
Thread: Browser redirection and inability to access Microsoft Update

  #1
    Junior Member | Join Date: Dec 2010 | Posts: 1

    Browser redirection and inability to access Microsoft Update

    Hi, my browser(s) are getting redirected to wepprotectionmicrosoft.com, and I am unable to access Microsoft Update or update Microsoft Security Essentials. Most websites I try to access are being blocked, e.g. "wepprotectionmicrosoft.com/block.php?teletext2010=1&url=http://www.larshederer.homepage.t-online.de/erunt/index.htm&z1=1291837075"

    Hence I cannot back up the registry with ERUNT; I have backed the registry up with Spybot's native tool, though.

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by User 1 at 21:22:46.76 on 14/12/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.145 [GMT 0:00]

    AV: Microsoft Security Essentials *Enabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\system32\svchost.exe -k NetworkService
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\WINDOWS\system32\SearchFilterHost.exe
    C:\Documents and Settings\User 1\My Documents\Downloads\dds.pif
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.ie/
    uInternet Settings,ProxyOverride = *.local
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Switcher.exe] "c:\program files\sony\wireless switch setting utility\Switcher.exe"
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216749833875
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, motbuouf.dll
    LSA: Authentication Packages = msv1_0 nwprovau

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user1~1\applic~1\mozilla\firefox\profiles\moob66t9.default\
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    ============= SERVICES / DRIVERS ===============

    R?2 fooxpycn;Microsoft USB Generic Parent Controller;c:\windows\system32\svchost.exe -k netsvcs [2007-11-22 14336]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-11-15 363344]
    R2 VMCService;Vodafone Mobile Connect Service;c:\program files\vodafone\vodafone mobile connect\bin\VMCService.exe [2009-11-16 9216]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-6-20 36352]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-11-15 20952]
    R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-6-20 808448]
    S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\eappkt.sys --> c:\windows\system32\drivers\EAPPkt.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-14 136176]
    S3 BELKIN;Belkin Wireless G USB Network Adapter;c:\windows\system32\drivers\blkwgu.sys --> c:\windows\system32\drivers\BLKWGU.sys [?]
    S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-1-19 113280]
    S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-1-19 100480]
    S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [2010-11-22 100736]
    S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-11-30 1389400]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-11-30 15264]
    S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2010-1-19 18432]
    S3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\drivers\SonyPI.sys [2007-11-22 37040]

    =============== Created Last 30 ================

    2010-12-14 21:22:20 -------- d--h--w- c:\windows\PIF
    2010-12-14 20:14:58 15880 ----a-w- c:\windows\system32\lsdelete.exe
    2010-12-14 19:32:17 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2010-12-14 19:27:15 -------- d-----w- c:\docume~1\user1~1\locals~1\applic~1\Sunbelt Software
    2010-12-14 19:24:11 -------- d-----w- c:\docume~1\user1~1\locals~1\applic~1\Temp
    2010-12-14 19:23:27 -------- d-----w- c:\docume~1\user1~1\locals~1\applic~1\Google
    2010-12-14 19:23:03 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{4C199BD2-7EF4-41DD-A9F3-FDB1302724DF}
    2010-12-14 19:21:27 -------- d-----w- c:\program files\Lavasoft
    2010-12-14 18:54:54 -------- d-----w- c:\docume~1\user1~1\applic~1\ElevatedDiagnostics
    2010-12-13 23:45:16 388096 ----a-r- c:\docume~1\user1~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
    2010-12-13 23:45:15 -------- d-----w- c:\program files\Trend Micro
    2010-12-13 20:32:47 0 ----a-w- c:\windows\system32\tmp.tmp
    2010-12-13 20:30:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-12-13 20:30:38 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
    2010-12-13 18:22:41 733184 ----a-w- c:\windows\system32\alk7.dll
    2010-12-13 18:22:41 0 ----a-w- c:\windows\system32\alk7.tmp
    2010-12-08 19:43:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\bKbNa01803
    2010-12-07 18:39:10 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{4b24d3e5-2535-44d3-a3b5-bd04fb5375cd}\mpengine.dll
    2010-12-04 09:34:56 -------- d-----w- c:\docume~1\user1~1\locals~1\applic~1\PCHealth
    2010-11-22 18:36:08 100736 ----a-r- c:\windows\system32\drivers\ewusbfake.sys
    2010-11-22 18:13:28 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
    2010-11-22 18:13:06 -------- d-----w- c:\docume~1\user1~1\applic~1\FLEXnet
    2010-11-22 18:06:11 -------- d-----w- c:\docume~1\user1~1\applic~1\Vodafone
    2010-11-22 18:05:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\Vodafone
    2010-11-22 18:05:25 -------- d-----w- c:\program files\Vodafone
    2010-11-22 18:05:09 -------- d-----w- c:\docume~1\user1~1\locals~1\applic~1\{BFFB4DAD-9151-42DB-86FA-4F90FA6F699F}
    2010-11-16 20:46:08 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
    2010-11-16 14:52:30 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-11-16 14:52:30 215920 ----a-w- c:\windows\system32\muweb.dll
    2010-11-16 14:52:30 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
    2010-11-15 22:54:31 -------- d-----w- c:\program files\iPod
    2010-11-15 22:54:24 -------- d-----w- c:\program files\iTunes
    2010-11-15 22:54:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-11-15 22:49:17 1461992 ----a-w- c:\windows\system32\wdfcoinstaller01009.dll
    2010-11-15 22:48:51 -------- d-----w- c:\program files\Bonjour
    2010-11-15 22:22:27 -------- d-----w- c:\docume~1\user1~1\applic~1\Malwarebytes
    2010-11-15 22:22:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-15 22:22:18 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-15 22:22:18 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-11-15 22:22:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-11-15 22:15:47 250496 ----a-w- c:\windows\system32\drivers\yk51x86.sys
    2010-11-15 22:11:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sony Corporation
    2010-11-15 21:20:57 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-11-15 21:17:02 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-11-15 20:48:32 -------- d-----w- c:\program files\CCleaner

    ==================== Find3M ====================

    2010-10-07 12:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-10-07 12:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2010-10-07 12:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2010-09-28 15:44:52 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
    2010-09-18 12:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: FUJITSU_MHY2120BH rev.0000000B -> Harddisk0\DR0 -> \Device\00000091

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D02735]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86d08990]; MOV EAX, [0x86d08a0c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86D48AB8]
    3 CLASSPNP[0xF75DDFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000008e[0x86D4B9E8]
    5 ACPI[0xF7454620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86CCBB00]
    \Driver\atapi[0x86CD8268] -> IRP_MJ_CREATE -> 0x86D02735
    error: Read The device is not ready.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP2T0L0-9 -> \??\IDE#DiskFUJITSU_MHY2120BH_______________________0000000B#5&1a838039&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x86D0257B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 21:24:34.42 ===============
    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-12-14 21:36:38
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 FUJITSU_MHY2120BH rev.0000000B
    Running: gmer.exe; Driver: C:\DOCUME~1\USER1~1\LOCALS~1\Temp\ugtoaaob.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\DOCUME~1\USER1~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[404] ntdll.dll!DbgBreakPoint 7C90120E 1 Byte [C3]
    .text C:\WINDOWS\Explorer.EXE[404] ntdll.dll!DbgUiRemoteBreakin 7C951E13 5 Bytes JMP 7C923BD8 C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
    .text C:\WINDOWS\System32\svchost.exe[1268] ntdll.dll!DbgBreakPoint 7C90120E 1 Byte [C3]
    .text C:\WINDOWS\System32\svchost.exe[1268] ntdll.dll!DbgUiRemoteBreakin 7C951E13 5 Bytes JMP 7C923BD8 C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
    .text C:\WINDOWS\System32\svchost.exe[1268] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01D7000A
    .text C:\WINDOWS\System32\svchost.exe[1268] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00E5000A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[1840] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2156] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2576] ntdll.dll!DbgBreakPoint 7C90120E 1 Byte [C3]
    .text C:\Program Files\Google\Chrome\Application\chrome.exe[2576] ntdll.dll!DbgUiRemoteBreakin 7C951E13 5 Bytes JMP 7C923BD8 C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
    .text C:\WINDOWS\system32\SearchIndexer.exe[2836] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Program Files\Google\Chrome\Application\chrome.exe[1840] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002F0010
    IAT C:\Program Files\Google\Chrome\Application\chrome.exe[2156] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002F0010

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86D0257B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86D0257B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 86D0257B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 86D0257B
    Device \Device\Ide\IdeDeviceP2T0L0-9 -> \??\IDE#DiskFUJITSU_MHY2120BH_______________________0000000B#5&1a838039&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 3948
    Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D14E26F-AE61-41DE-8342-3B607F3952E1}@LeaseObtainedTime 1292360395
    Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D14E26F-AE61-41DE-8342-3B607F3952E1}@T1 1292362195
    Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D14E26F-AE61-41DE-8342-3B607F3952E1}@T2 1292363545
    Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7D14E26F-AE61-41DE-8342-3B607F3952E1}@LeaseTerminatesTime 1292363995
    Reg HKLM\SYSTEM\CurrentControlSet\Services\{7D14E26F-AE61-41DE-8342-3B607F3952E1}\Parameters\Tcpip@LeaseObtainedTime 1292360395
    Reg HKLM\SYSTEM\CurrentControlSet\Services\{7D14E26F-AE61-41DE-8342-3B607F3952E1}\Parameters\Tcpip@T1 1292362195
    Reg HKLM\SYSTEM\CurrentControlSet\Services\{7D14E26F-AE61-41DE-8342-3B607F3952E1}\Parameters\Tcpip@T2 1292363545
    Reg HKLM\SYSTEM\CurrentControlSet\Services\{7D14E26F-AE61-41DE-8342-3B607F3952E1}\Parameters\Tcpip@LeaseTerminatesTime 1292363995

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- EOF - GMER 1.0.15 ----

  #2
    Emeritus-Security Expert | Join Date: Nov 2005 | Location: Florida's SpaceCoast | Posts: 15,208




    Please read Before You Post
    While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

    Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

    Looks like your Master Boot Record is infected with a rootkit.

    If you're blocked from downloading this program, you will have to use a known clean computer to download it, transfer it by USB flash drive to the infected one, and run the program.

    • Download TDSSKiller and save it to your Desktop.
    • Extract the file and run it.
    • Once completed, it will create a log on your C:\ drive called TDSSKiller_* (* denotes version and date).
    • Please post the content of the TDSSKiller log.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if there is no reply in 3 days.
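The lines a helper reads first in a report like the one above are the DDS service entry with an odd status field that is hosted inside svchost.exe (the `R?2 fooxpycn` line), the `DriverStartIo` hook GMER reports on `\Driver\atapi`, the unknown module in the disk call chain, and GMER's own "rootkit-like behavior" and "possible TDL3 rootkit infection" lines. The Python below is an added triage example for this thread; it is not part of the thread, nor of DDS, GMER or TDSSKiller. The sample input is a handful of lines copied from the logs posted above. The reading of `?` in the DDS status field as "entry not fully resolved" and the eight-lowercase-letter "random name" rule are heuristics assumed by this example, not documented DDS behaviour.

```python
"""Triage helper for the DDS 'SERVICES / DRIVERS' section and GMER output.

Added example for this thread; it is not part of the thread, of DDS or of
GMER. It applies a few heuristics to the kind of text the poster pasted and
returns the lines a helper would look at first.
"""
import re
from dataclasses import dataclass

# DDS service/driver line, as printed in the thread:
#   <status><start> <short name>;<display name>;<image path> [<date> <size>]
# status is R (running) or S (stopped). In this report DDS printed "R?" for
# one entry; the "?" is treated here as "DDS could not fully resolve the
# entry" (an assumption of this example, not a documented DDS field).
DDS_LINE = re.compile(
    r"^(?P<status>[RS?]{1,2})(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)(?:\s+\[.*\])?$"
)
SVCHOST = re.compile(r"svchost\.exe\s+-k\s+(?P<group>\S+)", re.IGNORECASE)
# Heuristic (assumed): generated service names are often a fixed-length run
# of lowercase letters with no digits or capitals, like 'fooxpycn' above.
RANDOM_NAME = re.compile(r"^[a-z]{8}$")

# GMER lines worth surfacing, with the reason attached to each.
GMER_PATTERNS = [
    (re.compile(r"^Warning: possible .*rootkit infection", re.IGNORECASE),
     "scanner warning"),
    (re.compile(r"rootkit-like behavior", re.IGNORECASE),
     "disk sector flagged"),
    (re.compile(r"^\\Driver\\\w+ DriverStartIo ->", re.IGNORECASE),
     "DriverStartIo hook on a storage driver"),
    (re.compile(r">>UNKNOWN \[0x[0-9A-F]+\]<<", re.IGNORECASE),
     "unknown module in the disk I/O call chain"),
]


@dataclass
class Finding:
    source: str   # "dds" or "gmer"
    reason: str
    line: str


def triage_dds(text: str) -> list[Finding]:
    """Flag DDS entries with an unresolved status, and entries whose short
    name looks generated and which run inside svchost.exe (a generic,
    trusted-looking host process)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = DDS_LINE.match(line)
        if not m:
            continue
        if "?" in m.group("status"):
            findings.append(Finding("dds", "unresolved status flag '?'", line))
        host = SVCHOST.search(m.group("path"))
        if host and RANDOM_NAME.match(m.group("name")):
            findings.append(Finding(
                "dds",
                f"svchost-hosted ({host.group('group')}) service with random-looking name",
                line))
    return findings


def triage_gmer(text: str) -> list[Finding]:
    """Return GMER lines matching one of GMER_PATTERNS (first match wins)."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        for pattern, reason in GMER_PATTERNS:
            if pattern.search(line):
                findings.append(Finding("gmer", reason, line))
                break
    return findings


# Constructed sample: lines copied from the DDS and GMER output in the thread.
SAMPLE_DDS = r"""
R?2 fooxpycn;Microsoft USB Generic Parent Controller;c:\windows\system32\svchost.exe -k netsvcs [2007-11-22 14336]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
S2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\eappkt.sys --> c:\windows\system32\drivers\EAPPkt.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-14 136176]
"""

SAMPLE_GMER = r"""
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86D02735]<<
detected hooks:
\Driver\atapi DriverStartIo -> 0x86D0257B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
"""

if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS) + triage_gmer(SAMPLE_GMER):
        print(f"[{f.source}] {f.reason}: {f.line}")
```

Run against the sample, the script surfaces the `fooxpycn` entry twice (unresolved status, and a random-looking name hosted in the `netsvcs` svchost group) and four GMER lines; the benign entries (MpFilter, EAPPkt, gupdate) produce nothing. The "user & kernel MBR OK" line is deliberately not treated as clearing the other findings: in this report it sits right next to the atapi hook and the sector-63 warning, which is exactly the combination the analyst reacted to.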
