rootkit virus, serious crisis here


11 replies to this topic

#1 cptnick
Posted 03 June 2011 - 12:03 PM

I have been infected by some sort of Rootkit virus. The computer it is affecting is the server for our POS system at our restaurant. In 4 hours the restaurant is going to be flooded with people and we will not have any means to serve them if it doesn't get fixed.

Here is the situation. I noticed the computer started playing some random audio ads for Lysol, etc., then a bunch of weird ads popped up. Having a lot of experience fixing computers, I got them to go away so that I could run Malwarebytes and fix the issue. Malwarebytes went through and found 39 infections, removed them, and the system rebooted. The problem is, it is still blocking a program trying to access the internet, and after about 5 minutes the computer crashes to bluescreen and reboots. I tried rebooting in safe mode and running Malwarebytes again, but it found nothing. I tried running CCleaner; it fixed over 200 issues in the registry, yet the problem still continues. I tried booting to safe mode again and running ComboFix on it; it detects the rootkit virus, reboots, attempts to go through the steps, and can't get through them without the computer crashing yet again. I am in over my head on this one, please help!!

UPDATE: I used GMER to scan my computer; it came up with a long list of suspicious (I think) files, one of which was highlighted in red (the program isn't very user friendly). I used the 'restore' command on it, it said that it had been removed, I rebooted, and the computer stopped crashing. I ran Malwarebytes and it couldn't find anything. I ran ComboFix and it didn't find it this time. My question is, how do you know if you removed all of the virus, and how do you know if it didn't damage any files?

Edited by cptnick, 03 June 2011 - 09:27 PM.
Mod Edit: Moved From Win7 AII - AA



#2 Elise (Malware Study Hall Admin)
Posted 03 June 2011 - 02:11 PM

Hello, please follow the steps in this guide.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#3 cptnick (Topic Starter)
Posted 04 June 2011 - 07:05 AM

OK, I used the Kaspersky scanner; it only turned up 1 suspicious file, c:\windows\system32\drivers\secdrv.sys. I researched it and it appears to be a harmless file. The scanner wasn't able to find any infection. Is my computer clean?

#4 Elise (Malware Study Hall Admin)
Posted 04 June 2011 - 08:39 AM

Did the scanner tell you that secdrv.sys was infected or only that it was suspicious/locked?

regards, Elise




#5 cptnick (Topic Starter)
Posted 04 June 2011 - 11:10 AM

That it was suspicious. It said no infections detected at the end of the scan after I clicked 'continue'.

I also scanned the system with GMER and emailed a log to info@gmer.net, and he said the log was clean. Have you used GMER? Is it reliable? I can't find much info about it.

#6 Elise (Malware Study Hall Admin)
Posted 04 June 2011 - 12:42 PM

"The problem is, it is still blocking a program trying to access the internet, and after about 5 minutes the computer crashes to bluescreen and reboots."

What program is blocked and what is the BSOD code?

GMER is an antirootkit scanner and quite good, but not every item listed is bad. If you emailed it and got a reply it is clean, that is okay.

regards, Elise




#7 cptnick (Topic Starter)
Posted 06 June 2011 - 07:29 AM

Hi Elise, it seems that the server computer is not yet cured. Our POS software will not load on the terminals downstairs, and the network connection sometimes disappears on the server computer. The software downstairs is dependent on the server upstairs. GMER is finding a list of items, but none of them are 'suspicious' or triggering it to say there is an infection. TDSSKiller is finding that one suspicious file, but it says there are no infections. Here is the snippet from the log; I can't figure out how to attach the log.

2011/06/06 08:27:23.0045 3848 Suspicious file (Forged): C:\Windows\system32\drivers\secdrv.sys. Real md5: f0ff1d19737b062601881e460d8ce2e3, Fake md5: daa100df6e6711906b61c9ab5aa16032

Also Malwarebytes isn't finding anything either.


As a side note, yesterday my computer at home also came down with a rootkit virus, and nobody was using it. I used the same steps and it seemed to be cured, but how can you know for sure?
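
To make a TDSSKiller line like the one quoted above actionable, here is an added example (not from this thread, and not Kaspersky's code) that parses records in that format and separates a Forged verdict whose real and fake MD5 actually differ from entries that only need manual review. The secdrv.sys line is the one from the post; the NoAccess verdict and the other log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log. The first record is the line quoted in the thread;
# the remaining lines are made up to exercise the other code paths.
SAMPLE_LOG = r"""
2011/06/06 08:27:23.0045 3848 Suspicious file (Forged): C:\Windows\system32\drivers\secdrv.sys. Real md5: f0ff1d19737b062601881e460d8ce2e3, Fake md5: daa100df6e6711906b61c9ab5aa16032
2011/06/06 08:27:23.0102 3848 Suspicious file (NoAccess): C:\Windows\system32\drivers\example_locked.sys
2011/06/06 08:27:23.0150 3848 Suspicious file (Forged): C:\Windows\system32\drivers\example_same.sys. Real md5: 00000000000000000000000000000000, Fake md5: 00000000000000000000000000000000
2011/06/06 08:27:24.0001 3848 Scan finished
"""

# timestamp, pid, verdict, path, then an optional "Real md5: ..., Fake md5: ..." tail.
# The path is matched lazily so the sentence-ending period after ".sys" is not kept.
SUSPICIOUS_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+"
    r"Suspicious file \((?P<verdict>\w+)\):\s+(?P<path>.+?)\.?"
    r"(?:\s+Real md5: (?P<real>[0-9a-fA-F]{32}), Fake md5: (?P<fake>[0-9a-fA-F]{32}))?\s*$"
)


@dataclass
class Finding:
    timestamp: str
    pid: int
    verdict: str
    path: str
    real_md5: Optional[str] = None
    fake_md5: Optional[str] = None

    def hashes_differ(self) -> bool:
        """True when the tool reports two different contents for one path:
        what the file system API hands back versus what sits on disk."""
        return (self.real_md5 is not None and self.fake_md5 is not None
                and self.real_md5.lower() != self.fake_md5.lower())


def parse_log(text: str) -> List[Finding]:
    """Extract every 'Suspicious file' record; all other lines are ignored."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = SUSPICIOUS_RE.match(line.strip())
        if not m:
            continue
        findings.append(Finding(
            timestamp=m["ts"], pid=int(m["pid"]), verdict=m["verdict"],
            path=m["path"], real_md5=m["real"], fake_md5=m["fake"],
        ))
    return findings


def triage(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Sort findings into buckets an analyst can act on.

    forged       - verdict Forged and the hashes differ: the file returned
                   through the OS is not the file on disk; keep both hashes
                   for the incident record and treat the host as compromised.
    inconsistent - verdict Forged but no hash mismatch: the output does not
                   support its own verdict, so re-scan rather than act on it.
    review       - any other verdict (e.g. the constructed NoAccess): a locked
                   or unreadable file that needs a second opinion, not removal.
    """
    buckets: Dict[str, List[Finding]] = {"forged": [], "inconsistent": [], "review": []}
    for f in findings:
        if f.verdict.lower() == "forged":
            buckets["forged" if f.hashes_differ() else "inconsistent"].append(f)
        else:
            buckets["review"].append(f)
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{bucket}: {len(items)}")
        for f in items:
            print(f"  {f.timestamp} {f.verdict:<9} {f.path} real={f.real_md5} fake={f.fake_md5}")
```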

#8 GX5000
Posted 06 June 2011 - 09:13 AM

I don't know how many times I've said this, but disconnect your POS from the internet!
It's a POS system, and will never really need any Microsoft updates, and if you need to update the POS software you can use a USB stick or drive.

I've been called in to help so many new clients that have lost weeks and months of sales and inventory information because they found being plugged into the Internet useful. It's not worth the risk!

#9 cptnick (Topic Starter)
Posted 06 June 2011 - 09:38 AM

Yeah, that's great advice. Too bad our software processes our credit cards over the internet. Thanks anyway for the help.

#10 Elise (Malware Study Hall Admin)
Posted 06 June 2011 - 11:18 AM

Since this is a server with different terminals, the fastest solution would probably be to disconnect all computers and reformat them all. If you want to clean them, you'll have to disconnect (isolate) each computer and make sure it is clean. Also make sure that all removable media (like USB storage devices) are clean.

One thing is sure: we cannot tackle this in this forum. With the information you have provided, I believe you will need help from the malware removal team. I would like you to start a new thread HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

regards, Elise




#11 cptnick (Topic Starter)
Posted 07 June 2011 - 08:35 AM

I'd like to avoid nuking the system if possible. I got the POS system working again through a reboot of everything. There haven't been any issues in the last 24 hours; I've just been getting messages that the server computer gets low on RAM, even though it has 2 GB. Let me post the most recent logs from SUPERAntiSpyware, Malwarebytes, RootRepeal, GMER, ComboFix and HijackThis. I'm sorry, I can't find the attach command anywhere.

*************************************************************************************************
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/07/2011 at 07:42 AM

Application Version : 4.53.1000

Core Rules Database Version : 7220
Trace Rules Database Version: 5032

Scan type : Complete Scan
Total Scan Time : 00:15:48

Memory items scanned : 706
Memory threats detected : 0
Registry items scanned : 10491
Registry threats detected : 0
File items scanned : 20847
File threats detected : 290

Adware.Tracking Cookie


**********************************************************************************************

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6789

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/7/2011 8:11:20 AM
mbam-log-2011-06-07 (08-11-20).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 235525
Time elapsed: 13 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

*********************************************************************************

RootRepeal (this wouldn't really run, I don't know why)

08:38:41: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000e0)
08:38:41: DeviceIoControl Error! Error Code = 0x1e7
08:38:41: FOPS - DeviceIoControl Error! Error Code = 0xc0000024 Extended Info (0x000000e0)


**********************************************************************************

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-07 08:29:51
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD2500AAJS-75M0A0 rev.02.03E02
Running: xbhe8gvb.exe; Driver: C:\Users\User\AppData\Local\Temp\uftyipoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82896589 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 828BB092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\Users\User\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----


---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\PixelPOS\PixelAuthorizeManager.exe[3016] @ C:\Windows\system32\user32.dll [KERNEL32.dll!CreateThread] [0044F2F8] C:\PixelPOS\PixelAuthorizeManager.exe
IAT C:\PixelPOS\PixelAuthorizeManager.exe[3016] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread] [0044F2F8] C:\PixelPOS\PixelAuthorizeManager.exe
IAT C:\PixelPOS\PixelAuthorizeManager.exe[3016] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [0044F4FC] C:\PixelPOS\PixelAuthorizeManager.exe
IAT C:\PixelPOS\PixelAuthorizeManager.exe[3016] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [0044F4FC] C:\PixelPOS\PixelAuthorizeManager.exe

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\3da21691-e39d-4da6-8a4b-b43877bcb1b7@FlushCacheFiles

---- EOF - GMER 1.0.15 ----

Edited by elise025, 07 June 2011 - 08:57 AM.
logs removed


#12 Elise (Malware Study Hall Admin)
Posted 07 June 2011 - 08:59 AM

I have removed the logs you posted; they are not allowed in this forum as clearly stated at the top of the forum page:

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

Please follow the steps in my last post to create a new topic and post the requested logs in the appropriate forum. You can include your ComboFix log there.

regards, Elise

