Firefox and Explorer won't load!


5 replies to this topic

#1 she_stangs
  • Members
  • 10 posts

Posted 29 June 2011 - 12:24 PM

I had the Windows 7 2012 malware and I followed the directions to get rid of it. It seems to be gone, but now I can't open Internet Explorer or Firefox when I click on the desktop icon or from the Start menu. Sometimes if I reboot my computer it will open, but the internet runs really slow, and if I restart my computer again the problem recurs. I cleared all the history and cookies to see if that helped, but it did not. This is a work computer, so it is of the utmost importance to get this fixed ASAP. Any advice on how I can prevent this from happening in the future would be much appreciated as well.

Thanks in advance for your help.

#2 techextreme
    Bleepin Tech
  • BC Advisor
  • 2,125 posts
  • Gender:Male
  • Location:Pittsburgh, PA

Posted 29 June 2011 - 01:10 PM

Hi she_stangs,

I'm wondering if this is the Guide you followed.

If it is, can you please post the resulting log from Malwarebytes.

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#3 she_stangs
  • Topic Starter
  • Members
  • 10 posts

Posted 29 June 2011 - 01:21 PM

Yes, those were the instructions I followed. I have scanned twice since then, and below are the logs from both scans.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6930

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/23/2011 2:52:14 PM
mbam-log-2011-06-23 (14-52-14).txt

Scan type: Full scan (C:\|G:\|)
Objects scanned: 349708
Time elapsed: 2 hour(s), 30 minute(s), 5 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
c:\Windows\Temp\Um0.exe (Trojan.FraudPack.Gen) -> 7396 -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4ECYTQ9SIC (Trojan.FraudPack.Gen) -> Value: 4ECYTQ9SIC -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Temp\Um0.exe (Trojan.FraudPack.Gen) -> Delete on reboot.
c:\Windows\Temp\Um1.exe (Trojan.FraudPack.Gen) -> Delete on reboot.
c:\Windows\System32\config\systemprofile\AppData\Roaming\gog.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Temp\8AC3.tmp (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\Windows\Temp\8AC4.tmp (Trojan.FakeMS) -> Quarantined and deleted successfully.
c:\Windows\Temp\blqkjv\setup.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Temp\R66v.exe (Exploit.Drop.1) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Roaming\microsoft\conhost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\application data\gog.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\Temp\0.9708568346135056.exe (Exploit.Drop.2) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\0.3909913342097928.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.



2nd Scan

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6930

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/24/2011 2:25:40 PM
mbam-log-2011-06-24 (14-25-40).txt

Scan type: Full scan (C:\|G:\|)
Objects scanned: 345985
Time elapsed: 1 hour(s), 50 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\config\systemprofile\AppData\Local\rih.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.


After I did that, I updated Adobe and Windows, and that is when the internet started acting strange.

Thanks

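The two logs above are in the plain-text format written by Malwarebytes' Anti-Malware 1.50.x. Two details in the first log are easy to miss when skimming the headline counts: two entries were not actually removed at scan time ("Failed to unload process" and "Delete on reboot"), and two of the removed items were persistence mechanisms rather than payloads (a Run value under HKEY_USERS\.DEFAULT and .job files under C:\Windows\Tasks). The script below is an added example for this thread, not code from Malwarebytes or from anyone in the discussion. It parses a constructed excerpt shaped like the logs above and reports exactly those two things. The section names, the " -> " separator and the status phrases are taken from the logs as posted; the persistence heuristics are this example's own and cover only Run keys and legacy .job tasks.

```python
"""Parse a Malwarebytes' Anti-Malware 1.50.x text log and flag what still
needs attention.  Added example for this thread, not Malwarebytes code."""
import re

# Constructed excerpt modelled on the logs posted above (same format, fewer lines).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6930

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

Scan type: Full scan (C:\|G:\|)
Objects scanned: 349708

Memory Processes Infected: 1
Files Infected: 3

Memory Processes Infected:
c:\Windows\Temp\Um0.exe (Trojan.FraudPack.Gen) -> 7396 -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4ECYTQ9SIC (Trojan.FraudPack.Gen) -> Value: 4ECYTQ9SIC -> Quarantined and deleted successfully.

Files Infected:
c:\Windows\Temp\Um0.exe (Trojan.FraudPack.Gen) -> Delete on reboot.
c:\Windows\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Windows\System32\config\systemprofile\AppData\Local\rih.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<detection name>) -> <detail> -> ... -> <status>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[\w.\-]+)\)(?: -> (?P<rest>.+))?$")

# Heuristics of this example (not Malwarebytes categories): paths that mean
# "this entry made something run again at logon/boot".
PERSISTENCE_HINTS = (
    "\\currentversion\\run",  # Run/RunOnce autostart values in any hive
    "\\windows\\tasks\\",     # legacy scheduled-task .job files
)


def classify(status):
    """Map the trailing status phrase of a detection line to an outcome."""
    s = status.lower()
    if s.startswith("quarantined and deleted"):
        return "removed"
    if "reboot" in s:
        return "pending_reboot"   # still on disk until the machine restarts
    if s.startswith("failed"):
        return "failed"           # e.g. a running process MBAM could not kill
    return "other"


def is_persistence(item):
    low = item.lower()
    return any(hint in low for hint in PERSISTENCE_HINTS)


def parse_mbam_log(text):
    """Return one dict per detection line: section, item, name, status, detail."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):          # "Files Infected:" opens a section
            section = line[:-1]
            continue
        if not section or not line or line.startswith("(No malicious"):
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        rest = m.group("rest") or ""
        parts = [p.strip() for p in rest.split("->")] if rest else []
        findings.append({
            "section": section,
            "item": m.group("item"),
            "name": m.group("name"),
            "status": parts[-1].rstrip(".") if parts else "",
            "detail": parts[:-1],               # e.g. a PID or "Value: ..." fragment
        })
    return findings


def summarize(findings):
    """Counts by outcome, plus the entries a responder must follow up on."""
    counts = {}
    for f in findings:
        outcome = classify(f["status"])
        counts[outcome] = counts.get(outcome, 0) + 1
    return {
        "counts": counts,
        "unresolved": [f["item"] for f in findings if classify(f["status"]) != "removed"],
        "persistence": [f["item"] for f in findings if is_persistence(f["item"])],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the real first log, the "unresolved" list is what justifies the second scan: anything marked "Delete on reboot" or "Failed to unload process" is still present until the reboot succeeds, and a re-scan is the only way to confirm it is gone. The "persistence" list tells you which autostart locations were touched, so you know where to look again if symptoms return.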
#4 techextreme
    Bleepin Tech
  • BC Advisor
  • 2,125 posts
  • Gender:Male
  • Location:Pittsburgh, PA

Posted 01 July 2011 - 07:29 AM

Hi again she_stangs,

The Malwarebytes logs look pretty good as far as what was removed. But you're still having trouble with IE and Firefox, so let's dig a little deeper.

Please download GMER from one of the following locations and save it to your desktop:

* Main Mirror
This version will download a randomly named file (Recommended)
* Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

* Disconnect from the Internet and close all running programs.
* Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
* Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
* Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

* GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
* If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
* Now click the Scan button. If you see a rootkit warning window, click OK.
* When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
* Click the Copy button and paste the results into your next reply.
* Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 


#5 she_stangs
  • Topic Starter
  • Members
  • 10 posts

Posted 05 July 2011 - 02:50 PM

Here is the gmer log

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-05 12:47:09
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3250318AS rev.CC45
Running: gmer.exe; Driver: C:\Users\matt\AppData\Local\Temp\ufldypob.sys


---- System - GMER 1.0.15 ----

SSDT 88366100 ZwCreateKey
SSDT 88367440 ZwCreateMutant
SSDT 88365340 ZwCreateProcess
SSDT 88365600 ZwCreateProcessEx
SSDT 88366F60 ZwCreateThread
SSDT 88367100 ZwCreateThreadEx
SSDT 883658C0 ZwCreateUserProcess
SSDT 88366680 ZwDeleteKey
SSDT 88366940 ZwDeleteValueKey
SSDT 883672A0 ZwLoadDriver
SSDT 88365B80 ZwOpenProcess
SSDT 883675E0 ZwSetSystemInformation
SSDT 883663C0 ZwSetValueKey
SSDT 88365E40 ZwTerminateProcess
SSDT 88366DC0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 83297569 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 832BC092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 308 832C3918 4 Bytes [00, 61, 36, 88]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 832C3928 4 Bytes [40, 74, 36, 88]
.text ntkrnlpa.exe!RtlSidHashLookup + 32C 832C393C 8 Bytes [40, 53, 36, 88, 00, 56, 36, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 34C 832C395C 8 Bytes [60, 6F, 36, 88, 00, 71, 36, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 364 832C3974 4 Bytes [C0, 58, 36, 88] {RCR BYTE [EAX+0x36], 0x88}
.text ...

---- User code sections - GMER 1.0.15 ----

.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1268] ntdll.dll!NtProtectVirtualMemory 771351C0 5 Bytes JMP 0066000A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1268] ntdll.dll!NtWriteVirtualMemory 77135D40 5 Bytes JMP 0067000A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1268] ntdll.dll!KiUserExceptionDispatcher 77136298 5 Bytes JMP 0040000A
.text C:\Windows\Explorer.EXE[2596] ntdll.dll!NtProtectVirtualMemory 771351C0 5 Bytes JMP 0023000A
.text C:\Windows\Explorer.EXE[2596] ntdll.dll!NtWriteVirtualMemory 77135D40 5 Bytes JMP 0024000A
.text C:\Windows\Explorer.EXE[2596] ntdll.dll!KiUserExceptionDispatcher 77136298 5 Bytes JMP 0022000A
.text C:\Windows\system32\svchost.exe[3296] ntdll.dll!NtProtectVirtualMemory 771351C0 5 Bytes JMP 0025000A
.text C:\Windows\system32\svchost.exe[3296] ntdll.dll!NtWriteVirtualMemory 77135D40 5 Bytes JMP 0026000A
.text C:\Windows\system32\svchost.exe[3296] ntdll.dll!KiUserExceptionDispatcher 77136298 5 Bytes JMP 0024000A
.text C:\Windows\system32\svchost.exe[3296] ole32.dll!CoCreateInstance 76A9590C 5 Bytes JMP 00AF000A
.text C:\Windows\system32\svchost.exe[3296] USER32.dll!GetCursorPos 7725C198 5 Bytes JMP 00B0000A
.text C:\Windows\system32\svchost.exe[3296] USER32.dll!GetForegroundWindow 7726565D 5 Bytes JMP 00EF000A
.text C:\Windows\system32\svchost.exe[3296] USER32.dll!WindowFromPoint 77286D0C 5 Bytes JMP 00B1000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2596] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73E92494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2596] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73E75624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2596] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73E756E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2596] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73E9250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2596] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73E88573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2596] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73E84D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2596] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73E850CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2596] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73E851A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2596] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73E866D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2596] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73E882CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2596] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73E88819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2596] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73E8907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2596] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73E8E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2596] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73E84C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

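The decisive line in the GMER log is "Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found": the remaining infection is not a file but replaced code in the disk's boot sector, a category that the Malwarebytes log sections above (memory, registry, folders, files) do not cover. The Python script below is an added example for this thread, not code from GMER or from anyone in the discussion. It shows the checks a responder runs on the first 512 bytes of a disk image, or on the MBR after it has been rewritten: boot signature, partition table, bootstrap code hashed against a trusted baseline, and the number of unpartitioned sectors after the last partition. All bytes, the partition layout and the "known good" hash are constructed for the example; in practice the baseline is the 440 bytes of bootstrap code from a trusted MBR of the same Windows build, and the sector must come from an image or an offline read, because a read made through a kernel with a live MBR rootkit in it is not trustworthy.

```python
"""Sanity-check an MBR sector the way you would after GMER reports MBR rootkit
code: boot signature, partition table, and bootstrap code against a trusted
baseline.  Added example for this thread; every byte below is constructed."""
import hashlib
import struct

SECTOR = 512

# Constructed "clean" bootstrap code: a few plausible opening bytes, zero-padded.
# A real baseline is the 440 bytes from a trusted MBR of the same Windows build.
CLEAN_BOOTCODE = bytes.fromhex("33c08ed0bc007c8ec08ed8").ljust(440, b"\x00")
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_BOOTCODE).hexdigest()

# Constructed "tampered" variant: the first bytes replaced by a short jump.
TAMPERED_BOOTCODE = b"\xeb\x58\x90" + CLEAN_BOOTCODE[3:]

# Constructed layout: (boot flag, type, start LBA, sector count) on a 250 GB-class disk.
PARTITIONS = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 488190320)]
DISK_SECTORS = 488397168


def build_mbr(bootcode, partitions):
    """Assemble a 512-byte MBR (helper for the example; real data comes from the disk)."""
    if len(bootcode) > 440 or len(partitions) > 4:
        raise ValueError("bootcode is at most 440 bytes, partitions at most 4")
    mbr = bytearray(SECTOR)
    mbr[:len(bootcode)] = bootcode
    for i, (boot, ptype, lba, size) in enumerate(partitions):
        off = 446 + 16 * i
        mbr[off] = boot
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, lba, size)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(sector):
    """Split an MBR into bootstrap code, partition entries and the 0x55AA signature."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        boot, ptype = sector[off], sector[off + 4]
        lba, size = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:                          # type 0 is an empty slot
            partitions.append({"index": i, "bootable": boot == 0x80,
                               "type": ptype, "start_lba": lba, "sectors": size})
    return {"signature_ok": sector[510:512] == b"\x55\xaa",
            "bootcode": sector[:440], "partitions": partitions}


def check_mbr(sector, known_good_sha256, disk_sectors):
    """Return {'issues': [...], 'unallocated_tail': n}.

    The tail is reported, not judged: a few unallocated sectors after the last
    partition are normal, but TDL4 is known to keep its hidden file system in
    that space (background knowledge, not something the GMER log states), so a
    large tail is worth imaging and inspecting."""
    info = parse_mbr(sector)
    issues = []
    if not info["signature_ok"]:
        issues.append("missing 0x55AA boot signature")
    if hashlib.sha256(info["bootcode"]).hexdigest() != known_good_sha256:
        issues.append("bootstrap code differs from known-good baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        issues.append("no partition flagged active")
    last_end = max((p["start_lba"] + p["sectors"] for p in info["partitions"]), default=0)
    return {"issues": issues, "unallocated_tail": max(disk_sectors - last_end, 0)}


if __name__ == "__main__":
    for label, code in (("clean", CLEAN_BOOTCODE), ("tampered", TAMPERED_BOOTCODE)):
        print(label, check_mbr(build_mbr(code, PARTITIONS), KNOWN_GOOD_SHA256, DISK_SECTORS))
```

The hash comparison is the useful part: the 440 bytes of bootstrap code are identical across installs of the same Windows build, so a single trusted copy lets you confirm that a repair tool actually restored the MBR rather than leaving the rootkit's loader in place. The partition table should be byte-for-byte unchanged before and after the repair; if it is not, stop and image the disk before doing anything else.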
#6 techextreme
    Bleepin Tech
  • BC Advisor
  • 2,125 posts
  • Gender:Male
  • Location:Pittsburgh, PA

Posted 06 July 2011 - 07:10 AM

Hi she_stangs,

I have a bit of information I need to give you first regarding what was found on your computer.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised, and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.

Now, to clean your computer, I'm going to point you to the How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller guide. Please read through and follow the directions posted in this guide and post the results here when you have completed.

Edited by techextreme, 06 July 2011 - 07:11 AM.

Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

 




