It looks like I'm one of many that have caught the redirecting problem. AVG Free 9.0 detected a trojan a few days ago and put it in the vault and then Spybot S&D alerted me to attempted registry changes by "Lrudozahuyur" and "Chejepuxek", which I blacklisted. I started getting bombarded with notices of the changes being blocked so I ran Malwarebytes, which detected and deleted problems. The registry change attempts stopped. However, I'm still getting a ton of redirects, and AVG, Spybot, Ad-aware, and Malwarebytes all come up clean.
So I've come to you guys for help. I did the 8 steps. GMER crashed my computer twice so I ended up running it in safe mode.
Thank you,
Eulie
Here are my logs; the text files are attached:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4227
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005
29/06/2010 10:20:29 PM
mbam-log-2010-06-29 (22-20-29).txt
Scan type: Quick scan
Objects scanned: 131312
Time elapsed: 7 minute(s), 6 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-29 23:08:02
Windows 6.0.6002 Service Pack 2
Running: yog98guo.exe; Driver: C:\Users\Allison\AppData\Local\Temp\ugrdqpow.sys
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\Windows\system32\drivers\nvstor32.sys entry point in ".rsrc" section [0x807F1014]
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[888] ntdll.dll!NtProtectVirtualMemory 774B4D34 5 Bytes JMP 0021000A
.text C:\Windows\system32\svchost.exe[888] ntdll.dll!NtWriteVirtualMemory 774B5674 5 Bytes JMP 0022000A
.text C:\Windows\system32\svchost.exe[888] ntdll.dll!KiUserExceptionDispatcher 774B5DC8 5 Bytes JMP 0011000A
.text C:\Windows\system32\svchost.exe[888] ole32.dll!CoCreateInstance 771C9EA6 5 Bytes JMP 0081000A
.text C:\Windows\Explorer.EXE[1192] ntdll.dll!NtProtectVirtualMemory 774B4D34 5 Bytes JMP 0025000A
.text C:\Windows\Explorer.EXE[1192] ntdll.dll!NtWriteVirtualMemory 774B5674 5 Bytes JMP 0026000A
.text C:\Windows\Explorer.EXE[1192] ntdll.dll!KiUserExceptionDispatcher 774B5DC8 5 Bytes JMP 0024000A
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [741F7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7424A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [741FBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [741EF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [741F75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [741EE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74228395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [741FDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [741EFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [741EFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [741E71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7427CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7421C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [741ED968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [741E6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [741E687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [741F2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
Device -> \Driver\nvstor32 \Device\Harddisk0\DR0 854B4EC5
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0002760d8595
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0002760d8595@001cef2f36d1 0xA9 0xBD 0x64 0xF1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0002760d8595 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0002760d8595@001cef2f36d1 0xA9 0xBD 0x64 0xF1 ...
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\nvstor32.sys suspicious modification
---- EOF - GMER 1.0.15 ----