redirects and browser crashes


This topic is locked
17 replies to this topic

#1 manmountain8

manmountain8

  • Members
  • 43 posts

Posted 21 September 2011 - 01:40 PM

Earlier this summer I removed a nasty Rootkit Trojan and afterwards IE no longer worked, so I downloaded Firefox. It worked fine for a while but then it started redirecting Google searches occasionally. If I hit the back button and tried it again it worked every time. Then it started redirecting every search and would not go to the right website no matter how many times I tried. I can just copy and paste the link into the address bar though and that works fine. Then Firefox started crashing randomly. All it says is that Firefox has crashed and it asks me if I want to report it to Mozilla. It does seem random for the most part but certain websites will cause it to crash immediately every time. Malwarebytes does not find anything and SuperAntiSpyware only found some tracking cookies. Unfortunately I am running Server 2003 so I cannot run Combofix. Any ideas?

Edited by manmountain8, 21 September 2011 - 01:42 PM.



#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,911 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 21 September 2011 - 09:35 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 manmountain8

manmountain8
  • Topic Starter

  • Members
  • 43 posts

Posted 22 September 2011 - 11:54 AM

Thanks, but DDS does not support my operating system. I have most of the tools mentioned on Bleeping on a portable hard drive and I've been removing viruses from friends' computers for years. I do not have GMER though and am not sure if that runs on Windows Server 2003. This is just one computer that I have which happens to have Server 2003. I don't have any discs for a better operating system so that's just the way it is.

#4 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,627 posts
  • Gender:Male

Posted 26 September 2011 - 01:45 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/419892 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 manmountain8

manmountain8
  • Topic Starter

  • Members
  • 43 posts

Posted 27 September 2011 - 06:55 PM

I cannot run DDS but I have a GMER log here. It did say it found changes caused by rootkit activity. Malwarebytes and SuperAntiSpyware do not find anything.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-27 16:43:21
Windows 5.2.3790 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17 ST380011A rev.3.04
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ugpcaaow.sys


---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ZwResumeThread 8093BB98 1 Byte [CC] {INT 3 }
.text atapi.sys F73898E6 1 Byte [CC] {INT 3 }

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] kernel32.dll!CreateProcessInternalW 77E6D146 5 Bytes JMP 00144663
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!DialogBoxParamW 773896A9 5 Bytes JMP 40C9F4D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!MessageBoxExW 7739EE4A 5 Bytes JMP 40E12703 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!DialogBoxIndirectParamW 773A6296 5 Bytes JMP 40E127F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!MessageBoxExA 773C42AD 5 Bytes JMP 40E1273D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!DialogBoxParamA 773CA0AF 5 Bytes JMP 40E127BB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!DialogBoxIndirectParamA 773CA172 5 Bytes JMP 40E12831 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!MessageBoxIndirectA 773D7D40 5 Bytes JMP 40E12777 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!MessageBoxIndirectW 773D7E30 5 Bytes JMP 40CC178A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] ole32.dll!OleLoadFromStream 776A0122 5 Bytes JMP 40E129F3 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] ws2_32.dll!WSASend 71C02430 5 Bytes JMP 7FF91B07
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] ws2_32.dll!send 71C02EC2 5 Bytes JMP 7FF91AD9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] ws2_32.dll!recv 71C02F7F 5 Bytes JMP 7FF9196B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] ws2_32.dll!WSARecv 71C09480 5 Bytes JMP 7FF91A15
.text C:\WINDOWS\system32\svchost.exe[664] kernel32.dll!CreateProcessInternalW 77E6D146 5 Bytes JMP 0026463B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1128] kernel32.dll!CreateProcessInternalW 77E6D146 5 Bytes JMP 00144663
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1128] USER32.dll!DialogBoxParamW 773896A9 5 Bytes JMP 40C9F4D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1128] USER32.dll!MessageBoxExW 7739EE4A 5 Bytes JMP 40E12703 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1128] USER32.dll!DialogBoxIndirectParamW 773A6296 5 Bytes JMP 40E127F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1128] USER32.dll!MessageBoxExA 773C42AD 5 Bytes JMP 40E1273D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1128] USER32.dll!DialogBoxParamA 773CA0AF 5 Bytes JMP 40E127BB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1128] USER32.dll!DialogBoxIndirectParamA 773CA172 5 Bytes JMP 40E12831 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1128] USER32.dll!MessageBoxIndirectA 773D7D40 5 Bytes JMP 40E12777 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1128] USER32.dll!MessageBoxIndirectW 773D7E30 5 Bytes JMP 40CC178A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1128] ole32.dll!OleLoadFromStream 776A0122 5 Bytes JMP 40E129F3 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1128] ws2_32.dll!WSASend 71C02430 5 Bytes JMP 7FF91B07
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1128] ws2_32.dll!send 71C02EC2 5 Bytes JMP 7FF91AD9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1128] ws2_32.dll!recv 71C02F7F 5 Bytes JMP 7FF9196B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1128] ws2_32.dll!WSARecv 71C09480 5 Bytes JMP 7FF91A15
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1660] kernel32.dll!CreateProcessInternalW 77E6D146 5 Bytes JMP 00144663
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1660] USER32.dll!DialogBoxParamW 773896A9 5 Bytes JMP 40C9F4D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1660] USER32.dll!MessageBoxExW 7739EE4A 5 Bytes JMP 40E12703 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1660] USER32.dll!DialogBoxIndirectParamW 773A6296 5 Bytes JMP 40E127F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1660] USER32.dll!MessageBoxExA 773C42AD 5 Bytes JMP 40E1273D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1660] USER32.dll!DialogBoxParamA 773CA0AF 5 Bytes JMP 40E127BB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1660] USER32.dll!DialogBoxIndirectParamA 773CA172 5 Bytes JMP 40E12831 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1660] USER32.dll!MessageBoxIndirectA 773D7D40 5 Bytes JMP 40E12777 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1660] USER32.dll!MessageBoxIndirectW 773D7E30 5 Bytes JMP 40CC178A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1660] ole32.dll!OleLoadFromStream 776A0122 5 Bytes JMP 40E129F3 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1660] ws2_32.dll!WSASend 71C02430 5 Bytes JMP 7FF91B07
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1660] ws2_32.dll!send 71C02EC2 5 Bytes JMP 7FF91AD9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1660] ws2_32.dll!recv 71C02F7F 5 Bytes JMP 7FF9196B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1660] ws2_32.dll!WSARecv 71C09480 5 Bytes JMP 7FF91A15
.text C:\WINDOWS\Explorer.EXE[2968] Explorer.EXE 010148A4 12 Bytes [8B, FF, 55, 8B, EC, 83, EC, ...] {MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; SUB ESP, 0x44; PUSH ESI; PUSH EDI; PUSH 0x10}
.text C:\WINDOWS\Explorer.EXE[2968] Explorer.EXE 010148B1 22 Bytes CALL 010100F1 C:\WINDOWS\Explorer.EXE (Windows Explorer/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[2968] Explorer.EXE 010148C8 13 Bytes [15, 90, 10, 00, 01, 50, E8, ...] {ADC EAX, 0x1001090; PUSH EAX; CALL 0x6d; PUSH 0x10}
.text C:\WINDOWS\Explorer.EXE[2968] Explorer.EXE 010148D6 15 Bytes [F0, 59, 33, C0, 8D, 7D, C0, ...]
.text C:\WINDOWS\Explorer.EXE[2968] kernel32.dll!CreateProcessInternalW 77E6D146 5 Bytes JMP 00A3463B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] kernel32.dll!CreateProcessInternalW 77E6D146 5 Bytes JMP 00144663
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!DialogBoxParamW 773896A9 5 Bytes JMP 40C9F4D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!MessageBoxExW 7739EE4A 5 Bytes JMP 40E12703 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!DialogBoxIndirectParamW 773A6296 5 Bytes JMP 40E127F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!MessageBoxExA 773C42AD 5 Bytes JMP 40E1273D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!DialogBoxParamA 773CA0AF 5 Bytes JMP 40E127BB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!DialogBoxIndirectParamA 773CA172 5 Bytes JMP 40E12831 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!MessageBoxIndirectA 773D7D40 5 Bytes JMP 40E12777 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] USER32.dll!MessageBoxIndirectW 773D7E30 5 Bytes JMP 40CC178A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ole32.dll!OleLoadFromStream 776A0122 5 Bytes JMP 40E129F3 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ws2_32.dll!WSASend 71C02430 5 Bytes JMP 7FF91B07
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ws2_32.dll!send 71C02EC2 5 Bytes JMP 7FF91AD9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ws2_32.dll!recv 71C02F7F 5 Bytes JMP 7FF9196B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3304] ws2_32.dll!WSARecv 71C09480 5 Bytes JMP 7FF91A15
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3404] kernel32.dll!CreateProcessInternalW 77E6D146 5 Bytes JMP 00144663
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3404] USER32.dll!DialogBoxParamW 773896A9 5 Bytes JMP 40C9F4D9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3404] USER32.dll!MessageBoxExW 7739EE4A 5 Bytes JMP 40E12703 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3404] USER32.dll!DialogBoxIndirectParamW 773A6296 5 Bytes JMP 40E127F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3404] USER32.dll!MessageBoxExA 773C42AD 5 Bytes JMP 40E1273D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3404] USER32.dll!DialogBoxParamA 773CA0AF 5 Bytes JMP 40E127BB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3404] USER32.dll!DialogBoxIndirectParamA 773CA172 5 Bytes JMP 40E12831 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3404] USER32.dll!MessageBoxIndirectA 773D7D40 5 Bytes JMP 40E12777 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3404] USER32.dll!MessageBoxIndirectW 773D7E30 5 Bytes JMP 40CC178A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3404] ole32.dll!OleLoadFromStream 776A0122 5 Bytes JMP 40E129F3 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3404] ws2_32.dll!WSASend 71C02430 5 Bytes JMP 7FF91B07
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3404] ws2_32.dll!send 71C02EC2 5 Bytes JMP 7FF91AD9
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3404] ws2_32.dll!recv 71C02F7F 5 Bytes JMP 7FF9196B
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3404] ws2_32.dll!WSARecv 71C09480 5 Bytes JMP 7FF91A15

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs Dfs.sys (Distributed File System Filter Driver/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:228] 85E190F9
Thread System [4:392] 85976B90

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [MANUAL] 1253179630 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\1253179630@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\1253179630@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\1253179630@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\1253179630@DisplayName Virtual Bus for Microsoft ACPI-Compliant System
Reg HKLM\SYSTEM\ControlSet002\Services\1253179630@Start 3
Reg HKLM\SYSTEM\ControlSet002\Services\1253179630@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\1253179630@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\Services\1253179630@DisplayName Virtual Bus for Microsoft ACPI-Compliant System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability@LastAliveUptime 38791

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB1687$\3002223514 0 bytes
File C:\WINDOWS\$NtUninstallKB1687$\3002223514\click.tlb 2144 bytes
File C:\WINDOWS\$NtUninstallKB1687$\3002223514\L 0 bytes
File C:\WINDOWS\$NtUninstallKB1687$\3002223514\L\gkrdahga 60928 bytes
File C:\WINDOWS\$NtUninstallKB1687$\3002223514\loader.tlb 2540 bytes
File C:\WINDOWS\$NtUninstallKB1687$\3002223514\U 0 bytes
File C:\WINDOWS\$NtUninstallKB1687$\3002223514\U\@00000001 48064 bytes
File C:\WINDOWS\$NtUninstallKB1687$\3002223514\U\@000000c0 2560 bytes
File C:\WINDOWS\$NtUninstallKB1687$\3002223514\U\@000000cb 2048 bytes
File C:\WINDOWS\$NtUninstallKB1687$\3002223514\U\@000000cf 1536 bytes
File C:\WINDOWS\$NtUninstallKB1687$\3002223514\U\@80000000 24576 bytes
File C:\WINDOWS\$NtUninstallKB1687$\3002223514\U\@800000c0 33280 bytes
File C:\WINDOWS\$NtUninstallKB1687$\3002223514\U\@800000cb 27648 bytes
File C:\WINDOWS\$NtUninstallKB1687$\3002223514\U\@800000cf 27648 bytes
File C:\WINDOWS\$NtUninstallKB1687$\3002223514\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6} 2048 bytes
File C:\WINDOWS\$NtUninstallKB1687$\535178469 0 bytes

---- EOF - GMER 1.0.15 ----
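
The log above is the key evidence in this thread: inline JMP hooks on ws2_32.dll send/recv/WSASend/WSARecv in every IEXPLORE.EXE process that point at addresses no named module owns (compare the USER32 hooks, which GMER attributes to IEFRAME.dll), a hidden service, and files under an $NtUninstall folder with a purely numeric name. As an added illustration, not code from the thread or from GMER, here is a small Python triage script that parses lines in this log's format and flags exactly those three patterns. The sample lines are copied from the log above; the severity rules and the numeric-folder heuristic are my own assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Line shapes from GMER's "User code sections", "Services" and "Files" sections.
# Hook line: ".text <process>[<pid>] <module>!<func> <addr> <n> Bytes JMP <target> [<owner path> (<vendor>)]"
HOOK_RE = re.compile(
    r"^\.text (?P<process>.+?\[(?P<pid>\d+)\]) (?P<module>[^!\s]+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-F]+) (?P<size>\d+) Bytes JMP (?P<target>[0-9A-F]+)"
    r"(?: (?P<owner>.+?) \((?P<vendor>[^)]*)\))?$"
)
HIDDEN_SVC_RE = re.compile(r"^Service \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)")
FILE_RE = re.compile(r"^File (?P<path>.+) (?P<size>\d+) bytes$")
# Heuristic chosen for this log (assumption): a purely numeric folder directly under an $NtUninstall...$ directory.
NUMERIC_NTUNINSTALL_RE = re.compile(r"\\\$NtUninstall[^\\]*\$\\\d+(\\|$)")

# Hooks on these modules are the ones that can divert or rewrite browser traffic (assumed list).
NETWORK_MODULES = {"ws2_32.dll", "wininet.dll", "winhttp.dll", "dnsapi.dll"}


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    category: str   # "unattributed-hook", "hidden-service", "suspicious-file"
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Scan GMER log text and return the entries worth a human's attention."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            # GMER names the module that owns the JMP target when it can (e.g. IEFRAME.dll
            # for IE's own dialog hooks). A hook with no owner lands in anonymous memory.
            if m.group("owner"):
                continue
            sev = "high" if m.group("module").lower() in NETWORK_MODULES else "medium"
            findings.append(Finding(sev, "unattributed-hook",
                f"{m.group('process')} {m.group('module')}!{m.group('func')} -> {m.group('target')}"))
            continue
        m = HIDDEN_SVC_RE.match(line)
        if m:
            findings.append(Finding("high", "hidden-service",
                f"{m.group('name')} (start={m.group('start')})"))
            continue
        m = FILE_RE.match(line)
        if m and NUMERIC_NTUNINSTALL_RE.search(m.group("path")):
            findings.append(Finding("medium", "suspicious-file", m.group("path")))
    return findings


# Constructed sample: a handful of lines copied verbatim from the log posted above.
SAMPLE_LOG = "\n".join([
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] USER32.dll!MessageBoxExW 7739EE4A 5 Bytes JMP 40E12703 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)",
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] ws2_32.dll!WSASend 71C02430 5 Bytes JMP 7FF91B07",
    r".text C:\Program Files\Internet Explorer\IEXPLORE.EXE[316] ws2_32.dll!recv 71C02F7F 5 Bytes JMP 7FF9196B",
    r".text C:\WINDOWS\system32\svchost.exe[664] kernel32.dll!CreateProcessInternalW 77E6D146 5 Bytes JMP 0026463B",
    r"Service (*** hidden *** ) [MANUAL] 1253179630 <-- ROOTKIT !!!",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\1253179630@DisplayName Virtual Bus for Microsoft ACPI-Compliant System",
    r"File C:\WINDOWS\$NtUninstallKB1687$\3002223514\loader.tlb 2540 bytes",
])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.category:18} {f.detail}")
```

Run against the full log, the script reports the four ws2_32 hooks per IEXPLORE.EXE process as high, the CreateProcessInternalW hooks as medium, and the hidden service 1253179630 as high.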

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 September 2011 - 11:21 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 manmountain8

manmountain8
  • Topic Starter

  • Members
  • 43 posts

Posted 28 September 2011 - 10:27 AM

Ughhh, I already wrote my description at the top and said that I am running Server 2003. Combofix and DDS do not support my operating system.

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 September 2011 - 11:37 AM

Hello


Well, we may be in a lot of trouble then. I am not sure which of our tools will work on this OS. And as you say you don't have the disks for it either.


I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#9 manmountain8

manmountain8
  • Topic Starter

  • Members
  • 43 posts

Posted 30 September 2011 - 12:19 PM

Yeah, I know. Thanks anyway. I already ran TDSSKiller a while back too. Now the OS will not load at all due to mismatched .dll kernels. Ughhh, computers are more trouble than they are worth.

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 September 2011 - 12:41 PM

Hello


If you do get it to run again, you may try this, as I have had some luck with it.

Please download Kaspersky Virus Removal Tool and SAVE it to your desktop

  • Right-click and run as admin (XP: please double-click to run)
  • Select language
  • Click on Next
  • Accept the license agreement
  • Select location and click on Next
  • In Autoscan make sure the first three boxes are checked and the box next to the C:/ drive
  • Click on Start scan
  • When complete click on Report
  • In the three drop-down boxes choose Autoscan - Do not group and Important events
  • Click on Save and save to desktop
  • Copy and paste this report in your next post


Gringo

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 October 2011 - 01:18 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • Do you still need help with this?
  • Do you need more time?
  • Are you having problems following my instructions?
  • If after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo

#12 manmountain8

manmountain8
  • Topic Starter

  • Members
  • 43 posts

Posted 03 October 2011 - 03:28 PM

Hey, I responded a few days ago but that post is gone now. Hmmm??? The OS will no longer load now. It has mismatched .dll kernels. Microsoft says it happens when you try to reload SP1 over an old one. Since I did not do that I can only assume it has a new infection that corrupted those .dll files. They say to replace 2 .dll files from SP1 but I don't know how to do that when I can't even load the OS in safe mode. Is there a way to boot from a service pack disc or something? How can you replace files when you can't load the computer?

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 October 2011 - 06:50 PM

Hello

If you know which files, then this can be of use.


Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Remove the USB drive and CD and insert them in the sick computer
  • Boot the sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2... usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1?)
  • Confirm that you see the driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished, a report will be located on your USB drive named report.txt
  • Remove the USB drive, insert it back in your working computer and navigate to report.txt

Please note - all text entries are case sensitive.
Copy and paste the report.txt for my review.

#14 manmountain8

manmountain8
  • Topic Starter

  • Members
  • 43 posts

Posted 04 October 2011 - 04:41 PM

Ok thanks, I appreciate your help. I'll give that a try as soon as I get a chance. It might be a few days before I can respond as I don't have my own computer right now. Please keep my topic open until I get a chance. Thanks...

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 October 2011 - 08:45 PM

I will leave it open


gringo



