
Thread: Fraudload and Click.Giftload

  1. #1
    Junior Member, Join Date: Mar 2011, Posts: 11

    Fraudload and Click.Giftload

    Hi, I have click.giftload and Fraudload that redirect me to ads via Google links.

    Hope I'm not getting ahead of myself; my aswMBR and GMER logs are below and in the next post.

    aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
    Run date: 2011-03-23 16:43:36
    -----------------------------
    16:43:36.859 OS Version: Windows 5.1.2600 Service Pack 3
    16:43:36.859 Number of processors: 2 586 0x209
    16:43:36.859 ComputerName: OWNER-53AB28ACA UserName: Owner
    16:43:38.796 Initialize success
    16:43:41.718 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdePort0
    16:43:41.734 Disk 0 Vendor: ST380215A 3.AAD Size: 76319MB BusType: 3
    16:43:41.734 Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST380215A_______________________________3.AAD___#5&13a60baf&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
    16:43:41.734 Device \Driver\atapi -> DriverStartIo 8672027f
    16:43:41.750 Disk 0 MBR read successfully
    16:43:41.750 Disk 0 MBR scan
    16:43:41.750 Disk 0 TDL4@MBR code has been found
    16:43:41.750 Disk 0 MBR hidden
    16:43:41.750 Disk 0 MBR [TDL4] **ROOTKIT**
    16:43:41.750 Disk 0 trace - called modules:
    16:43:41.750 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86720439]<<
    16:43:41.750 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86785ab8]
    16:43:41.750 3 CLASSPNP.SYS[f788ffd7] -> nt!IofCallDriver -> \Device\00000059[0x86741f18]
    16:43:41.750 5 ACPI.sys[f77e6620] -> nt!IofCallDriver -> [0x8678bd98]
    16:43:41.765 \Driver\atapi[0x86761b10] -> IRP_MJ_CREATE -> 0x86720439
    16:43:41.765 Scan finished successfully

  2. #2
    Junior Member, Join Date: Mar 2011, Posts: 11

    gmer

    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit scan 2011-03-23 16:19:08
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST380215A rev.3.AAD
    Running: vjjpeknv.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kfwdypob.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\Program Files\CyberLink\PowerDVD9\NavFilter\000.fcl section is writeable [0xEC48B000, 0x2892, 0xE8000020]
    .vmp2 C:\Program Files\CyberLink\PowerDVD9\NavFilter\000.fcl entry point in ".vmp2" section [0xEC4AE050]
    ? C:\DOCUME~1\Owner\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F1000A
    .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00F2000A
    .text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00F0000C
    .text C:\WINDOWS\System32\svchost.exe[1136] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0284000A
    .text C:\WINDOWS\System32\svchost.exe[1136] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 0285000A
    .text C:\WINDOWS\System32\svchost.exe[1136] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 0286000A
    .text C:\WINDOWS\System32\svchost.exe[1136] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00FA000A
    .text C:\WINDOWS\Explorer.EXE[1612] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D4000A
    .text C:\WINDOWS\Explorer.EXE[1612] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00F6000A
    .text C:\WINDOWS\Explorer.EXE[1612] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D3000C

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8672027F
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8672027F
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8672027F
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8672027F
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-12 8672027F
    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST380215A_______________________________3.AAD___#5&13a60baf&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- EOF - GMER 1.0.15 ----
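
    For anyone triaging reports like the two above, the following script is an added example written for this thread; it is not part of the GMER or aswMBR tools and not code from the original posters. It pulls the three things a defender reads first out of these formats: the MBR rootkit verdict lines (aswMBR's "MBR [TDL4] **ROOTKIT**" and GMER's "TDL4@MBR code has been found"), the per-process inline API hooks from GMER's "User code sections" (image, PID, hooked export, and the JMP target), and the DriverStartIo entries from the "Devices" section grouped by address, so that several IDE ports all pointing at one address stands out. The sample report is constructed here after the line formats in the thread; the function names (triage, hooked_processes, shared_startio_addresses, summarize) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the aswMBR and GMER report formats
# used in this thread (not a real scan of any machine).
SAMPLE_LOG = r"""
16:43:41.750 Disk 0 TDL4@MBR code has been found
16:43:41.750 Disk 0 MBR [TDL4] **ROOTKIT**
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[1136] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F1000A
.text C:\WINDOWS\System32\svchost.exe[1136] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00FA000A
.text C:\WINDOWS\Explorer.EXE[1612] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00F6000A
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8672027F
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8672027F
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
"""

# Either tool's explicit MBR rootkit verdict.
MBR_RE = re.compile(r"TDL4@MBR code has been found|MBR \[TDL4\] \*\*ROOTKIT\*\*")

# GMER user-mode inline hook: "<image>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target>".
# The image path may contain spaces, so it is matched non-greedily up to "[pid]".
HOOK_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] (?P<module>[^!\s]+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<nbytes>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)$"
)

# GMER device entry for a redirected DriverStartIo routine.
STARTIO_RE = re.compile(
    r"^Device (?P<driver>\S+) -> DriverStartIo (?P<device>\S+) (?P<addr>[0-9A-Fa-f]+)$"
)


def triage(report: str) -> dict:
    """Parse an aswMBR/GMER text report into a small findings dictionary."""
    findings = {"mbr_rootkit": False, "mbr_evidence": [], "hooks": [], "startio_by_addr": {}}
    startio = defaultdict(list)
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if MBR_RE.search(line):
            findings["mbr_rootkit"] = True
            findings["mbr_evidence"].append(line)
            continue
        m = HOOK_RE.match(line)
        if m:
            hook = m.groupdict()
            hook["pid"] = int(hook["pid"])
            hook["nbytes"] = int(hook["nbytes"])
            findings["hooks"].append(hook)
            continue
        m = STARTIO_RE.match(line)
        if m:
            startio[m["addr"].upper()].append(m["device"])
    findings["startio_by_addr"] = dict(startio)
    return findings


def hooked_processes(findings: dict) -> list:
    """Distinct (image, pid) pairs that carry at least one inline hook."""
    return sorted({(h["image"], h["pid"]) for h in findings["hooks"]})


def shared_startio_addresses(findings: dict) -> list:
    """DriverStartIo addresses that more than one device object points to."""
    return sorted(a for a, devs in findings["startio_by_addr"].items() if len(devs) > 1)


def summarize(findings: dict) -> list:
    """Human-readable triage lines, in the order an analyst would read them."""
    lines = ["MBR: %s" % ("rootkit indicator present" if findings["mbr_rootkit"] else "no indicator")]
    for image, pid in hooked_processes(findings):
        funcs = [f"{h['module']}!{h['func']}->{h['target']}"
                 for h in findings["hooks"] if (h["image"], h["pid"]) == (image, pid)]
        lines.append(f"Hooked process {image} [{pid}]: " + ", ".join(funcs))
    for addr in shared_startio_addresses(findings):
        lines.append(f"DriverStartIo {addr} shared by: " + ", ".join(findings["startio_by_addr"][addr]))
    return lines


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```

    The script only reads the report; it does not change anything on the scanned machine. Run it over a saved report instead of the sample by passing the file's contents to triage().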

  3. #3
    tashi, Member of Team Spybot
    Join Date: Oct 2005, Location: USA, Posts: 30,961

    Hello h8mal,

    In case you missed it, please see the forum FAQ, which includes guidelines for this forum and instructions on posting preliminary "DDS" logs for analysis:
    "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance)

    Then start a new topic and a volunteer analyst will advise you when available.

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
