Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit removal


  • Please log in to reply
10 replies to this topic

#1 Farmboy60

Farmboy60

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:14 AM

Posted 23 August 2011 - 12:00 PM

Hi,

I'm a novice user who is trying to remove a rootkit from my system.
I'm running Windows Vista and Internet Explorer

I updated my Malawarebytes, AVG, and CC cleaner, I've tried and deleted AVAST, Panda, Adaware and Superspy sweeper.

After combing the forums for a few days I've tried TDSSkiller, Gmer and Hijack this. TDSSkiller did not find anything, Gmer was not able to run completely before it was shut down (this has happened multiple times and always when it starts scanning devices). I understand that I am not able to post my log for Hijack this in this forum.

I would appreciate any assistance you could provide

BC AdBot (Login to Remove)

 


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:01:14 AM

Posted 23 August 2011 - 12:05 PM

Hello.

Try the GMER scan again. This time, uncheck Devices.

Post the resultant log for me.

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 Farmboy60

Farmboy60
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:14 AM

Posted 23 August 2011 - 02:09 PM

Hi Blade,

As requested, this is where we are so far.


MER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-23 15:08:10
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3360320AS rev.3.CHN
Running: rt60ln90.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\pwloapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xADA4C7A0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xADA4C848]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xADA4C8E4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xADA4C980]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 3F1 824E2B74 4 Bytes [A0, C7, A4, AD]
.text ntkrnlpa.exe!KeSetEvent + 621 824E2DA4 8 Bytes [48, C8, A4, AD, E4, C8, A4, ...]
.text ntkrnlpa.exe!KeSetEvent + 681 824E2E04 4 Bytes [80, C9, A4, AD] {OR CL, 0xa4; LODSD }
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xADA08300, 0x3ACC8, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xADA63300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!EnableWindow 756ECD8B 5 Bytes JMP 6B1798BC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!DialogBoxParamW 757110B0 5 Bytes JMP 6B0D15E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!DialogBoxIndirectParamW 75712EF5 5 Bytes JMP 6B2C5E8E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!DialogBoxParamA 75728152 5 Bytes JMP 6B2C5E29 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!DialogBoxIndirectParamA 7572847D 5 Bytes JMP 6B2C5EF3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!MessageBoxIndirectA 7573D4D9 5 Bytes JMP 6B2C5DB0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!MessageBoxIndirectW 7573D5D3 5 Bytes JMP 6B2C5D37 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!MessageBoxExA 7573D639 5 Bytes JMP 6B2C5CD3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!MessageBoxExW 7573D65D 5 Bytes JMP 6B2C5C6F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] kernel32.dll!CreateThread 7547CB2E 5 Bytes JMP 6B1371CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!SetWindowsHookExW 756E87AD 5 Bytes JMP 6B17204C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!CallNextHookEx 756E8E3B 5 Bytes JMP 6B197A4F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!UnhookWindowsHookEx 756E98DB 5 Bytes JMP 6B1BEA08 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!EnableWindow 756ECD8B 5 Bytes JMP 6B1798BC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DefWindowProcA 756EDB88 7 Bytes JMP 6B1393F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!CreateWindowExA 756EDC2A 2 Bytes JMP 6B143223 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!CreateWindowExA + 3 756EDC2D 2 Bytes [A5, F5] {MOVSD ; CMC }
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!CreateWindowExW 756F1305 5 Bytes JMP 6B19FE2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DefWindowProcW 757003B4 7 Bytes JMP 6B197AB2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DialogBoxParamW 757110B0 5 Bytes JMP 6B0D15E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DialogBoxIndirectParamW 75712EF5 5 Bytes JMP 6B2C5E8E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DialogBoxParamA 75728152 5 Bytes JMP 6B2C5E29 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DialogBoxIndirectParamA 7572847D 5 Bytes JMP 6B2C5EF3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!MessageBoxIndirectA 7573D4D9 5 Bytes JMP 6B2C5DB0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!MessageBoxIndirectW 7573D5D3 5 Bytes JMP 6B2C5D37 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!MessageBoxExA 7573D639 5 Bytes JMP 6B2C5CD3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!MessageBoxExW 7573D65D 5 Bytes JMP 6B2C5C6F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] ole32.dll!OleLoadFromStream 767B1E80 5 Bytes JMP 6B2C6676 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73957817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [739AA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7395BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7394F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [739575E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7394E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73988395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7395DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7394FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7394FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [739471CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [739DCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7397C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7394D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73946853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7394687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73952AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:01:14 AM

Posted 23 August 2011 - 03:49 PM

Hi.

That log is incomplete. . . did GMER finish running?

Before we go on why do you believe there is a rootkit on your system? Should have asked this first.

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#5 Farmboy60

Farmboy60
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:14 AM

Posted 23 August 2011 - 07:30 PM

Hey Blade took a little longer than expected. Why rootkit? Not sure what else could be. i've run 4 virus programs and 3 spyware/malware and everything is clean but i still am unable to access Google and you tube. I use to be redirected to other sites and now I can't access the sites at all.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-23 20:18:23
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3360320AS rev.3.CHN
Running: rt60ln90.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\pwloapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xADA4C7A0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xADA4C848]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xADA4C8E4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xADA4C980]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 3F1 824E2B74 4 Bytes [A0, C7, A4, AD]
.text ntkrnlpa.exe!KeSetEvent + 621 824E2DA4 8 Bytes [48, C8, A4, AD, E4, C8, A4, ...]
.text ntkrnlpa.exe!KeSetEvent + 681 824E2E04 4 Bytes [80, C9, A4, AD] {OR CL, 0xa4; LODSD }
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xADA08300, 0x3ACC8, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xADA63300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!EnableWindow 756ECD8B 5 Bytes JMP 6B1798BC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!DialogBoxParamW 757110B0 5 Bytes JMP 6B0D15E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!DialogBoxIndirectParamW 75712EF5 5 Bytes JMP 6B2C5E8E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!DialogBoxParamA 75728152 5 Bytes JMP 6B2C5E29 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!DialogBoxIndirectParamA 7572847D 5 Bytes JMP 6B2C5EF3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!MessageBoxIndirectA 7573D4D9 5 Bytes JMP 6B2C5DB0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!MessageBoxIndirectW 7573D5D3 5 Bytes JMP 6B2C5D37 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!MessageBoxExA 7573D639 5 Bytes JMP 6B2C5CD3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5168] USER32.dll!MessageBoxExW 7573D65D 5 Bytes JMP 6B2C5C6F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] kernel32.dll!CreateThread 7547CB2E 5 Bytes JMP 6B1371CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!SetWindowsHookExW 756E87AD 5 Bytes JMP 6B17204C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!CallNextHookEx 756E8E3B 5 Bytes JMP 6B197A4F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!UnhookWindowsHookEx 756E98DB 5 Bytes JMP 6B1BEA08 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!EnableWindow 756ECD8B 5 Bytes JMP 6B1798BC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DefWindowProcA 756EDB88 7 Bytes JMP 6B1393F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!CreateWindowExA 756EDC2A 2 Bytes JMP 6B143223 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!CreateWindowExA + 3 756EDC2D 2 Bytes [A5, F5] {MOVSD ; CMC }
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!CreateWindowExW 756F1305 5 Bytes JMP 6B19FE2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DefWindowProcW 757003B4 7 Bytes JMP 6B197AB2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DialogBoxParamW 757110B0 5 Bytes JMP 6B0D15E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DialogBoxIndirectParamW 75712EF5 5 Bytes JMP 6B2C5E8E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DialogBoxParamA 75728152 5 Bytes JMP 6B2C5E29 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!DialogBoxIndirectParamA 7572847D 5 Bytes JMP 6B2C5EF3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!MessageBoxIndirectA 7573D4D9 5 Bytes JMP 6B2C5DB0 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!MessageBoxIndirectW 7573D5D3 5 Bytes JMP 6B2C5D37 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!MessageBoxExA 7573D639 5 Bytes JMP 6B2C5CD3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] USER32.dll!MessageBoxExW 7573D65D 5 Bytes JMP 6B2C5C6F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5544] ole32.dll!OleLoadFromStream 767B1E80 5 Bytes JMP 6B2C6676 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73957817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [739AA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7395BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7394F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [739575E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7394E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73988395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7395DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7394FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7394FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [739471CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [739DCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7397C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7394D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73946853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7394687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3384] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73952AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#6 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:01:14 AM

Posted 23 August 2011 - 07:50 PM

Hello.

Which security programs have you run? You mention a total of 7

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#7 Farmboy60

Farmboy60
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:14 AM

Posted 24 August 2011 - 05:39 AM

Malawarebytes, Avira, AVG, Avast, Panda Cloud, Superspy sweeper, Ad aware

#8 Farmboy60

Farmboy60
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:14 AM

Posted 24 August 2011 - 05:41 AM

Also cc cleaner

#9 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:01:14 AM

Posted 24 August 2011 - 08:07 AM

Hello.

Try this for me.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

~Blade


In your next reply, please include the following:
TDSSKiller Log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#10 Farmboy60

Farmboy60
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:14 AM

Posted 26 August 2011 - 06:32 AM

TDSS Scan found nothing

#11 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:01:14 AM

Posted 26 August 2011 - 05:04 PM

Hello,

It appears that the issues on your system will require a more in-depth examination than can be performed in this forum. Please read the information in this guide, and follow all the steps beginning with step 6. After you have followed the steps in that guide, I would like you to start a new thread HERE and include a link to this thread.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. The MRT is very busy, so it could be several days (3-5 days is the average wait right now) before you receive a reply. But rest assured, help is on the way!

~Blade

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users