Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Warning: possible TDL3 rootkit infection !


  • This topic is locked This topic is locked
2 replies to this topic

#1 DoreenL

DoreenL

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:48 AM

Posted 20 February 2011 - 03:05 PM

Please help me determine if I should try and remove the rootkit infection or wipe the hard disc and start over.

It is my daughters laptop, she thought she was protected with av software but somehow got this infection. I have scanned and removed various items but I can't get rid of it all.

It will not let me access windows update and I get search redirects on google.

When I was running GMER it gave me the warning that "GMER has found system modification caused by rootkit activity"

I hope I am inserting the right logs into this message.
Thank you very much for any assistance you can provide.


DDS (Ver_10-12-12.02) - NTFSx86
Run by User at 13:26:47.14 on 20/02/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.2.1033.18.1022.493 [GMT -6:00]

AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\User\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\xu24t95a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Redirect Remover: {fe0258ab-4f74-43a1-8781-bcdf340f9ee9} - %profile%\extensions\{fe0258ab-4f74-43a1-8781-bcdf340f9ee9}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl6cd31eb3;MpKsl6cd31eb3;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{82651188-c4ea-41c3-813f-9781944f9ece}\MpKsl6cd31eb3.sys [2011-2-20 28752]
R3 EMCR;EMCR;c:\windows\system32\drivers\EMCR7SK.sys [2009-3-2 68480]
RUnknown SASDIFSV;SASDIFSV; [x]
RUnknown SASKUTIL;SASKUTIL; [x]
S0 biuu;biuu;c:\windows\system32\drivers\iclun.sys --> c:\windows\system32\drivers\iclun.sys [?]
S0 ifjjraup;ifjjraup;c:\windows\system32\drivers\koalhhe.sys --> c:\windows\system32\drivers\koalhhe.sys [?]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2008-4-14 14336]

=============== Created Last 30 ================

2011-02-20 18:34:27 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{82651188-c4ea-41c3-813f-9781944f9ece}\MpKsl6cd31eb3.sys
2011-02-20 18:22:41 -------- d-----w- c:\program files\CCleaner
2011-02-20 17:19:10 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-20 17:19:10 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-02-20 05:46:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-02-20 02:25:48 32576 ----a-w- c:\program files\mozilla firefox\plugins\np_gp.dll
2011-02-20 02:14:48 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-02-20 02:14:48 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-20 02:14:48 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-02-20 00:07:50 -------- d-----w- c:\windows\system32\NtmsData
2011-02-19 23:42:59 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{82651188-c4ea-41c3-813f-9781944f9ece}\MpKsl5183709b.sys
2011-02-19 23:34:09 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{82651188-c4ea-41c3-813f-9781944f9ece}\MpKsl8d99c39e.sys
2011-02-19 20:57:54 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Temp
2011-02-19 20:57:50 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Google
2011-02-19 20:37:26 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{82651188-c4ea-41c3-813f-9781944f9ece}\mpengine.dll
2011-02-19 20:37:26 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-19 20:31:45 -------- d-----w- c:\program files\Microsoft Security Client
2011-02-19 20:04:05 54016 ----a-w- c:\windows\system32\drivers\vbgnws.sys
2011-02-19 19:29:08 -------- d-----w- c:\docume~1\user\applic~1\Malwarebytes
2011-02-19 19:28:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-19 19:28:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-19 19:28:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-19 19:28:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-19 03:26:32 0 ----a-w- c:\documents and settings\user\1.bat
2011-02-19 03:10:29 -------- d-----w- c:\docume~1\alluse~1\applic~1\gPjNdCo08200
2011-02-13 00:32:11 -------- d-----w- c:\docume~1\user\locals~1\applic~1\Adobe
2011-01-30 15:45:12 135568 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-01-30 15:45:12 135568 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:08:45 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08:45 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08:45 17408 ----a-w- c:\windows\system32\corpol.dll
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:25 389120 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-11-29 23:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 23:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9160821A rev._3.ALE -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x866FF439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x867057b8]; MOV EAX, [0x86705834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86779AB8]
3 CLASSPNP[0xF78C3FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8676D630]
\Driver\atapi[0x86718A08] -> IRP_MJ_CREATE -> 0x866FF439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST9160821A_______________________________3.ALE__#5&26bbb134&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x866FF27F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 13:28:12.06 ===============


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-20 13:50:05
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST9160821A rev._3.ALE
Running: gmer.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\uwwyrkog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0xB5F25620]

---- Kernel code sections - GMER 1.0.15 ----

? C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS The system cannot find the file specified. !
? C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS The system cannot find the file specified. !
? C:\DOCUME~1\User\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1140] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00EE000A
.text C:\WINDOWS\System32\svchost.exe[1140] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00EF000A
.text C:\WINDOWS\System32\svchost.exe[1140] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D9000C
.text C:\WINDOWS\System32\svchost.exe[1140] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00FA000A
.text C:\WINDOWS\System32\svchost.exe[1140] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 00FB000A
.text C:\WINDOWS\System32\svchost.exe[1140] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 00FC000A
.text C:\WINDOWS\System32\svchost.exe[1140] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 010A000A
.text C:\WINDOWS\Explorer.EXE[2004] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DC000A
.text C:\WINDOWS\Explorer.EXE[2004] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DD000A
.text C:\WINDOWS\Explorer.EXE[2004] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D6000C
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2084] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2976] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3316] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)

Device \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST9160821A_______________________________3.ALE__#5&26bbb134&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [728] 0x10000000

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Cookies\system@spotxchange[2].txt 0 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@filmannex[2].txt 726 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@advertising[1].txt 899 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@altitudedigitalpartners[2].txt 207 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S6EB0PP2\adStreamJSController[1].htm 0 bytes

---- EOF - GMER 1.0.15 ----

BC AdBot (Login to Remove)

 


#2 DoreenL

DoreenL
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:48 AM

Posted 20 February 2011 - 08:58 PM

Thanks to your tutorial I was able to remove this infection. Thanks very much. If I have trouble again I know where to come.

#3 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:07:48 AM

Posted 21 February 2011 - 12:59 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users