOMEPAGE -windowcontext=ATT-SST
uRun: [Google Update] "c:\documents and settings\hope\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} - hxxp://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1199900673546
DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - hxxp://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} - hxxp://chat.yahoo.com/cab/yuplapp.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
Notify: DPWLN - c:\windows\system32\DPWLEvHd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hope\applic~1\mozilla\firefox\profiles\byaw3oxg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\documents and settings\hope\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R? Apache2.2;Apache2.2
R? EverestDriver;Lavalys EVEREST Kernel Driver
R? Lavasoft Kernexplorer;Lavasoft helper driver
R? Mnespnku2lds;Mnespnku2lds
R? PulseUsb;Livescribe Smartpen USB Driver
S? AntiVirSchedulerService;Avira AntiVir Scheduler
S? AntiVirService;Avira AntiVir Guard
S? avgio;avgio
S? avgntflt;avgntflt
S? dpK0Bx01;Fingerprint Reader Filter Driver
S? Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service
S? Lbd;Lbd
S? NVHDA;Service for NVIDIA High Definition Audio Driver
S? PenCommService;Livescribe Smartpen Service
S? usbdpfp;Fingerprint Reader Class Driver

=============== Created Last 30 ================

2011-01-16 20:42:17 212480 ----a-w- c:\windows\Npyjyb.exe
2011-01-16 20:42:10 212480 ----a-w- c:\windows\Npyjya.exe
2011-01-16 20:41:59 69632 --sha-r- c:\windows\system32\commandf.dll
2011-01-05 22:05:37 -------- d-----w- c:\docume~1\hope\locals~1\applic~1\Temp
2010-12-31 23:56:13 -------- d-sha-r- C:\cmdcons
2010-12-31 20:22:24 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-12-31 20:12:22 -------- d-----w- c:\docume~1\hope\locals~1\applic~1\Sunbelt Software
2010-12-31 20:07:21 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}
2010-12-28 02:22:32 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-12-28 02:22:32 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-12-28 02:14:20 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-12-28 02:13:28 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-12-28 02:06:43 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-12-28 02:02:05 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-12-28 01:58:58 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-28 01:50:10 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-12-28 01:39:18 177664 -c----w- c:\windows\system32\dllcache\wintrust.dll
2010-12-28 01:38:27 86016 -c----w- c:\windows\system32\dllcache\cabview.dll
2010-12-28 01:38:17 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-27 00:55:48 -------- d-----w- c:\docume~1\alluse~1\applic~1\nNcId06300

==================== Find3M ====================

2010-12-03 09:05:33 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-11-29 23:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-08 07:20:24 89088 ----a-w- c:\windows\MBR.exe
2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600JS-75NCB1 rev.10.02E01 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-17

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A555555]<<
c:\docume~1\hope\locals~1\temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a55b7b0]; MOV EAX, [0x8a55b82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A607AB8]
3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A51BC00]
\Driver\atapi[0x8A6213B0] -> IRP_MJ_CREATE -> 0x8A555555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskWDC_WD1600JS-75NCB1_____________________10.02E01#5&289960e9&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A55539B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 10:01:34.86 ===============



GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-17 10:43:52
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort1 WDC_WD1600JS-75NCB1 rev.10.02E01
Running: gmer.exe; Driver: C:\DOCUME~1\Hope\LOCALS~1\Temp\pxtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT A593FE76 ZwCreateKey
SSDT A593FE6C ZwCreateThread
SSDT A593FE7B ZwDeleteKey
SSDT A593FE85 ZwDeleteValueKey
SSDT A593FE8A ZwLoadKey
SSDT A593FE58 ZwOpenProcess
SSDT A593FE5D ZwOpenThread
SSDT A593FE94 ZwReplaceKey
SSDT A593FE8F ZwRestoreKey
SSDT A593FE80 ZwSetValueKey
SSDT A593FE67 ZwTerminateProcess

Code \??\C:\DOCUME~1\Hope\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB5FEE3A0, 0x59FFE5, 0xE8000020]
? C:\DOCUME~1\Hope\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\Hope\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Hope\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[176] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DB000A
.text C:\Documents and Settings\Hope\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[176] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DC000A
.text C:\Documents and Settings\Hope\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[176] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DA000C
.text C:\Program Files\internet explorer\iexplore.exe[1092] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DE000A
.text C:\Program Files\internet explorer\iexplore.exe[1092] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DF000A
.text C:\Program Files\internet explorer\iexplore.exe[1092] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DD000C
.text C:\Program Files\internet explorer\iexplore.exe[1092] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1092] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1092] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD145 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1092] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1092] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254696 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1092] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4FEF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1092] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F21 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1092] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4F8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1092] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4DF2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1092] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1092] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5052 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1092] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EB6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1092] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDBA0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[1092] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E5370 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\explorer.exe[1176] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\explorer.exe[1176] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C2000A
.text C:\WINDOWS\explorer.exe[1176] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C0000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 011AB1A3
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 011ABF35
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] WS2_32.dll!send 71AB4C27 5 Bytes JMP 011ABC3D
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 011ABE4E
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 011AB0E6
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] WS2_32.dll!recv 71AB676F 2 Bytes JMP 011ABCE3
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] WS2_32.dll!recv + 3 71AB6772 2 Bytes [6F, 8F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 011ABD8D
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] WS2_32.dll!WSAAsyncGetHostByName 71ABE99D 5 Bytes JMP 011AB56A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] GDI32.dll!TextOutW 77F17EAC 5 Bytes JMP 011AC1A3
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] GDI32.dll!ExtTextOutW 77F18086 5 Bytes JMP 011AC6DD
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] GDI32.dll!TextOutA 77F1BA4F 5 Bytes JMP 011AC0D6
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] GDI32.dll!ExtTextOutA 77F1D3FA 5 Bytes JMP 011AC5F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] GDI32.dll!GetGlyphIndicesA 77F3DFE3 5 Bytes JMP 011ACA94
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] GDI32.dll!GetGlyphIndicesW 77F52604 5 Bytes JMP 011ACB5E
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 011AB645
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] USER32.dll!DrawTextExW 7E42B415 5 Bytes JMP 011AC510
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] USER32.dll!DrawTextW 7E42D7E2 5 Bytes JMP 011AC34C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] USER32.dll!SetClipboardData 7E430F9E 5 Bytes JMP 011ABFC3
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] USER32.dll!DrawTextA 7E43C702 5 Bytes JMP 011AC270
.text C:\Program Files\Mozilla Firefox\firefox.exe[2548] USER32.dll!DrawTextExA 7E43C739 5 Bytes JMP 011AC428
.text C:\Program Files\internet explorer\iexplore.exe[2932] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DD000A
.text C:\Program Files\internet explorer\iexplore.exe[2932] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DE000A
.text C:\Program Files\internet explorer\iexplore.exe[2932] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A3000C
.text C:\Program Files\internet explorer\iexplore.exe[2932] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2932] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB44 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2932] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E4FEF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2932] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4F21 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2932] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E4F8C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2932] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4DF2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2932] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4E54 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2932] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5052 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2932] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4EB6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0193000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0194000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0192000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] GDI32.dll!TextOutW 77F17EAC 5 Bytes JMP 013DC1A3
.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] GDI32.dll!ExtTextOutW 77F18086 5 Bytes JMP 013DC6DD
.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] GDI32.dll!TextOutA 77F1BA4F 5 Bytes JMP 013DC0D6
.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] GDI32.dll!ExtTextOutA 77F1D3FA 5 Bytes JMP 013DC5F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] GDI32.dll!GetGlyphIndicesA 77F3DFE3 5 Bytes JMP 013DCA94
.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] GDI32.dll!GetGlyphIndicesW 77F52604 5 Bytes JMP 013DCB5E
.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 013DB645
.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] USER32.dll!DrawTextExW 7E42B415 5 Bytes JMP 013DC510
.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] USER32.dll!DrawTextW 7E42D7E2 5 Bytes JMP 013DC34C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] USER32.dll!SetClipboardData 7E430F9E 5 Bytes JMP 013DBFC3
.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] USER32.dll!DrawTextA 7E43C702 5 Bytes JMP 013DC270
.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] USER32.dll!DrawTextExA 7E43C739 5 Bytes JMP 013DC428

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A55539B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A55539B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-4 8A55539B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A55539B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-c 8A55539B
Device \Device\Ide\IdeDeviceP1T0L0-17 -> \??\IDE#DiskWDC_WD1600JS-75NCB1_____________________10.02E01#5&289960e9&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 11: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

Attached Files





#2 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 18 January 2011 - 03:21 PM

Good evening. :)

Download TDSSKiller.zip from Kaspersky from here and save it to your Desktop.

  • You will then need to extract the file(s) from the zipped folder.
  • To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
    In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
    In the final window, click on Finish

  • Please close all open programs as this may result in a reboot being necessary.
  • Double click TDSSKiller.exe to begin.
  • Click Start scan and allow the tool to do just that.
  • Once the scan has completed, if the tool has identified anything, allow it to carry out its default action(s) - you'll need to click Continue where appropriate.
  • Finally, if it prompts you to reboot your machine, please click Reboot Now and ensure that your machine does so.
  • If the scan finds nothing, please click the Report button and let me have a copy of the text file that opens.
  • If you reboot your machine, the log, which I'd like to see, will be located at the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt.
    Please check that you get the one with the right date and time. :)

So long, and thanks for all the fish.



#3 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 23 January 2011 - 03:08 PM

As there has been no response for five days this thread is now closed.

So long, and thanks for all the fish.
