Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Google Redirect and Additional Banner Ads

  • Please log in to reply
8 replies to this topic

#1 Nathan Redgrave

Nathan Redgrave

  • Members
  • 6 posts
  • Local time:02:13 AM

Posted 07 August 2011 - 05:00 AM

This is my problem. My family computer, which runs Windows Vista Home Premium (32-bit) with Service Pack 2, recently caught a bout of malware. The two most visible problems are a Google-redirect thing and additional banner ads that appear on certain sites--in my experience, those "certain sites" are YouTube and Facebook. I know they don't belong because they're always in the same places, such as directly ABOVE the banner ad that YouTube already has in the first place. This is particularly vexing on Facebook, as the ads actually cause slowdown while I'm browsing (Facebook was REALLY hit hard by this banner-ad issue).

Unfortunately I don't know exactly what methods my mother's attempted as far as removing these problems goes. I myself have run scans with Norton, Malwarebytes' Antimalware, and Spybot Search & Destroy. All three have picked up problems, but none have actually solved it. Most recently, Malwarebytes picked up a series of Trojan.Tracur things, and I removed them--this seems to have shut the Google-redirect problem up for the moment, but I have a feeling it'll be back. The ad problem is still here.

Another odd symptom I've noticed is that sometimes, hotlinks that open into new tabs or windows open a new tab or window and then give me a generic error message telling me that Internet Explorer isn't working properly (your basic "This tab is frozen" message). It doesn't crash the whole browser, it just forces me to close out the tab or window in question. This only started happening regularly when these problems started, so I believe it's connected.

BC AdBot (Login to Remove)


#2 jntkwx


  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:02:13 AM

Posted 07 August 2011 - 10:57 AM

Hi Nathan Redgrave,

:welcome: to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screename jntkwx or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please do not attach logs or put logs in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.


:step1: Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer Log Errors
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go . Please put code boxes around just this entire log, like this, but without the letter x: [xcode] MiniToolBox log [/xcode]

:step2: Rerun Malwarebytes
Open Malwarebytes, click on the Update tab, and click the check for Updates button.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If you have trouble updating, troubleshoot Malwarebytes' Anti-Malware

:step3: Superantisypware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE (copy and paste that website address) and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others checked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Home" button to leave the control center screen.
  • Back on the main screen, under "Select Scan Type" click Complete Scan.
  • On the left, make sure you check C:\.
  • Click Start Complete Scan > Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a USB drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

:step4: Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

In your next reply, please include:
  • MiniToolBox log
  • Malwarebytes log
  • SUPERAntiSpyware log
  • GMER log
  • How's the computer running now?



Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif

#3 Nathan Redgrave

Nathan Redgrave
  • Topic Starter

  • Members
  • 6 posts
  • Local time:02:13 AM

Posted 08 August 2011 - 02:28 AM

Unfortunately, I don't have that GMER log for you. I attempted two scans with GMER, the second of which was in Safe Mode, and in both cases, GMER froze (the only error message that appeared was a generic Windows "this program has stopped working" message). Attempting to re-open and start a new scan caused bluescreen crashes in both cases.

As for the other three, here are the logs. Malwarebytes didn't pick up anything; SUPERAntiSpyware's scan was considerably more eventful. However, the ad problem is still at large on YouTube and Facebook. The last couple of reboots have seen Windows taking a bit more time than usual to wrap up its startup stuff, although it runs just as well as ever once it's finished.

MiniToolBox by Farbar 
Ran by Navarra (administrator) on 08-08-2011 at 00:02:57
Windows Vista (TM) Home Premium Service Pack 2 (X86)


========================= IE Proxy Settings: ============================== 

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================

::1             localhost       localhost

========================= IP Configuration: ================================

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4

set global icmpredirects=enabled

# End of IPv4 configuration

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Navarra-PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Belkin

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : Belkin
   Description . . . . . . . . . . . : Realtek RTL8168C/8111C Family PCI-E Gigabit Ethernet NIC (NDIS 6.0)
   Physical Address. . . . . . . . . : 00-1F-C6-4B-B8-B1
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::ec90:a771:d596:e27f%10(Preferred) 
   IPv4 Address. . . . . . . . . . . : 
   Subnet Mask . . . . . . . . . . . :
   Lease Obtained. . . . . . . . . . : Sunday, August 07, 2011 8:04:41 AM
   Lease Expires . . . . . . . . . . : Thursday, September 14, 2147 6:31:14 AM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 251666060
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-0F-9B-71-AC-00-1F-C6-4B-B8-B1
   DNS Servers . . . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : isatap.hsd1.nj.comcast.net.
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 15:

   Media State . . . . . . . . . . . : Media disconnected


Malwarebytes' Anti-Malware

Database version: 7405

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19088

8/8/2011 12:11:40 AM
mbam-log-2011-08-08 (00-11-40).txt

Scan type: Quick scan
Objects scanned: 164554
Time elapsed: 5 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


SUPERAntiSpyware Scan Log

Generated 08/08/2011 at 01:38 AM

Application Version : 5.0.1108

Core Rules Database Version : 7524
Trace Rules Database Version: 5336

Scan type : Complete Scan
Total Scan Time : 01:19:35

Operating System Information
Windows Vista Home Premium 32-bit, Service Pack 2 (Build 6.00.6002)
UAC On - Limited User (Administrator User)

Memory items scanned : 807
Memory threats detected : 1
Registry items scanned : 38052
Registry threats detected : 55
File items scanned : 63054
File threats detected : 145

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8DAAA30-6CAA-4b58-9603-8E54238219E2}

PUP.StartNow Toolbar
C:\Program Files\StartNow Toolbar\Resources\images\btn-msn.png
C:\Program Files\StartNow Toolbar\Resources\images\chevronButton.png
C:\Program Files\StartNow Toolbar\Resources\images\engine_images.png
C:\Program Files\StartNow Toolbar\Resources\images\engine_maps.png
C:\Program Files\StartNow Toolbar\Resources\images\engine_news.png
C:\Program Files\StartNow Toolbar\Resources\images\engine_videos.png
C:\Program Files\StartNow Toolbar\Resources\images\engine_web.png
C:\Program Files\StartNow Toolbar\Resources\images\icon_amazon.png
C:\Program Files\StartNow Toolbar\Resources\images\icon_ebay.png
C:\Program Files\StartNow Toolbar\Resources\images\icon_facebook.png
C:\Program Files\StartNow Toolbar\Resources\images\icon_games.png
C:\Program Files\StartNow Toolbar\Resources\images\icon_shopping.png
C:\Program Files\StartNow Toolbar\Resources\images\icon_travel.png
C:\Program Files\StartNow Toolbar\Resources\images\icon_twitter.png
C:\Program Files\StartNow Toolbar\Resources\images\separator.png
C:\Program Files\StartNow Toolbar\Resources\images\splitter.png
C:\Program Files\StartNow Toolbar\Resources\images\startnow_logo.png
C:\Program Files\StartNow Toolbar\Resources\images
C:\Program Files\StartNow Toolbar\Resources\installer.xml
C:\Program Files\StartNow Toolbar\Resources\protect\index.html
C:\Program Files\StartNow Toolbar\Resources\protect\NotIE6.css
C:\Program Files\StartNow Toolbar\Resources\protect\OnlyIE6.css
C:\Program Files\StartNow Toolbar\Resources\protect\SearchProtectIcon.png
C:\Program Files\StartNow Toolbar\Resources\protect\window.css
C:\Program Files\StartNow Toolbar\Resources\protect\window.js
C:\Program Files\StartNow Toolbar\Resources\protect
C:\Program Files\StartNow Toolbar\Resources\reactivate\index.html
C:\Program Files\StartNow Toolbar\Resources\reactivate\LeftImage.png
C:\Program Files\StartNow Toolbar\Resources\reactivate\NotIE6.css
C:\Program Files\StartNow Toolbar\Resources\reactivate\OnlyIE6.css
C:\Program Files\StartNow Toolbar\Resources\reactivate\window.css
C:\Program Files\StartNow Toolbar\Resources\reactivate\window.js
C:\Program Files\StartNow Toolbar\Resources\reactivate
C:\Program Files\StartNow Toolbar\Resources\searchbox\dropdown_button_normal.png
C:\Program Files\StartNow Toolbar\Resources\searchbox\searchbox_button_hover.png
C:\Program Files\StartNow Toolbar\Resources\searchbox\searchbox_button_normal.png
C:\Program Files\StartNow Toolbar\Resources\searchbox\searchbox_input_left.png
C:\Program Files\StartNow Toolbar\Resources\searchbox\searchbox_input_middle.png
C:\Program Files\StartNow Toolbar\Resources\searchbox
C:\Program Files\StartNow Toolbar\Resources\toolbar.xml
C:\Program Files\StartNow Toolbar\Resources\toolbarbutton\hover_c.png
C:\Program Files\StartNow Toolbar\Resources\toolbarbutton\hover_l.png
C:\Program Files\StartNow Toolbar\Resources\toolbarbutton\hover_r.png
C:\Program Files\StartNow Toolbar\Resources\toolbarbutton\normal_c.png
C:\Program Files\StartNow Toolbar\Resources\toolbarbutton\normal_l.png
C:\Program Files\StartNow Toolbar\Resources\toolbarbutton\normal_r.png
C:\Program Files\StartNow Toolbar\Resources\toolbarbutton
C:\Program Files\StartNow Toolbar\Resources\update.xml
C:\Program Files\StartNow Toolbar\Resources
C:\Program Files\StartNow Toolbar\StartNowToolbarUninstall.exe
C:\Program Files\StartNow Toolbar\Toolbar32.dll
C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
C:\Program Files\StartNow Toolbar\uninstall.dat
C:\Program Files\StartNow Toolbar
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6E13D095-45C3-4271-9475-F3B48227DD9F}

C:\Program Files\SELECTREBATES\FFToolbar\chrome\sahtoolbar.jar
C:\Program Files\SELECTREBATES\FFToolbar\chrome
C:\Program Files\SELECTREBATES\FFToolbar\chrome.manifest
C:\Program Files\SELECTREBATES\FFToolbar\defaults\preferences\sahtoolbar.js
C:\Program Files\SELECTREBATES\FFToolbar\defaults\preferences
C:\Program Files\SELECTREBATES\FFToolbar\defaults
C:\Program Files\SELECTREBATES\FFToolbar\install.rdf
C:\Program Files\SELECTREBATES\FFToolbar
C:\Program Files\SELECTREBATES\SahImages\alert.png
C:\Program Files\SELECTREBATES\SahImages\check.png
C:\Program Files\SELECTREBATES\SahImages\close.png
C:\Program Files\SELECTREBATES\SahImages
C:\Program Files\SELECTREBATES\SelectAlerts.dat
C:\Program Files\SELECTREBATES\SelectRebates.exe
C:\Program Files\SELECTREBATES\SelectRebates.ini
C:\Program Files\SELECTREBATES\SelectRebatesA.dat
C:\Program Files\SELECTREBATES\SelectRebatesApi.exe
C:\Program Files\SELECTREBATES\SelectRebatesB.dat
C:\Program Files\SELECTREBATES\SelectRebatesBT.dat
C:\Program Files\SELECTREBATES\SelectRebatesDownload.exe
C:\Program Files\SELECTREBATES\SelectRebatesH.dat
C:\Program Files\SELECTREBATES\SelectRebatesUninstall.exe
C:\Program Files\SELECTREBATES\SRebates.dll
C:\Program Files\SELECTREBATES\SRFF3.dll
C:\Program Files\SELECTREBATES\Toolbar\AddtoList.bmp
C:\Program Files\SELECTREBATES\Toolbar\basis.xml
C:\Program Files\SELECTREBATES\Toolbar\Basis.xml.dym
C:\Program Files\SELECTREBATES\Toolbar\Blank.bmp
C:\Program Files\SELECTREBATES\Toolbar\Cache
C:\Program Files\SELECTREBATES\Toolbar\CashBack.bmp
C:\Program Files\SELECTREBATES\Toolbar\Coupons.bmp
C:\Program Files\SELECTREBATES\Toolbar\GroceryCoupon.bmp
C:\Program Files\SELECTREBATES\Toolbar\icons.bmp
C:\Program Files\SELECTREBATES\Toolbar\ImageCache
C:\Program Files\SELECTREBATES\Toolbar\i_magnifying.bmp
C:\Program Files\SELECTREBATES\Toolbar\logo.bmp
C:\Program Files\SELECTREBATES\Toolbar\logo_24.bmp
C:\Program Files\SELECTREBATES\Toolbar\logo_HotSpots.bmp
C:\Program Files\SELECTREBATES\Toolbar\ReviewSite.bmp
C:\Program Files\SELECTREBATES\Toolbar\RightControls.dym
C:\Program Files\SELECTREBATES\Toolbar\sahtb-alert.bmp
C:\Program Files\SELECTREBATES\Toolbar\sahtb-go.bmp
C:\Program Files\SELECTREBATES\Toolbar\sahtb-grocerycoupons.bmp
C:\Program Files\SELECTREBATES\Toolbar\sahtb-icons.bmp
C:\Program Files\SELECTREBATES\Toolbar\sahtb-restaurant.bmp
C:\Program Files\SELECTREBATES\Toolbar\sahtb-wishlist.bmp
C:\Program Files\SELECTREBATES\Toolbar\Scissors.bmp
C:\Program Files\SELECTREBATES\Toolbar\ShopAtHomeToolbar.dll
C:\Program Files\SELECTREBATES\Toolbar


Adware.Tracking Cookie

#4 Nathan Redgrave

Nathan Redgrave
  • Topic Starter

  • Members
  • 6 posts
  • Local time:02:13 AM

Posted 10 August 2011 - 10:59 PM

And boy, do I feel silly right now. I forgot to jot down that little step about unchecking "Devices" in GMER if it wouldn't run. This solved the freezing/bluescreening problem. Oddly, after the GMER scan... I visited YouTube and Facebook to find that the extra ads were no longer present. Also, the hotlinking problem that caused links that open in new tabs or windows to immediately freeze is no longer here.

Mind you, I turned on the computer after a five-hour nap and beelined directly to this forum, noticed my mistake, and ran GMER right away, so it's also possible that one of this computer's other users did something else to clear up the problem and I just never noticed. However, I don't think it likely.

The problem appears solved, and the Google Redirect issue hadn't resurfaced at any point, either, so I'll actually be surprised if the adware comes back.

EDIT: I noticed another improvement. While the adware problem persisted, my browser couldn't hold a log-in after closing to save its life; I would constantly have to re-log-in to the sites I frequent, even if the "keep me logged in" box was checked. Now, the computer keeps me logged in even through a reboot.

In any event, here is the GMER log, which I honestly can't make heads-or-tails of. I'll request additional aid if any problems resurface after this.

GMER - http://www.gmer.net
Rootkit scan 2011-08-10 23:46:59
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.12.0
Running: 2oiqezsw.exe; Driver: C:\Users\Navarra\AppData\Local\Temp\kxliyfow.sys

---- System - GMER 1.0.15 ----

SSDT 88A0E110 ZwAlertResumeThread
SSDT 88389AF0 ZwAlertThread
SSDT 88C8E838 ZwAllocateVirtualMemory
SSDT 88247190 ZwAlpcConnectPort
SSDT 88A48048 ZwAssignProcessToJobObject
SSDT 88CA8738 ZwCreateMutant
SSDT 88CCD0D0 ZwCreateSymbolicLinkObject
SSDT 88C8C2D0 ZwCreateThread
SSDT 88A05120 ZwDebugActiveProcess
SSDT 88C8EA50 ZwDuplicateObject
SSDT 88C8D6F0 ZwFreeVirtualMemory
SSDT 889F0068 ZwImpersonateAnonymousToken
SSDT 88A16110 ZwImpersonateThread
SSDT 88226430 ZwLoadDriver
SSDT 88C8D590 ZwMapViewOfSection
SSDT 889F6068 ZwOpenEvent
SSDT 88C8EC70 ZwOpenProcess
SSDT 8833C110 ZwOpenProcessToken
SSDT 88A3B068 ZwOpenSection
SSDT 88C8EB60 ZwOpenThread
SSDT 88CCDC80 ZwProtectVirtualMemory
SSDT 8838BCF0 ZwResumeThread
SSDT 8834A110 ZwSetContextThread
SSDT 88C8FA00 ZwSetInformationProcess
SSDT 889C3118 ZwSetSystemInformation
SSDT 889CF108 ZwSuspendProcess
SSDT 88386068 ZwSuspendThread
SSDT 88339068 ZwTerminateProcess
SSDT 88350120 ZwTerminateThread
SSDT 88348F00 ZwUnmapViewOfSection
SSDT 88C8DD80 ZwWriteVirtualMemory
SSDT 88CCD520 ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 822B88A0 8 Bytes [10, E1, A0, 88, F0, 9A, 38, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 822B88B4 4 Bytes CALL E9AF1181
.text ntkrnlpa.exe!KeSetEvent + 13D 822B88C0 4 Bytes [90, 71, 24, 88]
.text ntkrnlpa.exe!KeSetEvent + 191 822B8914 4 Bytes [48, 80, A4, 88]
.text ntkrnlpa.exe!KeSetEvent + 1F5 822B8978 4 Bytes [38, 87, CA, 88]
.text ...

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@

---- EOF - GMER 1.0.15 ----

Edited by Nathan Redgrave, 11 August 2011 - 05:17 AM.

#5 jntkwx


  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:02:13 AM

Posted 11 August 2011 - 08:48 AM

Hi Nathan,

Looking good. :thumbup2:

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image
      icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.



Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif

#6 Nathan Redgrave

Nathan Redgrave
  • Topic Starter

  • Members
  • 6 posts
  • Local time:02:13 AM

Posted 12 August 2011 - 11:39 AM

Right, so I've done that. The list is below.

C:\Users\Navarra\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\362b70b1-579feca0 a variant of Java/Exploit.Agent.NAL trojan cleaned by deleting - quarantined
C:\Users\Navarra\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\54c48478-79f92e9d a variant of Java/Exploit.Agent.NAL trojan cleaned by deleting - quarantined
C:\Users\Navarra\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\57\68a1fab9-3ea2a1c9 a variant of Java/Exploit.Agent.NAL trojan cleaned by deleting - quarantined
C:\Users\Navarra\Documents\FrostWire\Incomplete\T-5165565-spider man 2 top #1 hit.au a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Users\Navarra\Documents\FrostWire\Incomplete\T-5167668-cheech&chong the new unreleased single.au a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Users\Navarra\Documents\FrostWire\Incomplete\T-5545150-eternty dreams come true.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Users\Navarra\Documents\FrostWire\Incomplete\T-5561366-love sensation 911.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Users\Navarra\Documents\FrostWire\Incomplete\T-5576196-eternty dreams come true.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Users\Navarra\Documents\FrostWire\Incomplete\T-5862878-oh susanna acoustic.au a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Users\Navarra\Documents\FrostWire\Incomplete\T-5974753-rise of vlkyries new single.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\C00.php a variant of Java/TrojanDownloader.OpenStream.NAZ trojan deleted - quarantined

#7 Elise


    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,575 posts
  • Gender:Female
  • Location:Romania
  • Local time:09:13 AM

Posted 12 August 2011 - 12:25 PM

Hi, Jason is currently unavailable, so I'm taking over this topic. Do you have any problem left?

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


Malware analyst @ Emsisoft



#8 Nathan Redgrave

Nathan Redgrave
  • Topic Starter

  • Members
  • 6 posts
  • Local time:02:13 AM

Posted 12 August 2011 - 01:26 PM

Hi, Jason is currently unavailable, so I'm taking over this topic. Do you have any problem left?

None that I'm aware of, although I'm keeping an eye out. The Google redirect issue never resurfaced once after the SUPERAntiSpyware scan, and the adware and hotlink problems are still nowhere to be seen. Does anything on that last list mean anything I should know about?

#9 Elise


    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,575 posts
  • Gender:Female
  • Location:Romania
  • Local time:09:13 AM

Posted 12 August 2011 - 02:43 PM

No, all that looks normal. :)

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Hiding Hidden Files
Please set your system to hide all hidden files.
  • Click Start, open My Computer, select the Tools menu and click Folder Options.
  • Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
  • Check: Hide file extensions for known file types
  • Check the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
Purging System Restore Points
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
Please read these advices, in order to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."


Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome


Malware analyst @ Emsisoft



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users