Help! Can't remove Trojan virus

June 11, 2011 at 22:15:20
Specs: Windows 7
Threat detected!

File name: c:\windows\system32\drivers\volsnap.sys

Threat name: Trojan horse Generic3_c.BNQG

Keeps popping up and I can't get rid of it. Please help




#1
June 12, 2011 at 09:33:38
RICKY-D,

Please download GMER:
http://gmer.net/download.php
[Downloads a randomly named file. (Recommended)]

Disconnect from the Internet and close all running programs.

Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver. Info:
http://www.bleepingcomputer.com/for...

Double-click on the randomly named GMER file (i.e. n7gmo46c.exe)
Allow the gmer.sys driver to load...

GMER opens to the Rootkit/Malware tab and performs an automatic quick scan when first run. (Please do not use the computer while the scan is in progress.)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO

Now, click the >Scan< button.
If you see a rootkit warning window, click OK.

When the scan finishes, click 'Save...' button to save the scan results to your Desktop.
Save the file as >gmer.log<

>>Click the Copy button and Paste the results in your reply.<<

Note: Please, do not take action on any of the information on the GMER report!!!!

If you encounter any problems, try running GMER in Safe Mode:
http://www.computerhope.com/issues/...

If GMER crashes or keeps resulting in BSODs, uncheck 'Devices' (on the right side) before scanning.


Next, download mbr.exe
http://www2.gmer.net/mbr/mbr.exe

Save the file to your Desktop.
Double-click >mbr.exe< and follow the prompts.

When mbr.exe is done, it creates a log.
>>Also copy and paste contents of the mbr.exe log in your reply.<<

~~~~
Retired - Doin' Dis, Dat, and slapping malware.



#2
June 13, 2011 at 00:15:10
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-13 17:10:45
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950042 rev.0006
Running: enf5t75p.exe; Driver: C:\Users\RIC-A-~1\AppData\Local\Temp\uglyauoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x9C969780]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x9C969830]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x9C9698D0]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x9C969970]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83052599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83076F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 4E8 8307E9F8 4 Bytes [80, 97, 96, 9C]
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 8307ECC8 8 Bytes [30, 98, 96, 9C, D0, 98, 96, ...] {XOR [EAX-0x672f636a], BL; XCHG ESI, EAX; PUSHF }
.text ntkrnlpa.exe!RtlSidHashLookup + 82C 8307ED3C 4 Bytes [70, 99, 96, 9C] {JO 0xffffffffffffff9b; XCHG ESI, EAX; PUSHF }
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x92A24000, 0x2D5046, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2280] USER32.dll!CreateWindowExW 759D0E51 5 Bytes JMP 6DF6818F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2280] USER32.dll!DialogBoxIndirectParamW 759F4AA7 5 Bytes JMP 6E08FE70 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2280] USER32.dll!DialogBoxParamW 759F564A 5 Bytes JMP 6DE84BA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2280] USER32.dll!DialogBoxParamA 75A0CF6A 5 Bytes JMP 6E08FE0D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2280] USER32.dll!DialogBoxIndirectParamA 75A0D29C 5 Bytes JMP 6E08FED3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2280] USER32.dll!MessageBoxIndirectA 75A1E8C9 5 Bytes JMP 6E08FDA2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2280] USER32.dll!MessageBoxIndirectW 75A1E9C3 5 Bytes JMP 6E08FD37 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2280] USER32.dll!MessageBoxExA 75A1EA29 5 Bytes JMP 6E08FCD5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2280] USER32.dll!MessageBoxExW 75A1EA4D 5 Bytes JMP 6E08FC73 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2280] WININET.dll!HttpAddRequestHeadersA 76FE9ACA 5 Bytes JMP 003A6B70
.text C:\Program Files\Internet Explorer\iexplore.exe[2280] WININET.dll!HttpAddRequestHeadersW 76FF0850 5 Bytes JMP 003A6D70
.text C:\Program Files\Internet Explorer\iexplore.exe[2280] WS2_32.dll!closesocket 76E63BED 5 Bytes JMP 0060000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2280] WS2_32.dll!recv 76E647DF 5 Bytes JMP 005A000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2280] WS2_32.dll!connect 76E648BE 5 Bytes JMP 005B000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2280] WS2_32.dll!getaddrinfo 76E66737 5 Bytes JMP 0063000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2280] WS2_32.dll!send 76E6C4C8 5 Bytes JMP 0061000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2280] WS2_32.dll!gethostbyname 76E77133 5 Bytes JMP 0062000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] USER32.dll!CreateDialogParamW 759C9BFF 5 Bytes JMP 10134D20 C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] USER32.dll!UnhookWindowsHookEx 759CCC7B 5 Bytes JMP 6DF783A2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] USER32.dll!CallNextHookEx 759CCC8F 5 Bytes JMP 6DF59D8C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] USER32.dll!CreateWindowExW 759D0E51 5 Bytes JMP 6DF6818F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] USER32.dll!SetWindowsHookExW 759D210A 5 Bytes JMP 6DF14643 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] USER32.dll!DialogBoxIndirectParamW 759F4AA7 5 Bytes JMP 6E08FE70 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] USER32.dll!TrackPopupMenu 759F4B3B 5 Bytes JMP 101344A0 C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] USER32.dll!DialogBoxParamW 759F564A 5 Bytes JMP 10134EA0 C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] USER32.dll!TrackPopupMenuEx 759F5F72 5 Bytes JMP 10134600 C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] USER32.dll!DialogBoxParamA 75A0CF6A 5 Bytes JMP 6E08FE0D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] USER32.dll!DialogBoxIndirectParamA 75A0D29C 5 Bytes JMP 6E08FED3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] USER32.dll!MessageBoxIndirectA 75A1E8C9 5 Bytes JMP 6E08FDA2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] USER32.dll!MessageBoxIndirectW 75A1E9C3 5 Bytes JMP 6E08FD37 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] USER32.dll!MessageBoxExA 75A1EA29 5 Bytes JMP 6E08FCD5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] USER32.dll!MessageBoxExW 75A1EA4D 5 Bytes JMP 6E08FC73 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] ole32.dll!OleLoadFromStream 76C55BF6 5 Bytes JMP 6E0901C3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] ole32.dll!CoCreateInstance 76CA590C 5 Bytes JMP 6DF68C7D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] wininet.dll!HttpAddRequestHeadersA 76FE9ACA 5 Bytes JMP 01BC6B70
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] wininet.dll!HttpAddRequestHeadersW 76FF0850 5 Bytes JMP 01BC6D70
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] WS2_32.dll!closesocket 76E63BED 5 Bytes JMP 6D88EEE9 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] WS2_32.dll!socket 76E63F00 5 Bytes JMP 6D88E59E C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] WS2_32.dll!recv 76E647DF 5 Bytes JMP 6D88F1C3 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] WS2_32.dll!connect 76E648BE 5 Bytes JMP 6D88E62A C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] WS2_32.dll!getaddrinfo 76E66737 5 Bytes JMP 6D88E71D C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] WS2_32.dll!send 76E6C4C8 5 Bytes JMP 6D88E9ED C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] WS2_32.dll!gethostbyname 76E77133 5 Bytes JMP 01D2000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000073 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Threads - GMER 1.0.15 ----

Thread System [4:292] 8793FE7A
Thread System [4:296] 87942008
Thread System [4:5584] 9C99AF2E

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001a6b2af2e9
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00271331889c
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001a6b2af2e9 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00271331889c (not active ControlSet)

---- EOF - GMER 1.0.15 ----


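The log above lists two kinds of hooks: SSDT entries in the kernel and inline JMP patches in user-mode processes. Grouping them by the module that owns the hook target is how a responder separates a security product's or browser add-on's own hooks (AVG, IEFRAME, Conduit, SeaNote here) from hooks that jump into memory GMER could not attribute to any module, such as the WININET and WS2_32 entries in iexplore.exe[2280] that end right after the target address. The script below is an added example written for this thread; it is not GMER's code and was not posted by any participant. The regexes, the `Hook` record and the `<unmapped memory>` label are this example's own assumptions about the log format shown in reply #2, and the sample input is an excerpt of that log.

```python
"""Triage helper for a GMER rootkit-scan log.

Added example for this thread (not GMER's code, not posted by any participant).
It parses the 'System' (SSDT) and 'User code sections' (inline JMP) hook lines
and groups every hook by the module that owns its target. Hooks whose target
GMER could not map to a module (lines ending right after the JMP address) land
in anonymous memory and are the entries to review first.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SECTION_RE = re.compile(r"^----\s+(?P<name>.+?)\s+-\s+GMER")
# SSDT <driver> (<description/vendor>) <Zw function> [0x<hook address>]
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<info>[^)]*)\)\s+"
    r"(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]"
)
# .text <process>[<pid>] <dll>!<export> <addr> <n> Bytes JMP <target> [<owner> (<desc/vendor>)]
USER_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>[^!\s]+)!(?P<func>\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<module>.+?)\s+\((?P<info>[^)]*)\))?\s*$"
)


@dataclass
class Hook:
    kind: str              # "SSDT" or "inline"
    process: str           # "kernel" for SSDT entries
    pid: Optional[int]
    symbol: str            # e.g. "WS2_32.dll!recv" or "ZwOpenProcess"
    target: int            # address the hook diverts execution to
    module: Optional[str]  # owner of the target; None when GMER printed none
    info: str              # description/vendor string GMER printed, if any


def parse_gmer(text: str) -> list:
    """Return the SSDT and inline user-mode hooks recorded in a GMER log."""
    hooks, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section == "System":
            m = SSDT_RE.match(line)
            if m:
                hooks.append(Hook("SSDT", "kernel", None, m.group("func"),
                                  int(m.group("addr"), 16), m.group("module"),
                                  m.group("info").strip()))
        elif section == "User code sections":
            m = USER_RE.match(line)
            if m:
                hooks.append(Hook("inline", m.group("process"), int(m.group("pid")),
                                  f"{m.group('dll')}!{m.group('func')}",
                                  int(m.group("target"), 16), m.group("module"),
                                  (m.group("info") or "").strip()))
    return hooks


def unattributed_hooks(hooks):
    """Hooks whose target lies in memory GMER could not attribute to a module."""
    return [h for h in hooks if h.module is None]


def hooks_by_owner(hooks):
    """Group hooks by owning module so each vendor's footprint shows at once."""
    owners = defaultdict(list)
    for h in hooks:
        owners[h.module or "<unmapped memory>"].append(h)
    return dict(owners)


# Excerpt of the log posted in reply #2 (page data, not a constructed sample).
SAMPLE_LOG = r"""---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x9C969780]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x9C969830]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2280] USER32.dll!CreateWindowExW 759D0E51 5 Bytes JMP 6DF6818F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2280] WININET.dll!HttpAddRequestHeadersA 76FE9ACA 5 Bytes JMP 003A6B70
.text C:\Program Files\Internet Explorer\iexplore.exe[2280] WS2_32.dll!recv 76E647DF 5 Bytes JMP 005A000A
.text C:\Program Files\Internet Explorer\iexplore.exe[2280] WS2_32.dll!send 76E6C4C8 5 Bytes JMP 0061000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] USER32.dll!TrackPopupMenu 759F4B3B 5 Bytes JMP 101344A0 C:\Program Files\ConduitEngine\ConduitEngine.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] WS2_32.dll!recv 76E647DF 5 Bytes JMP 6D88F1C3 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4812] WS2_32.dll!gethostbyname 76E77133 5 Bytes JMP 01D2000A

---- Devices - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    found = parse_gmer(SAMPLE_LOG)
    for owner, owned in hooks_by_owner(found).items():
        print(f"{owner}: {len(owned)} hook(s)")
    for h in unattributed_hooks(found):
        print(f"  review: {h.process}[{h.pid}] {h.symbol} -> {h.target:08X}")
```

Run against the full log, the unattributed list is the four WININET/WS2_32 hooks in iexplore.exe[2280] plus gethostbyname in iexplore.exe[4812]; the same exports hooked in the other IE process resolve to SeaNote.dll, which is why the owner grouping matters more than the raw count. An unmapped target is not proof of malware (JIT code and some protection products also patch into private memory), but it is the entry a responder dumps and identifies before deciding anything, which is exactly why reply #1 says not to act on the GMER report alone.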

#3
June 13, 2011 at 00:19:48
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: ST950042 rev.0006 -> Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK



#4
June 13, 2011 at 02:18:57
What program keeps giving you the warning you originally posted? If it is your AntiVirus, which AV is it?

Also, please download TDSSKiller
http://support.kaspersky.com/downlo...
Save it to the Desktop.

Double-click* on TDSSKiller.exe to run the tool.
(*Vista/Windows 7 users, right-click the file, and select: Run As Administrator)

Click the Start Scan button.

Do not use the computer during the scan.

If the scan completes with nothing found, click Close to exit.

When the scan finishes it displays a Scan results screen stating whether or not an infection was found on your computer.

To remove the infection, click on the Continue button.
If it does not say Cure on the results screen, leave it at the default action of Skip, and press the Continue button.

Do not change to Delete or Quarantine as it may delete infected files that are required for Windows to operate properly.

Reboot to finish the cleaning process.

If no reboot is requested, click on Report.
A log file should appear.

A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) is created and saved to the root directory (usually Local Disk C:).

>>Please provide the contents of TDSSKiller in your reply.<<

~~~~
Retired - Doin' Dis, Dat, and slapping malware.

