Hi,
I'm hoping someone can help me with my issue.
I got malware on my computer almost a week ago and have been trying various methods for days to get it off. I use Firefox and when I click on links I'm redirected to ad sites.
I turned off System Restore, scanned with Rogers virus protection and Malwarebytes Anti-Malware, which found some things, and I removed them. Everything seemed to be OK but it popped up again. I removed Firefox and I'm now only using Explorer; I scanned again and found nothing, but I still get the redirects. I uninstalled Rogers virus protection and installed Avira, scanned, but same issue. One last note - I can see the malware in my Program Files ("Antimalware Doctor") when I click on the Start button, but any scan doesn't see it.
I followed the forum's 8 steps to remove malware and the files are pasted.
Any help would be much appreciated.
***Malwarebytes Anti-Malware log***
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4486
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
26/08/2010 6:47:55 PM
mbam-log-2010-08-26 (18-47-55).txt
Scan type: Quick scan
Objects scanned: 143856
Time elapsed: 10 minute(s), 13 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
***GMER log***
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-27 00:11:10
Windows 5.1.2600 Service Pack 3
Running: 3g97iegn.exe; Driver: C:\DOCUME~1\Karina\LOCALS~1\Temp\uxtdipob.sys
---- System - GMER 1.0.15 ----
SSDT F7C423C6 ZwCreateKey
SSDT F7C423BC ZwCreateThread
SSDT F7C423CB ZwDeleteKey
SSDT F7C423D5 ZwDeleteValueKey
SSDT F7C423DA ZwLoadKey
SSDT F7C423A8 ZwOpenProcess
SSDT F7C423AD ZwOpenThread
SSDT F7C423E4 ZwReplaceKey
SSDT F7C423DF ZwRestoreKey
SSDT F7C423D0 ZwSetValueKey
---- Kernel code sections - GMER 1.0.15 ----
init C:\WINDOWS\system32\Drivers\OA012Afx.sys entry point in "init" section [0xA95D9D60]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[216] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[216] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[216] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\wuauclt.exe[1276] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C2000A
.text C:\WINDOWS\system32\wuauclt.exe[1276] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C3000A
.text C:\WINDOWS\system32\wuauclt.exe[1276] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C1000C
.text C:\WINDOWS\System32\svchost.exe[1356] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1356] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1356] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1356] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0088000A
.text C:\WINDOWS\System32\svchost.exe[1356] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00F2000A
.text C:\WINDOWS\system32\SearchIndexer.exe[1444] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----