Multiple viruses


This topic is locked
4 replies to this topic

#1 MadCityKaren

Posted 13 June 2011 - 09:32 PM

My laptop managed to become infected with a number of different viruses on Friday evening (June 10th). I first became aware of Windows 7 Restore (I believe that's what it was) when it was running its fake scan and began popping up bogus alerts. While working on getting rid of that, I realized that I also had a Google Redirect virus. Then, out of nowhere I was getting audio snippets (about 10-15 seconds each) of commercials/infomercials (I was able to identify Snickers and MS Bing commercials, among numerous others). I've not been able to identify where those ghost audios are coming from; my media player doesn't appear to be running them.

I thought that I had eradicated the Windows 7 Restore until it/something very similar acting popped up again this morning -- just after I had quarantined/removed the Google Redirect! (Yeah, that's frustrating!) (AdAware found the Google Redirect.) I ended up having to manually remove much of the Windows 7 Restore as nothing seemed to be touching it; apparently, I did not remove some remnant of it as it appears that is what has reinfected me today.

This evening, I'm starting all over again, in safe mode -- I used the unhide.exe to get my files showing again, and rkill.exe stopped something. I'm currently running a scan (simply a Trend Micro Housecall scan) to see what comes up. I believed that I had Trend Micro for AV, but that doesn't appear to be working; Windows Defender somehow was disabled in the last week of May -- don't know how or why. I'd also believed that my cable provider had me covered with AV protection and firewall, but may have misunderstood.

I've also run a Trojan Remover (from Simply Super Software) that found a Trojan last night and removed it. I've tried to run TDSSKiller, but even renaming the file it won't execute on my laptop. I've managed to update Malwarebytes (which I use approximately once a month anyway) from my desktop to the laptop so that I can scan using MB too. (I've been transferring various executables from my clean desktop PC to my laptop; I've noticed that any anti-virus/anti-malware icons on my laptop desktop now have a little shield next to them if not in safe mode ... the Trojan picked up last night was some kind of fake AV program. Should I assume that those programs are now not legitimate? The shield looks very similar to the fake file icon.)

Not sure what else to say right now ... I'm running 32 bit Windows 7 on a Toshiba laptop. I'm not sure how to run a DDS (or whatever it is) log to copy to here even.

Edited to add: regarding the TDSSKiller, I tried running it as an administrator too, but it still won't execute. I think that the virii are watching me! :crazy:

UPDATE: I ran MBAM fast scan last night in safe mode and got this log ...
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6838

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

6/13/2011 10:12:40 PM
mbam-log-2011-06-13 (22-12-40).txt

Scan type: Quick scan
Objects scanned: 156719
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YGRLPHtuvIU (Trojan.FakeAlert) -> Value: YGRLPHtuvIU -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\ygrlphtuviu.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\WPATubez\AppData\Roaming\defender.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\WPATubez\AppData\Local\Temp\ACC.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\WPATubez\AppData\Local\Temp\B981.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\WPATubez\AppData\Local\Temp\B9EE.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\WPATubez\AppData\Local\Temp\BB37.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\WPATubez\AppData\Local\Temp\C61F.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\WPATubez\AppData\Local\Temp\FF44.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\WPATubez\AppData\Local\Temp\FF45.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\WPATubez\AppData\Local\Temp\jar_cache4275385405240851218.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\WPATubez\AppData\Local\Temp\jar_cache476549852498425462.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\WPATubez\AppData\Local\Temp\jar_cache5861465725259641802.tmp (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\WPATubez\AppData\Local\Temp\tmpFE99.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\WPATubez\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

When I turned the laptop on (normally) I could see that there was a second copy of a virus that had not been quarantined/deleted by MBAM, so ran it again (in safe mode) doing a full scan (and making certain that all folders/files were viewable). This is the second/full scan log in safe mode:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6838

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

6/13/2011 11:36:12 PM
mbam-log-2011-06-13 (23-36-12).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 310260
Time elapsed: 55 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\WPATubez\msiexec.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

*******
Frankly, I still don't trust that the laptop is "clean" and await further instruction.

Edited by MadCityKaren, 14 June 2011 - 05:39 PM.

Those who danced were thought to be quite insane,
by those who do not hear the music ...


#2 MadCityKaren

Posted 16 June 2011 - 09:11 PM

About to post in the 'it's been three days' thread ...

I'm still having issues with Google redirect and ghost audio snippets ... ran GMER last night (log below) and got this message when it had completed its scan:
"GMER has found system modification caused by ROOTKIT activity".

TDSSKiller still will not execute either with running as an admin or renaming the file (either in normal or safe mode).


**************
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-15 20:26:30
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 WDC_WD3200BEVT-26ZCT0 rev.12.01A12
Running: kjn0jzk2.exe; Driver: C:\Users\WPATubez\AppData\Local\Temp\kwloikow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82C49569 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C6E092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8AB1B000, 0x3C849, 0xE8000020]
.dsrt C:\windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8AB60000, 0x3DC, 0x48000040]
.text C:\windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90C37000, 0x2D5526, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[668] kernel32.dll!LoadLibraryA 75852884 5 Bytes JMP 0105000A
.text C:\Program Files\Internet Explorer\iexplore.exe[668] kernel32.dll!LoadLibraryW 758528D2 5 Bytes JMP 0104000A
.text C:\Program Files\Internet Explorer\iexplore.exe[668] USER32.dll!CreateWindowExW 77150E51 5 Bytes JMP 6E358197 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[668] USER32.dll!DialogBoxIndirectParamW 77174AA7 5 Bytes JMP 6E47FED8 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[668] USER32.dll!DialogBoxParamW 7717564A 5 Bytes JMP 6E274BA7 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[668] USER32.dll!DialogBoxParamA 7718CF6A 5 Bytes JMP 6E47FE75 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[668] USER32.dll!DialogBoxIndirectParamA 7718D29C 5 Bytes JMP 6E47FF3B C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[668] USER32.dll!MessageBoxIndirectA 7719E8C9 5 Bytes JMP 6E47FE0A C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[668] USER32.dll!MessageBoxIndirectW 7719E9C3 5 Bytes JMP 6E47FD9F C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[668] USER32.dll!MessageBoxExA 7719EA29 5 Bytes JMP 6E47FD3D C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[668] USER32.dll!MessageBoxExW 7719EA4D 5 Bytes JMP 6E47FCDB C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[668] WININET.dll!HttpAddRequestHeadersA 75989ABA 5 Bytes JMP 00FE000A
.text C:\Program Files\Internet Explorer\iexplore.exe[668] WININET.dll!HttpOpenRequestA 759903FA 5 Bytes JMP 0101000A
.text C:\Program Files\Internet Explorer\iexplore.exe[668] WININET.dll!InternetConnectW 75990452 5 Bytes JMP 0102000A
.text C:\Program Files\Internet Explorer\iexplore.exe[668] WININET.dll!InternetConnectA 7599050F 5 Bytes JMP 0103000A
.text C:\Program Files\Internet Explorer\iexplore.exe[668] WININET.dll!HttpOpenRequestW 759905D3 5 Bytes JMP 0100000A
.text C:\Program Files\Internet Explorer\iexplore.exe[668] WININET.dll!HttpAddRequestHeadersW 75990848 5 Bytes JMP 00FF000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!CreateDialogParamW 77149BFF 5 Bytes JMP 6E2AC5A8 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!EnableWindow 7714A72E 5 Bytes JMP 6E2AC523 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!GetAsyncKeyState 7714C09A 5 Bytes JMP 6E26D6E9 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!UnhookWindowsHookEx 7714CC7B 5 Bytes JMP 6E3683A2 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!CallNextHookEx 7714CC8F 5 Bytes JMP 6E349D94 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!CreateWindowExW 77150E51 5 Bytes JMP 6E358197 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!SetWindowsHookExW 7715210A 5 Bytes JMP 6E30463B C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!GetKeyState 77154FDA 5 Bytes JMP 6E2AD79A C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!IsDialogMessageW 77156F06 5 Bytes JMP 6E274284 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!CreateDialogParamA 77163E79 5 Bytes JMP 6E480ACE C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!IsDialogMessage 7716407A 5 Bytes JMP 6E48036F C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!CreateDialogIndirectParamA 77169110 5 Bytes JMP 6E480B05 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!CreateDialogIndirectParamW 771708AD 5 Bytes JMP 6E480B3C C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!DialogBoxIndirectParamW 77174AA7 5 Bytes JMP 6E47FED8 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!EndDialog 7717555C 5 Bytes JMP 6E275AE9 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!DialogBoxParamW 7717564A 5 Bytes JMP 6E274BA7 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!SetKeyboardState 77176B52 5 Bytes JMP 6E4806D4 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!SendInput 77177055 5 Bytes JMP 6E481298 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!SetCursorPos 7718C1D8 5 Bytes JMP 6E4812F0 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!DialogBoxParamA 7718CF6A 5 Bytes JMP 6E47FE75 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!DialogBoxIndirectParamA 7718D29C 5 Bytes JMP 6E47FF3B C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!MessageBoxIndirectA 7719E8C9 5 Bytes JMP 6E47FE0A C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!MessageBoxIndirectW 7719E9C3 5 Bytes JMP 6E47FD9F C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!MessageBoxExA 7719EA29 5 Bytes JMP 6E47FD3D C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!MessageBoxExW 7719EA4D 5 Bytes JMP 6E47FCDB C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] USER32.dll!keybd_event 7719EC9B 5 Bytes JMP 6E481623 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] SHELL32.dll!SHChangeNotification_Lock + 45BA 75D4B440 4 Bytes [11, 36, EA, 72]
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] SHELL32.dll!SHChangeNotification_Lock + 45C2 75D4B448 8 Bytes JMP E973D072
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] ole32.dll!OleLoadFromStream 76E85BF6 5 Bytes JMP 6E48022B C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] ole32.dll!CoCreateInstance 76ED590C 5 Bytes JMP 6E358C85 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] WININET.dll!HttpAddRequestHeadersA 75989ABA 5 Bytes JMP 01F7000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] WININET.dll!HttpOpenRequestA 759903FA 5 Bytes JMP 01FA000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] WININET.dll!InternetConnectW 75990452 5 Bytes JMP 01FB000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] WININET.dll!InternetConnectA 7599050F 5 Bytes JMP 020C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] WININET.dll!HttpOpenRequestW 759905D3 5 Bytes JMP 01F9000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] WININET.dll!HttpAddRequestHeadersW 75990848 5 Bytes JMP 01F8000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] WS2_32.dll!closesocket 76DE3BED 5 Bytes JMP 0221000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] WS2_32.dll!recv 76DE47DF 5 Bytes JMP 021F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] WS2_32.dll!connect 76DE48BE 5 Bytes JMP 0220000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] WS2_32.dll!getaddrinfo 76DE6737 5 Bytes JMP 0224000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] WS2_32.dll!send 76DEC4C8 5 Bytes JMP 0222000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] WS2_32.dll!gethostbyname 76DF7133 5 Bytes JMP 0223000A
.text C:\Program Files\real\realplayer\Update\realsched.exe[3288] kernel32.dll!SetUnhandledExceptionFilter 75853162 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6BFA9DEB] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [6BFA9D64] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [6BFA9F05] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] [6BFA9E78] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)
IAT C:\Program Files\Common Files\aol\1263222819\ee\aolsoftware.exe[3104] @ C:\windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [6BFA9CDD] C:\Program Files\Common Files\AOL\AOLDiag\tbdiag.dll (AOL Diagnostics/AOL LLC)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 868AC1ED
Device \Driver\atapi \Device\Ide\IdePort0 868AC1ED

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:248] 868B0E7A
Thread System [4:252] 868B3008
---- Processes - GMER 1.0.15 ----

Library F:\kjn0jzk2.exe (*** hidden *** ) @ F:\kjn0jzk2.exe [4892] 0x00400000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@NewClientID 1210

---- Files - GMER 1.0.15 ----

File C:\Users\WPATubez\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OHQYX3W3\detect[1].act 2438 bytes
File C:\Users\WPATubez\AppData\Local\Temp\~DF236065177F907A17.TMP 0 bytes
File C:\Users\WPATubez\AppData\Local\Temp\~DF2C00E9E694B5D40D.TMP 0 bytes

---- EOF - GMER 1.0.15 ----
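Reading the "User code sections" part of a GMER log like the one above comes down to one question per line: does the 5-byte JMP land inside a module GMER could attribute to a file on disk, or in memory with no backing file? The IEFRAME.dll entries are Internet Explorer hooking its own process; entries such as `WININET.dll!HttpOpenRequestA ... JMP 0101000A` and `WS2_32.dll!connect ... JMP 0220000A` point into memory GMER could not attribute to any module, which is the pattern left by code injected into the browser and fits the redirect symptom. The script below is an added example, not part of the post and not a GMER feature: it parses a few lines copied from the log above and sorts the hooks that way. The sample input is constructed from those lines, and the classification names, the `NETWORK_MODULES` list and the `triage` helper are my own conventions, not GMER output.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: a handful of lines copied from the
# "User code sections" part of the GMER log posted in this thread.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[668] kernel32.dll!LoadLibraryA 75852884 5 Bytes JMP 0105000A
.text C:\Program Files\Internet Explorer\iexplore.exe[668] USER32.dll!CreateWindowExW 77150E51 5 Bytes JMP 6E358197 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[668] WININET.dll!HttpOpenRequestA 759903FA 5 Bytes JMP 0101000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] WS2_32.dll!connect 76DE48BE 5 Bytes JMP 0220000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] WS2_32.dll!getaddrinfo 76DE6737 5 Bytes JMP 0224000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2352] ole32.dll!CoCreateInstance 76ED590C 5 Bytes JMP 6E358C85 C:\windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\real\realplayer\Update\realsched.exe[3288] kernel32.dll!SetUnhandledExceptionFilter 75853162 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- User IAT/EAT - GMER 1.0.15 ----
"""

# .text <image>[<pid>] <module>!<symbol>[ + <offset>] <addr> <n> Bytes <detail>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<symbol>\S+(?:\s\+\s[0-9A-F]+)?)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<detail>.+)$"
)
# "JMP <target>" optionally followed by the owning module path and "(vendor)"
JMP_RE = re.compile(
    r"^JMP\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<owner>[^\s(][^(]*?))?"
    r"(?:\s+\((?P<vendor>[^)]*)\))?$"
)

# Modules whose exports handle name resolution, connection setup and HTTP
# requests; hooks here are the ones that could produce browser redirects.
NETWORK_MODULES = {"wininet.dll", "ws2_32.dll"}


@dataclass
class Hook:
    image: str
    pid: int
    module: str
    symbol: str
    address: int
    nbytes: int
    detail: str
    target: Optional[int] = None
    owner: Optional[str] = None

    @property
    def kind(self) -> str:
        """module_hook  - JMP lands in a module GMER attributed to a file on disk
        unbacked_jmp - JMP lands in memory with no backing file (injected code)
        byte_patch   - bytes rewritten in place rather than a JMP"""
        if self.target is None:
            return "byte_patch"
        return "module_hook" if self.owner else "unbacked_jmp"

    @property
    def touches_network(self) -> bool:
        return self.module.lower() in NETWORK_MODULES


def parse_hooks(text: str) -> list[Hook]:
    """Parse the .text hook lines of a GMER 'User code sections' block.
    Kernel-section and IAT lines do not carry '[pid]' and are skipped."""
    hooks: list[Hook] = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = Hook(image=m["image"], pid=int(m["pid"]), module=m["module"],
                 symbol=m["symbol"], address=int(m["addr"], 16),
                 nbytes=int(m["nbytes"]), detail=m["detail"])
        j = JMP_RE.match(h.detail)
        if j:
            h.target = int(j["target"], 16)
            h.owner = j["owner"]
        hooks.append(h)
    return hooks


def triage(text: str) -> dict:
    """Count hook kinds per process and list the hooks worth escalating."""
    hooks = parse_hooks(text)
    per_process: dict = defaultdict(lambda: defaultdict(int))
    for h in hooks:
        per_process[f"{h.image}[{h.pid}]"][h.kind] += 1
    suspicious = [h for h in hooks if h.kind == "unbacked_jmp"]
    return {
        "hooks": hooks,
        "per_process": {k: dict(v) for k, v in per_process.items()},
        "suspicious": suspicious,
        "network_hooked": [h for h in suspicious if h.touches_network],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for proc, counts in report["per_process"].items():
        print(proc, counts)
    for h in report["suspicious"]:
        flag = " [network API]" if h.touches_network else ""
        print(f"  {h.module}!{h.symbol} -> {h.target:08X} (no backing module){flag}")
```

To run it over a full GMER log, replace `SAMPLE_LOG` with the file contents; the parser ignores the kernel and IAT sections. The classification is a triage aid, not a verdict: an unattributed JMP target is the thing to escalate, while a hook attributed to a module can still be unwanted if that module is.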

#3 boopme


Posted 16 June 2011 - 09:26 PM

Hello. You do have a rootkit and will need special help to clear it.

We need a deeper look. Please go here:
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Include the GMER log you posted earlier.
Let me know if that went well.

#4 MadCityKaren


Posted 17 June 2011 - 12:03 AM

Thanks, boopme! Got the DDS file and GMER run and posted over yonder ... although I'm a little concerned that Windows did one of its "updates" as I logged my laptop off. (I did mention it in the new topic in the event that I'll need to re-run the logs or anything else.)

#5 Orange Blossom


Posted 17 June 2011 - 11:30 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic404321.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :cherry: