Dear All,
For about 8-10 days, I've been having these problems with my laptop (32-bit Windows 7):
When I start up my laptop after shutting it down entirely, all seems fine; Google loads quickly. Then, from between 30-120 minutes after startup, things start going bad. First, Google redirects (especially from links I try to access after googling 'anti virus' or similar). Then, quite rapidly afterward, Google (in any country/version) won't load at all, and neither will Bing or Yahoo.
I have Sophos anti-virus installed, and ran a full check, with nothing found. I installed Malwarebytes and did a quick scan, which found nothing:
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org
Database version: v2012.02.01.02
Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
Hansen :: FADING [administrator]
01-Feb-12 12:05:52
mbam-log-2012-02-01 (12-05-52).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 199661
Time elapsed: 12 minute(s), 7 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
--------------------------------
Following the advice on your 5-step guide, I then ran gmer, with the following log as result:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-31 16:08:46
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.GJ00
Running: vtdn6o4v.exe; Driver: C:\Users\Hansen\AppData\Local\Temp\awldypod.sys
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8307A5D9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8309F092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!ZwResumeThread 832A953E 1 Byte [CC] {INT 3 }
.text iaStor.sys 83E5A8C6 1 Byte [CC] {INT 3 }
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\Explorer.EXE[1972] kernel32.dll!CopyFileExW 765707DB 7 Bytes JMP 6FA075A0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\Windows\Explorer.EXE[1972] kernel32.dll!MoveFileWithProgressW 7657BE8C 5 Bytes JMP 6FA07460 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
.text C:\Windows\Explorer.EXE[1972] ole32.dll!CoCreateInstance 7739590C 8 Bytes JMP 6FA07860 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2680] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75C45E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2680] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75C45E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2680] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75C45E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2680] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75C45E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2680] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [75C45E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2680] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [75C45E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000058 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
---- Threads - GMER 1.0.15 ----
Thread System [4:436] 88D12161
Thread System [4:504] 8AB78C30
------------------------
After this, I saved the log above, as the system seemed to be finished - and got a message that it wasn't finished yet, so I re-ran/continued (?) the scan, and the following short log was created:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-01-31 16:10:02
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.GJ00
Running: vtdn6o4v.exe; Driver: C:\Users\Hansen\AppData\Local\Temp\awldypod.sys
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
---- Threads - GMER 1.0.15 ----
Thread System [4:436] 88D12161
Thread System [4:504] 8AB78C30
---- EOF - GMER 1.0.15 ----
------------------------------
Please help; any advice much appreciated!
Cheers,
Dennis
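A small triage helper, added here as an example and not part of the original post or of GMER itself: it parses a GMER log in the layout shown above, counts entries per section, and separates entries that carry a vendor attribution in the trailing parentheses (here Sophos and Microsoft) from those that do not, which are the ones worth a closer manual look. The trusted-vendor set is an assumption for the example, and the sample lines are constructed copies of the log format above.

```python
import re
from collections import Counter

# Constructed sample in the GMER 1.0.15 log layout (copied format, not a real scan file).
SAMPLE_LOG = r"""GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-31 16:08:46
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8307A5D9 1 Byte [06]
PAGE ntkrnlpa.exe!ZwResumeThread 832A953E 1 Byte [CC] {INT 3 }
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\Explorer.EXE[1972] kernel32.dll!CopyFileExW 765707DB 7 Bytes JMP 6FA075A0 C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL (Sophos Buffer Overrun Protection/Sophos Plc)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
---- Threads - GMER 1.0.15 ----
Thread System [4:436] 88D12161
---- EOF - GMER 1.0.15 ----
"""

# Section banners look like "---- <name> - GMER 1.0.15 ----".
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# Attributed entries end with "(Description/Vendor)".
VENDOR_RE = re.compile(r"\(([^()]+)\)\s*$")

# Assumption for this example: vendors the operator has decided to trust outright.
TRUSTED_VENDORS = {"Microsoft Corporation", "Sophos Plc"}


def parse_gmer_log(text):
    """Return one dict per entry: section, raw line, description and vendor (None if unattributed)."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        if section is None or section == "EOF":
            continue  # header lines before the first section, or trailing EOF marker
        match = VENDOR_RE.search(line)
        description = vendor = None
        if match:
            inner = match.group(1)
            # GMER prints "Description/Vendor"; split on the last slash only.
            if "/" in inner:
                description, vendor = (part.strip() for part in inner.rsplit("/", 1))
            else:
                description = inner.strip()
        entries.append({"section": section, "line": line,
                        "description": description, "vendor": vendor})
    return entries


def section_counts(entries):
    """Number of entries per log section, e.g. how many kernel hooks were reported."""
    return dict(Counter(e["section"] for e in entries))


def triage(entries, trusted=TRUSTED_VENDORS):
    """Split entries into vendor-attributed (trusted) and unattributed ones needing manual review."""
    report = {"attributed": [], "review": []}
    for entry in entries:
        bucket = "attributed" if entry["vendor"] in trusted else "review"
        report[bucket].append(entry)
    return report


if __name__ == "__main__":
    parsed = parse_gmer_log(SAMPLE_LOG)
    print("entries per section:", section_counts(parsed))
    result = triage(parsed)
    print(f"{len(result['attributed'])} attributed to trusted vendors, "
          f"{len(result['review'])} to review manually:")
    for entry in result["review"]:
        print(f"  [{entry['section']}] {entry['line']}")
```

Run it against a saved GMER log by reading the file into the parser; an unattributed entry is not proof of anything by itself (GMER's own breakpoints and legitimate unsigned drivers land there too), it is simply the shortlist to examine first.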