Google Redirect Virus + IRP Hook


This topic is locked
43 replies to this topic

#1 Heavily Armed Pixie

Posted 24 July 2012 - 02:28 PM

Both Malware Bytes and AVG pick up viruses on my desktop computer. A browser hijacker and "(UNKOWN) IRP hook \Driver\atapi DriverStartIo -> 0x8ADCA2E2"

When I try to repair/remove them, they obviously don't disappear, and continue to show up on consecutive scans.

Can I get some assistance, please?


Operating System:
Win XP
Antivirus Software:
AVG Pro


#2 Orange Blossom (OBleepin Investigator, Moderator)

Posted 24 July 2012 - 04:24 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 Heavily Armed Pixie (Topic Starter)

Posted 25 July 2012 - 11:13 AM

Your post states to reply to this log, but the guide you gave me said to open a new request. I'm going to go ahead and assume you really meant to just reply to this one, so here are the results of the scans:

GMER LOG was too big to attach and obviously too big to put in as a paste. Please advise.

Attached Files: dds.txt (13.21KB, 3 downloads)

Edited by Heavily Armed Pixie, 25 July 2012 - 11:16 AM.


#4 HelpBot (Bleepin' Binary Bot)

Posted 29 July 2012 - 02:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/462278 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 Heavily Armed Pixie (Topic Starter)

Posted 30 July 2012 - 06:28 AM

I still need help. The GMer log is too big to post, as mentioned.

#6 KarstenHansen (The Dane)

Posted 30 July 2012 - 07:01 AM

Hi Heavily Armed Pixie :)
I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

Best Regards,
Karsten

P.S. As you forgot to post the DDS log I will do that for you, please do remember NOT to attach logs but to post them full, and yes I understand the GMER log is too big, hang on to it for now.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Desiree Delmastro at 9:52:45 on 2012-07-25
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1060933
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\prxtbBit2.dll
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\prxtbBit2.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.1.0.12\AVG Secure Search_toolbar.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitTorrentBar Toolbar: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - c:\program files\bittorrentbar\prxtbBit2.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.1.0.12\AVG Secure Search_toolbar.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\prxtbFre0.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Adobe] rundll32.exe "c:\documents and settings\desiree delmastro\local settings\application data\apple computer\adobe\gzkkahzz.dll",CreateInstance
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ASUSGamerOSD] c:\program files\asus\gamerosd\GamerOSD.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [Adobe] rundll32.exe "c:\documents and settings\desiree delmastro\local settings\application data\apple computer\adobe\gzkkahzz.dll",CreateInstance
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\yahtzee\images\stg_drm.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235510026328
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235510020343
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\yahtzee\images\armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130
TCP: Interfaces\{943094A3-C160-4710-84F0-C9EA9704A978} : DhcpNameServer = 167.206.251.129 167.206.251.130
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\11.2.0\ViProtocol.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\480\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\desiree delmastro\application data\mozilla\firefox\profiles\rzbiogt2.default\
FF - prefs.js: browser.search.selectedEngine - Freecorder Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.weightwatchers.com/index.aspx
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?SSPV=FFSB1&ctid=CT1060933&SearchSource=2&q=
FF - component: c:\documents and settings\desiree delmastro\application data\mozilla\firefox\profiles\rzbiogt2.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCoreGecko10.dll
FF - component: c:\documents and settings\desiree delmastro\application data\mozilla\firefox\profiles\rzbiogt2.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCoreGecko11.dll
FF - component: c:\documents and settings\desiree delmastro\application data\mozilla\firefox\profiles\rzbiogt2.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\desiree delmastro\application data\mozilla\firefox\profiles\rzbiogt2.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCoreGecko5.dll
FF - component: c:\documents and settings\desiree delmastro\application data\mozilla\firefox\profiles\rzbiogt2.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCoreGecko6.dll
FF - component: c:\documents and settings\desiree delmastro\application data\mozilla\firefox\profiles\rzbiogt2.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCoreGecko7.dll
FF - component: c:\documents and settings\desiree delmastro\application data\mozilla\firefox\profiles\rzbiogt2.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCoreGecko8.dll
FF - component: c:\documents and settings\desiree delmastro\application data\mozilla\firefox\profiles\rzbiogt2.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCoreGecko9.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\documents and settings\desiree delmastro\application data\mozilla\firefox\profiles\rzbiogt2.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\plugins\np-mswmp.dll
FF - plugin: c:\documents and settings\desiree delmastro\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\desiree delmastro\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\desiree delmastro\local settings\application data\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 8.0\reader\browser\nppdf32(2).dll
FF - plugin: c:\program files\adobe\reader 8.0\reader\browser\nppdf32(3).dll
FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\11.2.0\npsitesafety.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-07-24 18:56:23 -------- d-----w- c:\documents and settings\desiree delmastro\application data\AVG2012
2012-07-24 18:34:19 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2012-07-24 18:30:40 15128 ----a-w- c:\documents and settings\desiree delmastro\application data\microsoft\identitycrl\production\ppcrlconfig.dll
2012-07-24 16:46:53 711240 ----a-w- c:\windows\isRS-000.tmp
2012-07-17 18:10:53 -------- d-----w- c:\documents and settings\desiree delmastro\application data\NVIDIA
2012-07-06 18:37:59 -------- d-----w- c:\program files\MySQL
2012-07-06 18:37:48 -------- d-----w- c:\documents and settings\all users\application data\MySQL
2012-06-30 18:34:08 -------- d-----w- c:\documents and settings\desiree delmastro\node_modules
2012-06-30 18:34:01 -------- d-----w- c:\documents and settings\desiree delmastro\application data\npm-cache
2012-06-30 18:31:41 -------- d-----w- c:\program files\nodejs
2012-06-30 18:31:41 -------- d-----w- c:\documents and settings\desiree delmastro\application data\npm
2012-06-26 03:04:17 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M ====================
.
2012-07-24 18:16:44 553 --sha-w- c:\windows\system32\mmf.sys
2012-07-03 17:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-26 03:04:17 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-19 15:54:01 87424 ----a-w- c:\windows\system32\LMIinit.dll
2012-05-19 15:54:01 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-05-19 15:54:01 52096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2012-05-19 15:54:01 30592 ----a-w- c:\windows\system32\LMIport.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3250820AS rev.3.ADG -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ADCA4B1]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8add193c]; MOV EAX, [0x8add1ab0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Harddisk0\DR0[0x8AE51AB8]
3 CLASSPNP[0xB80E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\0000006e[0x8AEDAC78]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> [0x8AEA6D98]
\Driver\atapi[0x8AEA39F8] -> IRP_MJ_CREATE -> 0x8ADCA4B1
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8ADCA2E2
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 9:54:20.64 ===============

Edited by KarstenHansen, 30 July 2012 - 07:10 AM.
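Triage logic for the kind of DDS log posted above, as an added example and not a tool from this thread or from the DDS/GMER authors: it parses the Run lines and the GMER hook lines from a constructed sample in the same format (the profile name is replaced by a placeholder) and flags the entries a helper would review first: rundll32 loading a DLL out of a user-profile directory, the same command registered in more than one hive, a hooked driver routine, and a scanner warning.

```python
import re
from dataclasses import dataclass

# Constructed sample in the DDS "Pseudo HJT Report" / GMER ROOTKIT line format seen in the
# thread above. The user profile name is replaced with "user"; everything else mirrors the log.
SAMPLE_LOG = r"""
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT1060933
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Adobe] rundll32.exe "c:\documents and settings\user\local settings\application data\apple computer\adobe\gzkkahzz.dll",CreateInstance
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
dRun: [Adobe] rundll32.exe "c:\documents and settings\user\local settings\application data\apple computer\adobe\gzkkahzz.dll",CreateInstance
detected hooks:
\Driver\atapi DriverStartIo -> 0x8ADCA2E2
Warning: possible TDL3 rootkit infection !
""".strip("\n")


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    line_no: int
    reason: str
    line: str


# DDS prefixes its Run lines with the hive: u = HKCU, m = HKLM, d = HKU\.DEFAULT
RUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# GMER-style hook line: "\Driver\atapi DriverStartIo -> 0x8ADCA2E2"
HOOK_RE = re.compile(r"^(?P<driver>\\Driver\\\S+) (?P<routine>\w+) -> (?P<addr>0x[0-9A-Fa-f]+)$")
# rundll32 command: capture the DLL path (quoted or not) that precedes the ",EntryPoint" suffix
RUNDLL_RE = re.compile(r'^\s*rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
# Directories inside a user profile that code running as that user can write to
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def rundll32_target(cmd: str):
    """Return the lower-cased DLL path a rundll32 command loads, or None if it is not rundll32."""
    m = RUNDLL_RE.match(cmd)
    return m.group("dll").lower() if m else None


def triage(text: str) -> list:
    """Walk a DDS log and return the lines a malware-removal helper would look at first."""
    findings = []
    first_hive = {}  # command line -> hive it was first registered in
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            cmd, hive = m.group("cmd"), m.group("hive")
            dll = rundll32_target(cmd)
            if dll and any(d in dll for d in PROFILE_DIRS):
                findings.append(Finding("high", n,
                    "rundll32 loads a DLL from a user-writable profile directory", line))
            if cmd in first_hive and first_hive[cmd] != hive:
                findings.append(Finding("medium", n,
                    f"same command also registered in hive '{first_hive[cmd]}'", line))
            first_hive.setdefault(cmd, hive)
        elif HOOK_RE.match(line):
            findings.append(Finding("high", n, "kernel driver routine hooked", line))
        elif line.lower().startswith("warning:"):
            findings.append(Finding("high", n, "scanner warning", line))
        elif line.startswith(("uStart Page", "mStart Page")) and "?" in line:
            findings.append(Finding("medium", n,
                "start page points at a search URL carrying tracking parameters", line))
    return findings


def summary(findings) -> dict:
    """Count findings per severity, e.g. {'high': 4, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] line {f.line_no}: {f.reason}\n          {f.line}")
    print(summary(triage(SAMPLE_LOG)))
```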


#7 KarstenHansen

Posted 30 July 2012 - 08:49 AM

Hi Heavily Armed Pixie :)
:welcome: to BleepingComputer.

My name is Karsten and I'll help you with the cleanup of malware from your computer.

Please be aware of the following:
  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 3 days, I am assuming that you don't need help anymore and your topic will be closed.
  • I can not guarantee that we will find and be able to remove all malware. Formatting is usually faster and always the safest way.
  • If you decide to clean your PC, work with us until a team member tells you that you are clean.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
NEXT

There is a program installed on your PC called LOGMEIN. This is a remote desktop tool and if it is not installed by you we need to remove it right away!

NEXT

I found your log to contain a P2P program and would like you to read the following:
Going over your logs I noticed that you have BitTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall BitTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

NEXT

Could you please ZIP up the GMER log and ATTACH it to your reply to me? (I know I just told you to only post logs but as the GMER log is too big for forum we will do this).

Best Regards,
Karsten

#8 Heavily Armed Pixie (Topic Starter)

Posted 02 August 2012 - 06:26 AM

I don't have a paid copy of WinZip, it won't let me .zip a file without registering and purchasing the program. I have WinRar, but apparently cannot upload .rar files via BleepingComputer forums. Any other ideas?

Edited by Heavily Armed Pixie, 02 August 2012 - 06:33 AM.


#9 KarstenHansen

Posted 02 August 2012 - 06:30 AM

Hi Heavily Armed Pixie :)
Something went wrong as there is no GMER log attached to your post. Please would you try again? Zip the GMER log and attach it to your next post please.

Best Regards,
Karsten

Edited by KarstenHansen, 02 August 2012 - 06:31 AM.


#10 Heavily Armed Pixie (Topic Starter)

Posted 02 August 2012 - 06:33 AM

I don't have a paid copy of WinZip, it won't let me .zip a file without registering and purchasing the program. I have WinRar, but apparently cannot upload .rar files via BleepingComputer forums. Any other ideas?

#11 KarstenHansen

Posted 02 August 2012 - 06:35 AM

Of course, hehehe try this: http://www.7-zip.org/

7ZIP is free and can therefore be used. Try using that please.

Karsten

Edited by KarstenHansen, 02 August 2012 - 06:35 AM.


#12 Heavily Armed Pixie (Topic Starter)

Posted 02 August 2012 - 06:41 AM

Hope this works as intended. Fingers crossed.

Attached Files


Edited by Heavily Armed Pixie, 02 August 2012 - 06:41 AM.


#13 KarstenHansen

Posted 02 August 2012 - 06:44 AM

Yes, that worked, thank you very much. Give me a little time to go through this GMER log and I will get back to you asap!

#14 KarstenHansen

Posted 03 August 2012 - 06:55 AM

Hi Heavily Armed Pixie :)
It looks as if you are infected in either your MBR or in the partition table. I will use aswMBR to get a better view of that part of your system. Please do the following:

First I will need to make sure Daemon Tools is disabled and will do that by running this:
Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

NEXT

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

NEXT

I need to find out what is on your PC and I will now need a OTL log. Please do the following:

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup:
  • aswMBR log
  • OTL log
Best Regards,
Karsten

#15 Heavily Armed Pixie (Topic Starter)

Posted 03 August 2012 - 07:46 AM

I'm running the scans momentarily as requested. Please be advised that the link for the OTL gives me an error, as follows:


The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, webmaster@oldtimer.geekstogo.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.



