thejoggler
So somehow I contracted a Google re-direct virus (or whatever it is). I followed the 8-step procedure and am posting the required data here.
It seems to have taken over my anti-virus programs too. I can't update any of the anti-virus programs (Avira or Spyware Doctor). This is quite troubling. Can you help?
Attached are the logs as required.
GMER Log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-28 16:42:47
Windows 5.1.2600 Service Pack 3
Running: 7wm14dxe.exe; Driver: C:\DOCUME~1\FLASH4~1\LOCALS~1\Temp\kfrcipog.sys
---- System - GMER 1.0.15 ----
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF778E112]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF776D2D6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF776D4C8]
SSDT F7F3E84C ZwCreateThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF778E900]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF778EBB4]
SSDT F7F3E86A ZwLoadKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF778CE12]
SSDT F7F3E838 ZwOpenProcess
SSDT F7F3E83D ZwOpenThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF778F020]
SSDT F7F3E874 ZwReplaceKey
SSDT F7F3E86F ZwRestoreKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF778E3D2]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF776CF44]
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!_abnormal_termination + 120 804E278C 4 Bytes CALL 668C1F84
.text ntoskrnl.exe!_abnormal_termination + 148 804E27B4 4 Bytes JMP 26761F31
.text ntoskrnl.exe!_abnormal_termination + 1D4 804E2840 4 Bytes CALL 6D072038
.text ntoskrnl.exe!_abnormal_termination + 234 804E28A0 4 Bytes CALL 611C2098
.text ntoskrnl.exe!_abnormal_termination + 24C 804E28B8 4 Bytes CALL 5BB920B0
.text ...
PAGENDSM NDIS.sys!NdisMIndicateStatus F76969EF 6 Bytes JMP EE807AC0 \SystemRoot\System32\Drivers\fwdrv.sys
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Mozilla Firefox\firefox.exe[1452] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\WINDOWS\system32\spoolsv.exe[1696] ntdll.dll!NtResumeThread 7C90DB3E 5 Bytes JMP 00F5000A
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\System32\DRIVERS\ipsec.sys[ntoskrnl.exe!ZwLoadDriver] [EE807928] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EE807820] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EE80783B] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EE8078CB] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[ntoskrnl.exe!ZwLoadDriver] [EE807928] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EE8078CB] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EE80783B] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EE807820] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EE8078CB] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EE807820] \SystemRoot\System32\Drivers\fwdrv.sys
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EE80783B] \SystemRoot\System32\Drivers\fwdrv.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp fwdrv.sys
AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
---- EOF - GMER 1.0.15 ----
Malwarebytes Log:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 3930
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
6/28/2010 12:35:13 PM
mbam-log-2010-06-28 (12-35-13).txt
Scan type: Quick scan
Objects scanned: 117517
Time elapsed: 17 minute(s), 37 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.52,93.188.161.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{000d0d4b-7e4e-4a96-8218-986861d2243d}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.52,93.188.161.182 -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
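As an added example for readers triaging logs like the ones in this post (this is editor-supplied code, not part of the original post and not code from GMER or Malwarebytes), the script below parses the SSDT section of a GMER log and the "Registry Data Items Infected" lines of an MBAM log. It groups the hooked Zw* functions by the module GMER attributed them to (the log ties most of them to PCTCore.sys, the PC Tools driver behind the Spyware Doctor the poster mentions), lists the hooks GMER could not attribute to any module so they can be followed up by hand, and extracts the DNS servers the DNSChanger entries pointed at so they can be compared with what the machine should be using. The sample log lines are copied from the post; `EXPECTED_DNS` (a placeholder router address) and the function names are assumptions made for illustration.

```python
"""Triage helpers for GMER and Malwarebytes (MBAM) text logs.

Added example, not from the original post or either tool. Sample lines are
copied from the post; EXPECTED_DNS and function names are illustrative.
"""
import re
from collections import defaultdict

# GMER SSDT entry attributed to a module, e.g.
#   SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF778E112]
SSDT_ATTRIBUTED = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\)\s+"
    r"(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$"
)
# GMER SSDT entry it could not tie to a loaded module, e.g.
#   SSDT F7F3E84C ZwCreateThread
SSDT_BARE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)$")

# MBAM registry-data detection line:
#   HKEY_...\NameServer (Trojan.DNSChanger) -> Data: a.b.c.d,e.f.g.h -> Quarantined ...
MBAM_DATA = re.compile(
    r"^(?P<key>HKEY_\S+)\s+\((?P<detection>[^)]+)\)\s+->\s+Data:\s+"
    r"(?P<data>\S+)\s+->\s+(?P<action>.+)$"
)

# Constructed sample input: the SSDT block of the GMER log from the post.
GMER_SAMPLE = r"""
---- System - GMER 1.0.15 ----
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF778E112]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF776D2D6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF776D4C8]
SSDT F7F3E84C ZwCreateThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF778E900]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF778EBB4]
SSDT F7F3E86A ZwLoadKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF778CE12]
SSDT F7F3E838 ZwOpenProcess
SSDT F7F3E83D ZwOpenThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF778F020]
SSDT F7F3E874 ZwReplaceKey
SSDT F7F3E86F ZwRestoreKey
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF778E3D2]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF776CF44]
"""

# Constructed sample input: the registry-data section of the MBAM log from the post.
MBAM_SAMPLE = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.52,93.188.161.182 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{000d0d4b-7e4e-4a96-8218-986861d2243d}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.52,93.188.161.182 -> Quarantined and deleted successfully.
"""

# Assumption for illustration: the DNS server(s) this machine is supposed to use
# (for a home PC, typically the router). Replace with the real value.
EXPECTED_DNS = {"192.168.1.1"}


def parse_ssdt_hooks(log_text):
    """Return one dict per SSDT hook; 'module' is None when GMER named none."""
    hooks = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SSDT_ATTRIBUTED.match(line)
        if m:
            hooks.append({"module": m["module"], "vendor": m["vendor"],
                          "function": m["func"], "address": int(m["addr"], 16)})
            continue
        m = SSDT_BARE.match(line)
        if m:
            hooks.append({"module": None, "vendor": None,
                          "function": m["func"], "address": int(m["addr"], 16)})
    return hooks


def hooks_by_module(hooks):
    """Group hooked Zw* functions by owning module; unattributed ones go under None."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["module"]].append(h["function"])
    return {k: sorted(v) for k, v in grouped.items()}


def parse_mbam_nameservers(log_text):
    """Extract the NameServer entries MBAM flagged, with the DNS IPs split out."""
    entries = []
    for raw in log_text.splitlines():
        m = MBAM_DATA.match(raw.strip())
        if m and m["key"].endswith("\\NameServer"):
            entries.append({"key": m["key"], "detection": m["detection"],
                            "servers": m["data"].split(","), "action": m["action"]})
    return entries


def unexpected_dns_servers(entries, expected):
    """DNS servers seen in the flagged entries that are not in the expected set."""
    seen = set()
    for e in entries:
        seen.update(e["servers"])
    return seen - set(expected)


if __name__ == "__main__":
    grouped = hooks_by_module(parse_ssdt_hooks(GMER_SAMPLE))
    for module, funcs in grouped.items():
        print(f"{module or '<no module attributed>'}: {', '.join(funcs)}")
    entries = parse_mbam_nameservers(MBAM_SAMPLE)
    print("rogue DNS servers:", sorted(unexpected_dns_servers(entries, EXPECTED_DNS)))
```

Run as-is it prints the nine hooks attributed to PCTCore.sys, the six GMER left unattributed (ZwCreateThread, ZwLoadKey, ZwOpenProcess, ZwOpenThread, ZwReplaceKey, ZwRestoreKey), and the two DNS addresses MBAM removed from the NameServer values. The unattributed hooks and the fwdrv.sys references elsewhere in the GMER log are simply the items to resolve next (which driver owns those addresses, whether it belongs to installed software); the parser makes no claim that they are malicious. Note that MBAM removed the NameServer values but nothing in either log shows what set them, which is consistent with the poster still being unable to update Avira or Spyware Doctor.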