404 nginx redirect. Possible rootkit. Combofix unsuccessful, logs, please help


  • This topic is locked
2 replies to this topic

#1 RichardSchuitema
  • Members
  • 1 posts

Posted 18 February 2012 - 10:08 AM

Hi, my computer is being redirected to 404 nginx when attempting to connect to Google domains. Reset hosts file, ran ComboFix. No joy. Will post the GMER log; could someone take a look and see if you can help?

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Fraserburgh Golf at 15:02:36 on 2012-02-18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1262 [GMT 0:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\Twain_32\Samsung\CLX3170\Scan2pc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\LibreOffice 3.5\program\soffice.exe
C:\Program Files\LibreOffice 3.5\program\soffice.bin
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://uk.yahoo.com/
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [3170 Scan2PC] "c:\windows\twain_32\samsung\clx3170\Scan2pc.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [TomcatStartup 2.5] c:\program files\hewlett-packard\toolbox\hpbpsttp.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: SmarThru4 Capture Selection - c:\program files\smarthru 4\WebCapture.dll2.htm
IE: SmarThru4 Save as HTML - c:\program files\smarthru 4\WebCapture.dll1.htm
IE: SmarThru4 Save Selected Text - c:\program files\smarthru 4\WebCapture.dll.htm
IE: SmarThru4 Web Capture - c:\program files\smarthru 4\WebCapture.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174996390593
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{E1EFB210-D8B6-4D10-B930-98096EA980BB} : DhcpNameServer = 192.168.0.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 cpuz132;cpuz132;\??\c:\docume~1\fraser~1\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\fraser~1\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 HPPLSBULK;HPPLSBULK;c:\windows\system32\drivers\hpplsbulk.sys [2005-2-2 9344]
.
=============== Created Last 30 ================
.
2012-02-18 14:28:31 6557240 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8e8252c8-7e9a-4d0e-bc65-21af6fe222a1}\mpengine.dll
2012-02-18 14:10:33 -------- d-sha-r- C:\cmdcons
2012-02-17 15:44:27 -------- d-----w- c:\documents and settings\fraserburgh golf\application data\LibreOffice
2012-02-17 15:34:23 -------- d-----w- c:\program files\LibreOffice 3.5
2012-02-17 15:19:05 -------- d-----w- c:\program files\Microsoft Security Client
2012-02-17 14:53:49 208896 ----a-w- c:\windows\MBR.exe
2012-02-17 14:53:48 98816 ----a-w- c:\windows\sed.exe
2012-02-17 14:53:48 518144 ----a-w- c:\windows\SWREG.exe
2012-02-17 14:53:48 256000 ----a-w- c:\windows\PEV.exe
2012-02-16 15:29:19 -------- d-----w- c:\program files\CCleaner
2012-02-15 13:56:52 -------- d-----w- c:\documents and settings\fraserburgh golf\local settings\application data\NPE
2012-02-15 13:56:52 -------- d-----w- c:\documents and settings\all users\application data\Norton
2012-02-15 12:56:16 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2012-02-15 12:54:43 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2012-02-15 12:50:09 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2012-02-14 22:53:14 3072 ------w- c:\windows\system32\iacenc.dll
2012-02-14 22:53:14 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-02-14 22:53:07 6557240 ----a-w- c:\documents and settings\all users\application data\microsoft\windows defender\definition updates\{61b7b306-a5dd-4416-bed4-de4dcdb4bf11}\mpengine.dll
.
==================== Find3M ====================
.
2012-01-27 00:21:24 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
2011-12-17 19:46:36 916992 ----a-w- c:\windows\system32\wininet.dll
2011-12-17 19:46:36 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46:36 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22:58 385024 ----a-w- c:\windows\system32\html.iec
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 15:03:04.87 ===============

GMER log


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-17 18:01:06
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3160812AS rev.3.ADH
Running: gmer.exe; Driver: C:\DOCUME~1\FRASER~1\LOCALS~1\Temp\pwddapod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text atapi.sys B9F21852 1 Byte [CC] {INT 3 }
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9324360, 0x21235D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1540] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1868] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2228] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Fraserburgh Golf\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device A6AB7D20

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:116] 8A43C39F
Thread System [4:300] 8A3EF0F4

---- EOF - GMER 1.0.15 ----



Thanks!

Edited by boopme, 18 February 2012 - 09:37 PM.
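As an added example (not part of this thread or of GMER), a small Python triage helper that parses `.text` hook entries in the format GMER printed above and groups the hooked functions per process, so the reader can see at a glance which processes carry hooks on which NT APIs. The line format is inferred from the log itself rather than taken from GMER documentation, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# One GMER user-mode hook entry, as seen in the posted log (format inferred, not documented):
#   .text <process path>[<pid>] <module>!<function> + <hex offset> <address> <n> Byte(s) <detail>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<func>\w+)\s+\+\s+(?P<offset>[0-9A-Fa-f]+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+(?P<detail>.+)$"
)

def parse_gmer_hooks(text):
    """Return one dict per '.text' hook line; section headers and other lines are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["size"] = int(h["size"])
        # 'CALL xxxxxxxx' means execution is diverted to that address; a bracketed
        # list is just the patched bytes GMER found at the hooked location.
        call = re.match(r"CALL\s+([0-9A-Fa-f]{8})", h["detail"])
        h["target"] = call.group(1) if call else None
        hooks.append(h)
    return hooks

def summarize(hooks):
    """Group hooked module!function names by (image name, pid)."""
    by_proc = defaultdict(set)
    for h in hooks:
        image = h["proc"].rsplit("\\", 1)[-1]
        by_proc[(image, h["pid"])].add(f'{h["module"]}!{h["func"]}')
    return {k: sorted(v) for k, v in by_proc.items()}

def call_targets(hooks):
    """Distinct addresses that hooks divert to; these are what an analyst attributes to a module."""
    return sorted({h["target"] for h in hooks if h["target"]})

# Constructed sample in the same layout as the log above (paths and pids are made up).
SAMPLE = r"""
.text C:\Program Files\Google\Chrome\chrome.exe[2920] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Program Files\Google\Chrome\chrome.exe[2920] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\chrome.exe[2920] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Program Files\Example\example.exe[1234] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes CALL 7B90EC0A

---- Devices - GMER 1.0.15 ----
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
"""

if __name__ == "__main__":
    for proc, funcs in summarize(parse_gmer_hooks(SAMPLE)).items():
        print(proc, funcs)
```

Inline hooks on ntdll inside a sandboxed browser process are commonly placed there by the browser's own sandbox, so the grouping is a starting point for comparing processes against each other, not a verdict on its own.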


#2 sempai (noypi)

  • Malware Response Team
  • 5,288 posts
  • Gender: Male
  • Location: 3 stars and a sun

Posted 19 February 2012 - 09:00 AM

Hello RichardSchuitema and welcome to BC.

Can you please post the resulting log of Combofix, located at C:\Combofix.txt?


You should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for general public or personal use. Combofix was never meant to be used as a general purpose malware scanner like SuperAntispyware or Malwarebytes' Anti-Malware. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

~Semp

You can help me continue the fight against malware by making a donation, Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) 


#3 sempai (noypi)

  • Malware Response Team
  • 5,288 posts
  • Gender: Male
  • Location: 3 stars and a sun

Posted 23 February 2012 - 11:02 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

~Semp

