
Virus/malware removal - Browser hijacked

Discussion in 'Virus & Other Malware Removal' started by rauffenburg, Feb 17, 2013.

Thread Status:
Not open for further replies.
  1. rauffenburg

    rauffenburg Thread Starter

    Joined:
    Feb 17, 2013
    Messages:
    4
    Hi everyone,

    I suspect that the browser (Firefox 18.0.2) on my dad's computer has been hijacked by some kind of trojan/virus. When clicking on a link on Google, the link sometimes gets redirected to pages such as:

    funnyhumorshow.com
    secure.tlbsearch.com
    ihavenet.com

    And sometimes it also tries to redirect to a page which is apparently blacklisted and has the IP address 109.206.160.232. I then get the Firefox warning for a reported attack page and it blocks the redirect.

    The system running is Windows XP SP3. I'll add the log files of hijackthis / DDS / GMER below.

    Also Avira AntiVir found the following Virus/Trojan, yet removing it didn't solve the issue: EXP/Dldr.Java.O.

    Thanks for any ideas!
     
  2. rauffenburg

    rauffenburg Thread Starter

    Joined:
    Feb 17, 2013
    Messages:
    4
    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 16:21:18, on 17.02.2013
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Programme\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\igfxpers.exe
    C:\Programme\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\WINDOWS\System32\igfxsrvc.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Programme\Synaptics\SynTP\SynTPEnh.exe
    C:\Programme\Notebook Hardware Control\nhc.exe
    C:\Programme\Avira\AntiVir Desktop\avgnt.exe
    C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programme\Avira\AntiVir Desktop\avguard.exe
    C:\Programme\Messenger\msmsgs.exe
    C:\Programme\Bonjour\mDNSResponder.exe
    C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Programme\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Programme\Java\jre6\bin\jqs.exe
    C:\DOKUME~1\Gerd\LOKALE~1\Temp\RtkBtMnt.exe
    C:\Programme\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Programme\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Programme\Mozilla Firefox\plugin-container.exe
    C:\Dokumente und Einstellungen\Gerd\Eigene Dateien\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.winfuture.de
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Programme\Outlook Express\msimn.exe"
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: TerraTec Home Cinema - {AD6E6555-FB2C-47D4-8339-3E2965509877} - C:\PROGRA~1\TerraTec\TERRAT~1\THCDES~1.DLL
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\System32\igfxpers.exe
    O4 - HKLM\..\Run: [IAAnotif] "C:\Programme\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [BroadcomWireless] C:\Programme\Broadcom\Wireless\Utility\WlanUtil.exe
    O4 - HKLM\..\Run: [SynTPStart] C:\Programme\Synaptics\SynTP\SynTPStart.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AzMixerSel] C:\Programme\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [NotebookHardwareControl] "C:\Programme\Notebook Hardware Control\nhc.exe" -quiet
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Programme\Gemeinsame Dateien\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKALER DIENST')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETZWERKDIENST')
    O4 - HKUS\S-1-5-21-1708537768-1214440339-839522115-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Andreas')
    O4 - HKUS\S-1-5-21-1708537768-1214440339-839522115-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Elias')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-21-1708537768-1214440339-839522115-1004 Startup: OneNote 2007 Bildschirmausschnitt- und Startprogramm.lnk = C:\Programme\Microsoft Office\Office12\ONENOTEM.EXE (User 'Andreas')
    O4 - Global Startup: BTTray.lnk = ?
    O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1203283008218
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
    O23 - Service: Avira Planer (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Programme\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira Echtzeit Scanner (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Programme\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Dienst "Bonjour" (Bonjour Service) - Apple Inc. - C:\Programme\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Programme\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
    O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Programme\Mozilla Maintenance Service\maintenanceservice.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

    --
    End of file - 7951 bytes
     
  3. rauffenburg

    rauffenburg Thread Starter

    Joined:
    Feb 17, 2013
    Messages:
    4
    DDS log:

    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_39
    Run by Gerd at 16:23:48 on 2013-02-17
    Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.502.51 [GMT 1:00]
    .
    AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    ============== Running Processes ================
    .
    C:\Programme\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Programme\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\igfxpers.exe
    C:\Programme\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\WINDOWS\System32\igfxsrvc.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Programme\Synaptics\SynTP\SynTPEnh.exe
    C:\Programme\Notebook Hardware Control\nhc.exe
    C:\Programme\Avira\AntiVir Desktop\avgnt.exe
    C:\Programme\Gemeinsame Dateien\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Programme\Avira\AntiVir Desktop\avguard.exe
    C:\Programme\Messenger\msmsgs.exe
    C:\Programme\Bonjour\mDNSResponder.exe
    C:\Programme\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Programme\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Programme\Java\jre6\bin\jqs.exe
    C:\DOKUME~1\Gerd\LOKALE~1\Temp\RtkBtMnt.exe
    C:\Programme\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Programme\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Programme\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\WINDOWS\System32\svchost.exe -k LocalService
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.winfuture.de
    uInternet Connection Wizard,ShellNext = "c:\programme\outlook express\msimn.exe"
    BHO: Adobe PDF Reader: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\programme\java\jre6\bin\ssv.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\programme\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\programme\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: TerraTec Home Cinema: {AD6E6555-FB2C-47D4-8339-3E2965509877} - c:\programme\terratec\terratec home cinema\ThcDeskBand.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\programme\messenger\msmsgs.exe" /background
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [IAAnotif] "c:\programme\intel\intel matrix storage manager\Iaanotif.exe"
    mRun: [BroadcomWireless] c:\programme\broadcom\wireless\utility\WlanUtil.exe
    mRun: [SynTPStart] c:\programme\synaptics\syntp\SynTPStart.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [AzMixerSel] c:\programme\realtek\installshield\AzMixerSel.exe
    mRun: [NotebookHardwareControl] "c:\programme\notebook hardware control\nhc.exe" -quiet
    mRun: [Adobe Reader Speed Launcher] "c:\programme\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\programme\gemeinsame dateien\adobe\arm\1.0\AdobeARM.exe"
    mRun: [avgnt] "c:\programme\avira\antivir desktop\avgnt.exe" /min
    mRun: [SunJavaUpdateSched] "c:\programme\gemeinsame dateien\java\java update\jusched.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\bttray.lnk - c:\programme\widcomm\bluetooth software\BTTray.exe
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
    mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    IE: Nach Microsoft E&xel exportieren - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\programme\microsoft office\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203283008218
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
    TCP: NameServer = 192.168.0.1
    TCP: Interfaces\{3886EA2B-D260-4AEC-BCCF-B60A805876AB} : DHCPNameServer = 192.168.0.1
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\dokumente und einstellungen\gerd\anwendungsdaten\mozilla\firefox\profiles\6jvf8c5e.default\
    FF - plugin: c:\programme\java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: c:\programme\microsoft\office live\npOLW.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_149.dll
    FF - plugin: c:\windows\system32\npdeployJava1.dll
    FF - plugin: c:\windows\system32\npptools.dll
    FF - ExtSQL: 2013-02-15 18:50; {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA}; c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA}
    FF - ExtSQL: !HIDDEN! 2009-08-09 00:13; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-4-26 36000]
    R2 AntiVirSchedulerService;Avira Planer;c:\programme\avira\antivir desktop\sched.exe [2012-4-26 86224]
    R2 AntiVirService;Avira Echtzeit Scanner;c:\programme\avira\antivir desktop\avguard.exe [2012-4-26 110032]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-28 83392]
    R3 RTL2832U_IRHID;Cinergy T Stick HID;c:\windows\system32\drivers\RTL2832U_IRHID.sys [2012-5-7 43392]
    R3 RTL2832UBDA;Cinergy T Stick RC BDA service;c:\windows\system32\drivers\RTL2832UBDA.sys [2012-5-7 189184]
    R3 RTL2832UUSB;Cinergy T Stick RC USB service;c:\windows\system32\drivers\RTL2832UUSB.sys [2012-5-7 33536]
    .
    =============== Created Last 30 ================
    .
    2013-02-12 16:23:37 98304 --sha-r- c:\windows\system32\ddrawp.dll
    .
    ==================== Find3M ====================
    .
    2013-02-17 10:23:09 22528 ----a-w- c:\windows\system32\drivers\nhcDriver.sys
    2013-02-09 20:20:43 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2013-02-09 20:20:43 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe
    2013-01-26 03:55:37 552448 ----a-w- c:\windows\system32\oleaut32.dll
    2013-01-15 15:56:10 477616 ----a-w- c:\windows\system32\npdeployJava1.dll
    2013-01-15 15:56:07 473520 ----a-w- c:\windows\system32\deployJava1.dll
    2013-01-15 14:14:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2013-01-07 07:24:26 2195328 ----a-w- c:\windows\system32\ntoskrnl.exe
    2013-01-07 07:24:26 2072064 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2013-01-04 10:09:09 1867392 ----a-w- c:\windows\system32\win32k.sys
    2013-01-02 06:49:00 148992 ----a-w- c:\windows\system32\mpg2splt.ax
    2013-01-02 06:49:00 1297920 ----a-w- c:\windows\system32\quartz.dll
    2012-12-26 20:06:42 916480 ----a-w- c:\windows\system32\wininet.dll
    2012-12-26 20:06:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2012-12-26 20:06:41 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2012-12-24 06:40:59 385024 ----a-w- c:\windows\system32\html.iec
    2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
    .
    ============= FINISH: 16:25:30,21 ===============
     
  4. rauffenburg

    rauffenburg Thread Starter

    Joined:
    Feb 17, 2013
    Messages:
    4
    GMER Log

    GMER 2.1.18952 - http://www.gmer.net
    Rootkit scan 2013-02-17 17:27:39
    Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.SB2O 74,53GB
    Running: e1r39yh2.exe; Driver: C:\DOKUME~1\Gerd\LOKALE~1\Temp\kwryapob.sys


    ---- System - GMER 2.1 ----

    SSDT F8BC0114 ZwClose
    SSDT F8BC00CE ZwCreateKey
    SSDT F8BC011E ZwCreateSection
    SSDT F8BC00C4 ZwCreateThread
    SSDT F8BC00D3 ZwDeleteKey
    SSDT F8BC00DD ZwDeleteValueKey
    SSDT F8BC010F ZwDuplicateObject
    SSDT F8BC00E2 ZwLoadKey
    SSDT F8BC00B0 ZwOpenProcess
    SSDT F8BC00B5 ZwOpenThread
    SSDT F8BC0137 ZwQueryValueKey
    SSDT F8BC00EC ZwReplaceKey
    SSDT F8BC0128 ZwRequestWaitReplyPort
    SSDT F8BC00E7 ZwRestoreKey
    SSDT F8BC0123 ZwSetContextThread
    SSDT F8BC012D ZwSetSecurityObject
    SSDT F8BC00D8 ZwSetValueKey
    SSDT F8BC0132 ZwSystemDebugControl
    SSDT F8BC00BF ZwTerminateProcess

    ---- Kernel code sections - GMER 2.1 ----

    ? C:\DOKUME~1\Gerd\LOKALE~1\Temp\mbr.sys Die Syntax für den Dateinamen, Verzeichnisnamen oder die Datenträgerbezeichnung ist falsch. !

    ---- User code sections - GMER 2.1 ----

    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] ntdll.dll!LdrLoadDll 7C92632D 5 Bytes JMP 017F3C70 C:\Programme\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01B46096 C:\Programme\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 01B46073 C:\Programme\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] kernel32.dll!ValidateLocale + B1C8 7C8449C8 7 Bytes JMP 0181553C C:\Programme\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 00FF9B64
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] USER32.dll!DrawTextExW 7E37B415 5 Bytes JMP 00FFB110
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] USER32.dll!DrawTextW 7E37D7E2 5 Bytes JMP 00FFAF4E
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] USER32.dll!SetClipboardData 7E380F9E 5 Bytes JMP 00FFABC4
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] USER32.dll!DrawTextA 7E38C702 5 Bytes JMP 00FFAE73
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] USER32.dll!DrawTextExA 7E38C739 5 Bytes JMP 00FFB029
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] GDI32.dll!TextOutW 77EF7EAC 5 Bytes JMP 00FFADA7
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] GDI32.dll!ExtTextOutW 77EF8086 5 Bytes JMP 00FFB2DB
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] GDI32.dll!SetDIBitsToDevice + 20A 77EF9E14 7 Bytes JMP 01B45FF4 C:\Programme\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] GDI32.dll!TextOutA 77EFBA4F 5 Bytes JMP 00FFACDB
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] GDI32.dll!ExtTextOutA 77EFD3FA 5 Bytes JMP 00FFB1F7
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] GDI32.dll!GetGlyphIndicesA 77F1DFE3 5 Bytes JMP 00FFB69B
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] GDI32.dll!GetGlyphIndicesW 77F32604 5 Bytes JMP 00FFB768
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] WS2_32.dll!getaddrinfo 71A12A6F 5 Bytes JMP 00FF9688
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] WS2_32.dll!closesocket 71A13E2B 5 Bytes JMP 00FFAB0A
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] WS2_32.dll!send 71A14C27 5 Bytes JMP 00FFA63E
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] WS2_32.dll!WSARecv 71A14CB5 5 Bytes JMP 00FFA88D
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] WS2_32.dll!gethostbyname 71A15355 5 Bytes JMP 00FF95C7
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] WS2_32.dll!recv 71A1676F 5 Bytes JMP 00FFA6F7
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] WS2_32.dll!WSASend 71A168FA 5 Bytes JMP 00FFA7B9
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] WS2_32.dll!WSAAsyncGetHostByName 71A1E99D 5 Bytes JMP 00FF9A85
    .text C:\Programme\Mozilla Firefox\firefox.exe[2636] WININET.dll!InternetCrackUrlW 408B40C0 5 Bytes JMP 00FFBA2E
    .text C:\Programme\Mozilla Firefox\plugin-container.exe[3388] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 1044B80C C:\Programme\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\Programme\Mozilla Firefox\plugin-container.exe[3388] USER32.dll!GetMenuContextHelpId + 1A 7E3B5319 7 Bytes JMP 1044BDF3 C:\Programme\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- Devices - GMER 2.1 ----

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 2.1 ----
     
Short URL to this thread: https://techguy.org/1089896
