I uploaded the file for you here: http://www.uploadbigfiles.net/downlo...le=977gmer.zip
See if you can get it.
It worked... I am scanning now...
Cool :)
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-06 21:21:12
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF30E8618]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF30E84D4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF30E89B2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF30E80AC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF30E85AE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF30E7FEC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF30E8050]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF30E86CE]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF30E868E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF30E880E]
Code E1970458 ZwEnumerateKey
Code E1970538 ZwFlushInstructionCache
Code F7DB1E0B pIofCallDriver
---- Kernel code sections - GMER 1.0.14 ----
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EEB0 5 Bytes JMP E197045C
PAGE ntoskrnl.exe!ZwFlushInstructionCache 805769EA 5 Bytes JMP E197053C
---- User code sections - GMER 1.0.14 ----
.text C:\Program Files\Internet Explorer\Iexplore.exe[1288] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1288] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A1667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1288] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A15E8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1288] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A162C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1288] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A1574 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1288] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A15AE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1288] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A16A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1288] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1288] WININET.dll!HttpAddRequestHeadersA 7805FB35 5 Bytes JMP 00F0000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1288] WININET.dll!HttpAddRequestHeadersW 780CCF65 5 Bytes JMP 00F8000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1288] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00B3000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1288] WS2_32.dll!send 71AB428A 5 Bytes JMP 00B5000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1288] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00B4000A
.text C:\WINDOWS\Explorer.EXE[1776] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00C3000A
.text C:\WINDOWS\Explorer.EXE[1776] WS2_32.dll!send 71AB428A 5 Bytes JMP 00C5000A
.text C:\WINDOWS\Explorer.EXE[1776] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00C4000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2640] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00DD000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2640] WS2_32.dll!send 71AB428A 5 Bytes JMP 00DF000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2640] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00DE000A
---- User IAT/EAT - GMER 1.0.14 ----
IAT C:\WINDOWS\system32\services.exe[608] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[608] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
---- Devices - GMER 1.0.14 ----
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
---- Modules - GMER 1.0.14 ----
Module \systemroot\system32\drivers\TDSSserv.sys (*** hidden *** ) F7DB0000-F7DBC000 (49152 bytes)
---- Threads - GMER 1.0.14 ----
Thread 4:292 F7DB1D68
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\system32\drivers\TDSSserv.sys (*** hidden *** ) [SYSTEM] TDSSserv <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys@ driver
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSSserv.sys@ driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\TDSSserv.sys@ driver
Reg HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Network\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Network\TDSSserv.sys@ driver
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@affid 5
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@subid 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@control 0x09 0x19 0x1F 0x16 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@prov 10010
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@googleadserver pagead2.googlesyndication.com
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@flagged 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@serf_once 1
---- EOF - GMER 1.0.14 ----
We got SOB!!
You have a rootkit.
Restart the computer in Safe Mode, and delete the TDSSserv.sys file from C:\WINDOWS\system32\drivers
If it gives you any problem deleting it, let me know.
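Reading a GMER log by hand is error-prone, so here is an added example (it is not from the thread and not GMER's own code) that parses the log posted above and pulls out the indicators that actually drive the diagnosis: a kernel module and a service that GMER could not find through normal enumeration (`*** hidden ***`), that service's start/type/imagepath values, the SafeBoot\Minimal and SafeBoot\Network entries (Windows loads only the drivers listed under those keys in Safe Mode, so registering there means the driver comes up in Safe Mode as well and a Safe Mode boot alone does not get rid of it), user-mode inline hooks on WS2_32/WININET functions whose JMP target GMER could not attribute to any loaded module (contrast the IEFRAME.dll hooks, which it could), and SSDT hooks grouped by the driver that owns them, which separates avast's self-protection driver from anything unknown. The embedded sample is a constructed excerpt of the first log; the script deliberately ignores GMER's own `<-- ROOTKIT !!!` marker (the second scan later in the thread attaches it to the avast entries too) and keys on attribution instead.

```python
"""Triage a GMER rootkit-scan log.

Pulls out the findings that matter for a diagnosis: hidden kernel modules and
services, the hidden service's start/type/imagepath values, SafeBoot
persistence, user-mode inline hooks with no owning module, and SSDT hooks
grouped by the driver that installed them.
"""
import re
from collections import defaultdict

# Constructed sample input: an excerpt of the first GMER log posted in this thread.
SAMPLE_LOG = r"""
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-06 21:21:12
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF30E7FEC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF30E880E]
Code F7DB1E0B pIofCallDriver
---- User code sections - GMER 1.0.14 ----
.text C:\Program Files\Internet Explorer\Iexplore.exe[1288] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A15AE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[1288] WININET.dll!HttpAddRequestHeadersA 7805FB35 5 Bytes JMP 00F0000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[1288] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00B3000A
.text C:\WINDOWS\Explorer.EXE[1776] WS2_32.dll!send 71AB428A 5 Bytes JMP 00C5000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2640] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00DD000A
---- Modules - GMER 1.0.14 ----
Module \systemroot\system32\drivers\TDSSserv.sys (*** hidden *** ) F7DB0000-F7DBC000 (49152 bytes)
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\system32\drivers\TDSSserv.sys (*** hidden *** ) [SYSTEM] TDSSserv <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys@ driver
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@affid 5
---- EOF - GMER 1.0.14 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT (\S+) \((.*?)\) (Zw\w+) \[0x([0-9A-Fa-f]+)\]")
# process path [pid] DLL!function address N Bytes JMP target [owning module (description)]
HOOK_RE = re.compile(
    r"^\.text (.+?)\[(\d+)\] (\S+!\S+) ([0-9A-F]+) (\d+) Bytes JMP ([0-9A-F]+)"
    r"(?: (.+?) \((.*)\))?$")
MODULE_RE = re.compile(r"^Module (\S+) \(\*\*\* hidden \*\*\* \) ([0-9A-F]+)-([0-9A-F]+)")
SVC_RE = re.compile(r"^Service (\S+) \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\w+)")


def parse_gmer(text):
    """Yield (section name, stripped line) for every non-header, non-blank line."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        yield section, line


def triage(text):
    """Return a dict of findings extracted from a GMER log."""
    f = {
        "ssdt_by_driver": defaultdict(list),   # driver basename -> hooked Zw* functions
        "attributed_hooks": [],                # inline hooks GMER could tie to a module
        "unattributed_hooks": [],              # inline hooks with no owning module
        "hidden_modules": [],
        "hidden_services": [],
        "safeboot_entries": defaultdict(list), # entry name -> ["Minimal", "Network"]
        "service_config": defaultdict(dict),   # service name -> {start, type, imagepath}
        "other_reg": defaultdict(dict),        # any other key -> {value name: data}
    }
    for _section, line in parse_gmer(text):
        if m := SSDT_RE.match(line):
            driver = m.group(1).rsplit("\\", 1)[-1]
            f["ssdt_by_driver"][driver].append(m.group(3))
        elif m := HOOK_RE.match(line):
            proc, pid, api, _addr, _n, target, owner, _desc = m.groups()
            rec = {"process": proc.rsplit("\\", 1)[-1], "pid": int(pid),
                   "api": api, "target": target, "owner": owner}
            (f["attributed_hooks"] if owner else f["unattributed_hooks"]).append(rec)
        elif m := MODULE_RE.match(line):
            f["hidden_modules"].append(m.group(1))
        elif m := SVC_RE.match(line):
            f["hidden_services"].append(m.group(3))
        elif line.startswith("Reg "):
            key, _, rest = line[4:].partition("@")   # "key@name data"; bare keys have no "@"
            name, _, value = rest.partition(" ")
            parts = key.split("\\")
            if "SafeBoot" in parts:
                mode, entry = parts[parts.index("SafeBoot") + 1], parts[-1]
                if mode not in f["safeboot_entries"][entry]:
                    f["safeboot_entries"][entry].append(mode)
            elif not name:
                continue                              # bare key line, nothing to record
            elif "Services" in parts:
                svc = parts[parts.index("Services") + 1]
                f["service_config"][svc][name.lower()] = value
            else:
                f["other_reg"][key][name] = value
    return f


def safe_mode_bypassed(f):
    """Entries registered under SafeBoot\\Minimal, i.e. drivers that still load in Safe Mode."""
    return [e for e, modes in f["safeboot_entries"].items() if "Minimal" in modes]


def summarize(f):
    """Human-readable findings, one per line."""
    out = []
    for name in f["hidden_services"]:
        cfg = f["service_config"].get(name, {})
        out.append(f"hidden service {name}: start={cfg.get('start')} type={cfg.get('type')} "
                   f"image={cfg.get('imagepath')}")
    for entry in safe_mode_bypassed(f):
        out.append(f"{entry} is listed under SafeBoot\\Minimal: it loads in Safe Mode too")
    for proc, pid in sorted({(h["process"], h["pid"]) for h in f["unattributed_hooks"]}):
        apis = [h["api"] for h in f["unattributed_hooks"] if h["pid"] == pid]
        out.append(f"{proc}[{pid}]: {len(apis)} inline hook(s) with no owning module: {', '.join(apis)}")
    for driver, fns in f["ssdt_by_driver"].items():
        out.append(f"SSDT: {len(fns)} entries owned by {driver}")
    return out


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_LOG)):
        print(line)
```

On the sample, the unattributed hooks all sit on the same three socket/HTTP functions in three different browsers and in Explorer, with jump targets at low addresses that belong to no loaded image; the IEFRAME.dll hooks are identical in form but have an owner, which is why attribution, not the mere presence of a JMP, is the thing to look at.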
Still can't do "Safe Mode".....
OK. I forgot.
Access Task Manager, and see if the TDSSserv.sys process is running. If so, click on it, and click the "End Process" button.
See if you can delete the TDSSserv.sys file in Normal Mode, then.
Well.....
I searched for TDSSserv.sys and could not find it......
It isn't running as a process either....
Did you go to the C:\WINDOWS\system32\drivers folder?
In Windows Explorer > Tools > Folder Options > View tab, make sure the 1st item is checked and the 2nd one unchecked:
http://209.85.48.8/228/109/upload/p4167613.gif
Now, look again in the above folder.
It's not there...
I searched for it again....
OK. Run GMER again.
When the scan is completed, right-click on the following line:
Service C:\WINDOWS\system32\drivers\TDSSserv.sys (*** hidden *** ) [SYSTEM] TDSSserv <-- ROOTKIT !!!
and click "Delete the service", and answer YES to all questions.
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-06 22:23:47
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.14 ----
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF3164618] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF31644D4] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF31649B2] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF31640AC] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF31645AE] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF3163FEC] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF3164050] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF31646CE] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF316468E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF316480E] <-- ROOTKIT !!!
Code E19171F0 ZwEnumerateKey
Code E19172D0 ZwFlushInstructionCache
Code F7898E0B pIofCallDriver
---- Kernel code sections - GMER 1.0.14 ----
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EEB0 5 Bytes JMP E19171F4
PAGE ntoskrnl.exe!ZwFlushInstructionCache 805769EA 5 Bytes JMP E19172D4
---- User code sections - GMER 1.0.14 ----
.text C:\WINDOWS\Explorer.EXE[1720] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00C3000A
.text C:\WINDOWS\Explorer.EXE[1720] WS2_32.dll!send 71AB428A 5 Bytes JMP 00C5000A
.text C:\WINDOWS\Explorer.EXE[1720] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00C4000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2276] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2276] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A1667 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2276] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A15E8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2276] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A162C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2276] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A1574 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2276] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A15AE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2276] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A16A2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2276] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2276] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00D4000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2276] WS2_32.dll!send 71AB428A 5 Bytes JMP 00D6000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2276] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 00D5000A
---- User IAT/EAT - GMER 1.0.14 ----
IAT C:\WINDOWS\system32\services.exe[608] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[608] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
---- Devices - GMER 1.0.14 ----
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
---- Modules - GMER 1.0.14 ----
Module \systemroot\system32\drivers\TDSSserv.sys (*** hidden *** ) F7897000-F78A3000 (49152 bytes)
---- Threads - GMER 1.0.14 ----
Thread 4:292 F7898D68
---- Services - GMER 1.0.14 ----
Service C:\WINDOWS\system32\drivers\TDSSserv.sys (*** hidden *** ) [SYSTEM] TDSSserv <-- ROOTKIT !!!
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TDSSserv.sys@ driver
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSSserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TDSSserv.sys@ driver
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\TDSSserv.sys@ driver
Reg HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Network\TDSSserv.sys
Reg HKLM\SYSTEM\ControlSet003\Control\SafeBoot\Network\TDSSserv.sys@ driver
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSserv.sys
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@affid 5
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@subid 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@control 0x09 0x19 0x1F 0x16 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@prov 10010
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@googleadserver pagead2.googlesyndication.com
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@flagged 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssData@serf_once 1
---- EOF - GMER 1.0.14 ----
OK... I did the deletion of the TDSS.sys in GMER....
Now what....
Have I said thank you yet....
Thanks for all of this help....
Restart the computer, and see if the redirection still happens.
Broni - you are amazing..... IT WORKED!!!!!!!!!!!!!!!!!!!!!!!!!!!!
I can't thank you enough for your patience and persistence!!!!!!!!!!!!!!!!!!!!!!
No more redirection on IE or on Firefox......
Now........
I have a lot of new programs that I had to install to squeeze out this little critter.....
What programs can I remove, and how can I do that.....
And also - how did I get this rootkit.... and what is a rootkit????
Thanks a ton for your help....