Virus redirecting all of my pages.

This is a discussion on "Virus redirecting all of my pages." within the Resolved HJT Threads forum, part of the Tech Support Forum category.

Old 01-22-2011, 11:19 AM   #1
Registered Member
 
Join Date: Jan 2011
Posts: 25
OS: WinXp



My computer is completely screwed!

First no sound now this! Almost every time I try to do something on the internet my page is getting redirected to something else!
I always have to rush to click the X button to stop the page from loading. But I want a permanent fix!
Please help.
TheresMoreToMe is offline  
Old 01-22-2011, 11:35 AM   #2
TSF-Emeritus
 
Join Date: Jan 2009
Location: Canada
Posts: 8,956
OS: XP, Vista, Win7, Win8.1



Hi,

Please do the following:


Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT


Download GMER Rootkit Scanner from here to your desktop. It will be a randomly named executable.
  • Double click the exe file.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure the following are unchecked
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
CatByte is offline  
Old 01-22-2011, 12:48 PM   #3
Registered Member
 
Join Date: Jan 2011
Posts: 25
OS: WinXp



DDS (Ver_10-12-12.02) - NTFSx86
Run by Guest at 14:40:05.82 on Sat 01/22/2011
Internet Explorer: 6.0.2900.2180

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*Yahoo!
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*Yahoo! SearchBar Home Page
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - c:\program files\softonic-eng7\tbSof2.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\18.5.0.125\ips\IPSBHO.DLL
BHO: QWBandToolBar: {8270927a-fb8b-4647-8e21-c9459bb2610d} - c:\program files\f1f013333eca4ce2999ee8521b81370b\QWS.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Softonic-Eng7 Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - c:\program files\softonic-eng7\tbSof2.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: QWBandToolBar: {8270927a-fb8b-4647-8e21-c9459bb2610d} - c:\program files\f1f013333eca4ce2999ee8521b81370b\QWS.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {61539ECD-CC67-4437-A03C-9AACCBD14326} - No File
TB: {CE18769B-C7FA-42D2-860D-17C4662C70AD} - No File
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [Logitech Vid] "c:\program files\logitech\logitech vid\vid.exe" -bootmode
uRun: [Csiyaxodemad] rundll32.exe "c:\windows\agoduzuvifukifur.dll",Startup
uRun: [Google Update] "c:\documents and settings\guest\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [srmclean] c:\cpqs\scom\srmclean.exe
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [LTCM Client] c:\program files\ltcm client\ltcmClient.exe /startup
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Csiyaxodemad] rundll32.exe "c:\windows\agoduzuvifukifur.dll",Startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Norton Online Backup] c:\program files\symantec\norton online backup\NOBuClient.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRunOnce: [<NO NAME>]
mExplorerRun: [<NO NAME>] 1 (0x1)
IE: Translate this web page with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Action.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
Trusted Zone: qword.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 93.188.162.244,93.188.160.54
TCP: {904D97E5-D0FC-4325-8A19-1863A421CC52} = 93.188.162.244,93.188.160.54
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2011-01-22 19:10:04 -------- d-----w- c:\docume~1\guest\locals~1\applic~1\ConduitEngine
2011-01-21 20:07:18 114176 ----a-w- c:\windows\system32\PCWizard.cpl
2011-01-21 2017 -------- d-----w- c:\program files\CPUID
2011-01-21 04:40:53 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-01-21 04:40:53 -------- d-----w- c:\program files\ConduitEngine
2011-01-21 02:17:58 -------- d-----w- c:\docume~1\guest\locals~1\applic~1\Google
2011-01-20 23:56:45 452096 ----a-w- c:\windows\system32\fxsapi.dll
2011-01-09 03:57:27 -------- d-----w- c:\docume~1\guest\applic~1\PriceGong
2011-01-06 22:45:28 0 ----a-w- c:\windows\umagajimonobap.dll
2011-01-06 22:31:29 0 ----a-w- c:\windows\icukalib.dll
2011-01-04 20:11:28 0 ----a-w- c:\windows\azudarib.dll
2010-12-29 14:02:59 0 ----a-w- c:\windows\ohakokup.dll
2010-12-29 11:56:50 0 ----a-w- c:\windows\uwawemow.dll
2010-12-29 09:53:36 0 ----a-w- c:\windows\akelajoq.dll
2010-12-29 06:39:27 0 ----a-w- c:\windows\eyipititefeda.dll
2010-12-29 04:21:46 0 ----a-w- c:\windows\iwemifix.dll
2010-12-29 01:54:22 0 ----a-w- c:\windows\ejihukuru.dll
2010-12-28 23:51:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Leapfrog
2010-12-28 23:51:33 -------- d-----w- c:\program files\LeapFrog
2010-12-28 23:51:08 0 ----a-w- c:\windows\epegozux.dll
2010-12-28 21:50:05 0 ----a-w- c:\windows\uxuzagovag.dll
2010-12-28 20:05:15 0 ----a-w- c:\windows\eqoxuqotolixaqa.dll

==================== Find3M ====================

2010-12-23 01:49:01 0 ----a-w- c:\windows\udajijohapuhidon.dll
2010-12-22 23:36:45 0 ----a-w- c:\windows\acihubimudu.dll
2010-12-08 02:15:12 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-11-29 00:29:55 0 -c--a-w- c:\windows\Mtexegaqabihebaj.bin
2010-11-13 00:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 22:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

============= FINISH: 14:43:43.26 ===============
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)


==== Disk Partitions =========================


==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Abacast Distributed Live
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.1
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATT-PRT22
Bonjour
Cakewalk Audio FX Pack 1
Cool Edit Pro 2.1
DivX Setup
Epson CreativeZone
EPSON NX410 Series Printer Uninstall
EPSON Scan
EPSON Web-To-Page
Facebook Plug-In
FrostWire 4.20.6
Google Chrome
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Software Update
IL Download Manager
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Interlok driver setup x32
iTunes
Java 2 Runtime Environment, SE v1.4.2_01
Java Auto Updater
Java(TM) 6 Update 23
Logitech Webcam Software
Logitech Webcam Software Driver Package
LTCM Client
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works 7.0
Mozilla Firefox (3.6.10)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Norton AntiVirus
Norton Online Backup
Norton PC Checkup
Norton Security Scan
PC Wizard 2010.1.96
PhotoFiltre
QuickTime
rgc:audio sfz+ DXi v1.01
rgc:audio sfz+ VSTi v1.01
rgcAudio Square I VSTi v1.2
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
Softonic-Eng7 Toolbar
SoundMAX
Unity Web Player
Update for Windows XP (KB898461)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
VC80CRTRedist - 8.0.50727.4053
Virtual DJ - Atomix Productions
Virtual DJ Home - Atomix Productions
VoipBuster
WebFldrs XP
Windows Driver Package - Leapfrog (Leapfrog-USBLAN) Net (09/10/2009 02.03.05.012)
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR archiver
Yahoo! Search Protection
Yahoo! Software Update

==== End Of File ===========================
TheresMoreToMe is offline  
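The DDS log above is the kind of report a helper reads by hand. As an added example (my own code, not part of this thread, the forum's instructions, or the DDS tool), here is a small Python triage script that scans such a log for the entry types a helper checks first: autorun entries that load a DLL straight from c:\windows via rundll32, BHO/toolbar entries whose file is gone, Trusted Zone additions, static DNS servers, and zero-byte DLLs created directly under c:\windows. The sample lines are excerpted from the log in post #3; the rules and the category names are assumptions of this example, and a hit means "look closer", not "malicious".

```python
"""Triage helper for the 'Pseudo HJT Report' and 'Created Last 30' sections of a DDS log.

Added example for this thread; not part of the forum's instructions or of the DDS tool.
The rules and category names below are assumptions of this example.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lines excerpted from the DDS.txt posted in post #3 of this thread.
SAMPLE_DDS = r"""
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [Csiyaxodemad] rundll32.exe "c:\windows\agoduzuvifukifur.dll",Startup
mRun: [Csiyaxodemad] rundll32.exe "c:\windows\agoduzuvifukifur.dll",Startup
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
Trusted Zone: qword.com
TCP: NameServer = 93.188.162.244,93.188.160.54
2011-01-20 23:56:45 452096 ----a-w- c:\windows\system32\fxsapi.dll
2011-01-06 22:45:28 0 ----a-w- c:\windows\umagajimonobap.dll
2010-12-29 14:02:59 0 ----a-w- c:\windows\ohakokup.dll
"""


@dataclass(frozen=True)
class Finding:
    category: str   # short tag (names assumed for this example)
    detail: str     # what a helper would check
    line: str       # the DDS line that triggered it


# DDS prefixes: uRun / mRun / dRun = per-user / machine / default-user Run keys.
RUN_RE = re.compile(r'^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
ORPHAN_RE = re.compile(r'^(?:BHO|TB): .*- No File$')
TRUSTED_RE = re.compile(r'^Trusted Zone: (?P<zone>\S+)$')
DNS_RE = re.compile(r'^TCP: (?:NameServer|\{[0-9A-Fa-f-]+\}) = (?P<servers>.+)$')
# A DLL sitting directly in c:\windows (not in system32 or a program directory).
WINDOWS_DLL_RE = re.compile(r'c:\\windows\\[^\\"]+\.dll', re.I)
TIMESTAMP_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ')


def triage_line(line: str) -> Optional[Finding]:
    """Classify one DDS line; returns None for lines that need no attention."""
    m = RUN_RE.match(line)
    if m:
        cmd = m.group('cmd')
        if 'rundll32' in cmd.lower() and WINDOWS_DLL_RE.search(cmd):
            return Finding('rundll32-windows-dll',
                           f'autorun [{m.group("name")}] loads a DLL straight from c:\\windows',
                           line)
        return None
    if ORPHAN_RE.match(line):
        return Finding('orphan-bho-tb',
                       'browser add-on registered but its file is gone (cleanup candidate)', line)
    m = TRUSTED_RE.match(line)
    if m:
        return Finding('trusted-zone', f'site added to the IE Trusted Zone: {m.group("zone")}', line)
    m = DNS_RE.match(line)
    if m:
        return Finding('nameserver',
                       f'static DNS servers {m.group("servers")}; confirm they belong to the ISP', line)
    if TIMESTAMP_RE.match(line):
        # "Created Last 30" / "Find3M" entries: date time size attrs path
        parts = line.split(maxsplit=4)
        if len(parts) == 5:
            size, path = parts[2], parts[4]
            if size == '0' and WINDOWS_DLL_RE.fullmatch(path):
                return Finding('zero-byte-dll', 'zero-byte DLL created directly under c:\\windows', line)
    return None


def triage(text: str) -> List[Finding]:
    """Run triage_line over every line of a DDS log and collect the hits."""
    findings = []
    for raw in text.splitlines():
        f = triage_line(raw.strip())
        if f:
            findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, for a quick overview before reading details."""
    return dict(Counter(f.category for f in findings))


if __name__ == '__main__':
    hits = triage(SAMPLE_DDS)
    for cat, n in summarize(hits).items():
        print(f'{cat}: {n}')
    for f in hits:
        print(f'[{f.category}] {f.detail}\n    {f.line}')
```

Run it against a full DDS.txt by replacing SAMPLE_DDS with the file's contents; on the excerpt it reports eight hits, the same rundll32 entry twice (once under the user's Run key and once under the machine's), two orphaned add-ons, the Trusted Zone addition, the static DNS servers, and two zero-byte DLLs. Orphaned BHO/TB entries are only cleanup candidates; the rundll32 line and the DNS servers are what a helper would follow up on first.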
Old 01-22-2011, 01:05 PM   #4
Registered Member
 
Join Date: Jan 2011
Posts: 25
OS: WinXp



Quote:
Originally Posted by CatByte (the DDS and GMER instructions in post #2 above)

I wasn't given the option to save anything to my desktop, as far as the GMER Rootkit Scanner. Also I wasn't given the option to "Double click the exe file." Is this ok or did I do something wrong?
TheresMoreToMe is offline  
Old 01-22-2011, 01:09 PM   #5
Registered Member
 
Join Date: Jan 2011
Posts: 25
OS: WinXp



My photo doesn't look exactly like yours; is this okay?
TheresMoreToMe is offline  
Old 01-22-2011, 01:22 PM   #6
TSF-Emeritus
 
Join Date: Jan 2009
Location: Canada
Posts: 8,956
OS: XP, Vista, Win7, Win8.1



That's fine.

Please do the following:


Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
CatByte is offline  
Old 01-22-2011, 02:46 PM   #7
Registered Member
 
Join Date: Jan 2011
Posts: 25
OS: WinXp



GMER 1.0.15.15530 - GMER - Rootkit Detector and Remover
Rootkit scan 2011-01-22 15:44:59
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST340015A rev.3.15
Running: uuckbzke.exe; Driver: C:\DOCUME~1\ANISHA~1\LOCALS~1\Temp\pxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT 81E06D88 ZwAlertResumeThread
SSDT 81E06E68 ZwAlertThread
SSDT 81E0A770 ZwAllocateVirtualMemory
SSDT 81E06530 ZwAssignProcessToJobObject
SSDT 81E3A930 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEFDAD720]
SSDT 81E06AD8 ZwCreateMutant
SSDT 81E06350 ZwCreateSymbolicLinkObject
SSDT 81DDC5D0 ZwCreateThread
SSDT 81E06610 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xEFDAD9A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEFDADF00]
SSDT 81E09D90 ZwDuplicateObject
SSDT 81E0A5B0 ZwFreeVirtualMemory
SSDT 81E06BC8 ZwImpersonateAnonymousToken
SSDT 81E06CA8 ZwImpersonateThread
SSDT 82077050 ZwLoadDriver
SSDT 81E0A4B0 ZwMapViewOfSection
SSDT 81E069F8 ZwOpenEvent
SSDT 81E0AE90 ZwOpenProcess
SSDT 81E09CB0 ZwOpenProcessToken
SSDT 81E06838 ZwOpenSection
SSDT 81E09E80 ZwOpenThread
SSDT 81E06440 ZwProtectVirtualMemory
SSDT 81E06F48 ZwResumeThread
SSDT 81E0A200 ZwSetContextThread
SSDT 81E0A2E0 ZwSetInformationProcess
SSDT 81E066F0 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEFDAE150]
SSDT 81E06918 ZwSuspendProcess
SSDT 81E06008 ZwSuspendThread
SSDT 81DC5B18 ZwTerminateProcess
SSDT 81E0A120 ZwTerminateThread
SSDT 81E0A3D0 ZwUnmapViewOfSection
SSDT 81E0A6A0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF849B394]
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4092] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4364] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Anisha Lanee\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[5968] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 822D8AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 822D8AEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 822D8AEA

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device \FileSystem\Fastfat \Fat ED228C8A

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST340015A_______________________________3.15____#4c354b415031544e202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 78165104 (+254): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
TheresMoreToMe is offline  
Old 01-22-2011, 02:47 PM   #8
TSF-Emeritus
 
Join Date: Jan 2009
Location: Canada
Posts: 8,956
OS: XP, Vista, Win7, Win8.1



Great, thanks.

Please run the ComboFix program now
CatByte is offline  
Old 01-22-2011, 03:08 PM   #9
Registered Member
 
Join Date: Jan 2011
Posts: 25
OS: WinXp



Whenever I try to download it, it shows the loading bar then it closes my web browser and nothing happens after that..
TheresMoreToMe is offline  
Old 01-22-2011, 03:46 PM   #10
TSF-Emeritus
 
Join Date: Jan 2009
Location: Canada
Posts: 8,956
OS: XP, Vista, Win7, Win8.1



Hi

Are you able to use another machine to download it, then transfer it over via USB?

Or try and save it with a different name:

rename it to iexplore before you try saving it to your desktop.

Make certain all your security programs are disabled.

You might try booting into safe mode with networking as well, and see if you can download it in safe mode.

To Enter Safe Mode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly;
  • this will bring up a menu.
  • Use the Up and Down arrow keys to scroll up to Safe Mode with Networking
  • Then press the Enter key on your keyboard
  • Go into your usual account
CatByte is offline  
Old 01-22-2011, 04:11 PM   #11
Registered Member
 
Join Date: Jan 2011
Posts: 25
OS: WinXp



Well that didn't help much either. I'll see if I can download it some place else..
TheresMoreToMe is offline  
Old 01-24-2011, 02:22 PM   #12
Registered Member
 
Join Date: Jan 2011
Posts: 25
OS: WinXp



Luckily, I got the ComboFix program to work. Scanning right now so I will reply with the log when it's finished.
TheresMoreToMe is offline  
Old 01-24-2011, 03:21 PM   #13
Registered Member
 
Join Date: Jan 2011
Posts: 25
OS: WinXp



The ComboFix automatically says log.txt when I go to save it. Do I change the name like I did before?

*Update*
I saved it as ComboFix.txt, I hope that was right..
TheresMoreToMe is offline  
Old 01-24-2011, 03:34 PM   #14
Registered Member
 
Join Date: Jan 2011
Posts: 25
OS: WinXp



ComboFix 11-01-23.07 - Anisha Lanee 01/24/2011 16:18:12.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.503.242 [GMT -6:00]
Running from: c:\documents and settings\Anisha Lanee\My Documents\Downloads\ComboFix2017.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Anisha Lanee\Application Data\facemoods.com
c:\documents and settings\Anisha Lanee\Application Data\PriceGong
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Anisha Lanee\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Anisha Lanee\Local Settings\Temporary Internet Files\Softonic-Eng7_EN.exe
c:\documents and settings\Anisha Lanee\Local Settings\Temporary Internet Files\udRemove.exe
c:\documents and settings\Guest\Application Data\facemoods.com
c:\documents and settings\Guest\Application Data\PriceGong
c:\documents and settings\Guest\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Guest\Application Data\PriceGong\Data\z.xml
c:\documents and settings\macaroni\Application Data\facemoods.com
c:\documents and settings\macaroni\Application Data\PriceGong
c:\documents and settings\macaroni\Application Data\PriceGong\Data\1.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\a.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\b.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\c.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\d.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\e.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\f.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\g.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\h.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\i.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\J.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\k.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\l.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\m.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\n.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\o.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\p.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\q.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\r.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\s.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\t.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\u.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\v.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\w.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\x.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\y.xml
c:\documents and settings\macaroni\Application Data\PriceGong\Data\z.xml
c:\program files\F1F013333ECA4CE2999EE8521B81370B\QWS.dll
c:\windows\acihubimudu.dll
c:\windows\akelajoq.dll
c:\windows\azudarib.dll
c:\windows\ejihukuru.dll
c:\windows\epegozux.dll
c:\windows\eqoxuqotolixaqa.dll
c:\windows\eyipititefeda.dll
c:\windows\icukalib.dll
c:\windows\iwemifix.dll
c:\windows\ohakokup.dll
c:\windows\udajijohapuhidon.dll
c:\windows\umagajimonobap.dll
c:\windows\uwawemow.dll
c:\windows\uxuzagovag.dll

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-12-24 to 2011-01-24 )))))))))))))))))))))))))))))))
.

2011-01-24 21:17 . 2011-01-24 21:17 -------- d-----w- c:\windows\system32\NtmsData
2011-01-22 19:10 . 2011-01-22 19:10 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\ConduitEngine
2011-01-21 20:07 . 2010-08-22 19:48 114176 ----a-w- c:\windows\system32\PCWizard.cpl
2011-01-21 20:06 . 2011-01-21 20:06 -------- d-----w- c:\program files\CPUID
2011-01-21 19:30 . 2011-01-21 19:30 -------- d-----w- c:\documents and settings\Guest\Application Data\DivX
2011-01-21 04:40 . 2011-01-21 04:56 -------- d-----w- c:\documents and settings\Anisha Lanee\Local Settings\Application Data\ConduitEngine
2011-01-21 04:40 . 2011-01-21 04:40 -------- d-----w- c:\program files\ConduitEngine
2011-01-21 04:40 . 2011-01-21 04:40 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-01-21 02:17 . 2011-01-21 02:20 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Google
2011-01-21 01:50 . 2011-01-21 01:51 -------- d-----w- c:\documents and settings\Sharon\Local Settings\Application Data\Temp
2011-01-21 01:48 . 2011-01-21 01:57 -------- d-----w- c:\documents and settings\Sharon\Local Settings\Application Data\Google
2011-01-20 23:56 . 2004-08-04 12:00 452096 ----a-w- c:\windows\system32\fxsapi.dll
2010-12-29 00:11 . 2010-12-29 00:11 -------- d-----w- c:\program files\DIFX
2010-12-28 23:51 . 2010-12-28 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Leapfrog
2010-12-28 23:51 . 2011-01-16 17:14 -------- d-----w- c:\program files\LeapFrog

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-08 02:15 . 2010-12-08 02:15 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-12-08 02:15 . 2010-12-08 02:15 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-12-01 05:24 . 2010-12-09 20:19 368248 ----a-w- c:\windows\system32\drivers\symtdi.sys
2010-12-01 05:24 . 2010-12-09 20:19 368248 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\symtdi.sys
2010-12-01 05:24 . 2010-12-09 20:19 295032 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\symnets.sys
2010-12-01 05:23 . 2010-12-09 20:19 330360 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\symtdiv.sys
2010-12-01 01:27 . 2010-10-09 14:26 0 -c--a-w- c:\documents and settings\Guest\Local Settings\Application Data\Mtexegaqabihebaj.bin
2010-11-23 04:08 . 2010-12-09 20:19 50168 ----a-w- c:\windows\system32\drivers\srtspx.sys
2010-11-23 04:08 . 2010-12-09 20:19 50168 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\srtspx.sys
2010-11-23 04:08 . 2010-12-09 20:19 509560 ----a-w- c:\windows\system32\drivers\srtsp.sys
2010-11-23 04:08 . 2010-12-09 20:19 509560 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\srtsp.sys
2010-11-18 02:59 . 2010-12-09 20:19 652336 ----a-w- c:\windows\system32\drivers\symefa.sys
2010-11-18 02:59 . 2010-12-09 20:19 652336 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\symefa.sys
2010-11-16 23:13 . 2010-11-16 23:13 664 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\d3d9caps.tmp
2010-11-16 01:45 . 2010-12-09 20:19 136312 ----a-w- c:\windows\system32\drivers\NAV\1205000.07D\ironx86.sys
2010-11-16 01:45 . 2010-12-09 20:19 136312 ----a-w- c:\windows\system32\drivers\ironx86.sys
2010-11-13 00:53 . 2010-07-13 22:24 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-12 22:34 . 2009-12-06 02:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]
2010-10-18 10:26 3908192 ----a-w- c:\program files\Softonic-Eng7\tbSof2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}"= "c:\program files\Softonic-Eng7\tbSof2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{414B6D9D-4A95-4E8D-B5B1-149DD2D93BB3}"= "c:\program files\Softonic-Eng7\tbSof2.dll" [2010-10-18 3908192]

[HKEY_CLASSES_ROOT\clsid\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Anisha Lanee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2011-01-21 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-24 36864]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-06 524800]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"LTCM Client"="c:\program files\LTCM Client\ltcmClient.exe" [2009-03-02 1583808]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-08-20 1164584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"Norton Online Backup"="c:\program files\Symantec\Norton Online Backup\NOBuClient.exe" [2010-06-08 968536]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
IMVU.lnk - c:\documents and settings\Anisha Lanee\Application Data\IMVUClient\IMVUQualityAgent.exe [N/A]

c:\documents and settings\macaroni\Start Menu\Programs\Startup\
FrostWire On Startup.lnk - c:\program files\FrostWire\FrostWire.exe [2010-2-10 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 cpuz134;cpuz134;c:\program files\CPUID\PC Wizard 2010\pcwiz_x32.sys [2010-07-09 20328]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1205000.07D\SYMDS.SYS [2010-10-21 340016]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1205000.07D\SYMEFA.SYS [2010-11-18 652336]
S1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\BASHDefs\20110114.001\BHDrvx86.sys [2010-11-23 691248]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1205000.07D\Ironx86.SYS [2010-11-16 136312]
S2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe [2010-11-24 130000]
S2 NOBU;Norton Online Backup;c:\program files\Symantec\Norton Online Backup\NOBuAgent.exe SERVICE [x]
S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\Norton PC Checkup\Engine\2.0.6.11\SymcPCCULaunchSvc.exe [2010-12-16 120248]
S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\Norton PC Checkup\Engine\2.0.6.11\ccSvcHst.exe [2009-08-24 126392]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-01-19 102448]
S3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_18.1.0.37\Definitions\IPSDefs\20110120.001\IDSxpx86.sys [2010-11-09 341944]

.
Contents of the 'Scheduled Tasks' folder

2011-01-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]

2011-01-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3356846069-4073050213-3575645281-1006Core.job
- c:\documents and settings\Anisha Lanee\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-21 04:41]

2011-01-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3356846069-4073050213-3575645281-1008Core.job
- c:\documents and settings\Sharon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-21 01:47]

2011-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3356846069-4073050213-3575645281-1010Core.job
- c:\documents and settings\macaroni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-05 01:10]

2011-01-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3356846069-4073050213-3575645281-1010UA.job
- c:\documents and settings\macaroni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-05 01:10]

2011-01-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3356846069-4073050213-3575645281-501Core.job
- c:\documents and settings\Guest\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-21 02:17]

2011-01-17 c:\windows\Tasks\Norton Security Scan for Anisha Lanee.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-08-28 15:06]

2011-01-17 c:\windows\Tasks\Norton Security Scan for Sharon.job
- c:\program files\Norton Security Scan\Engine\2.7.3.34\Nss.exe [2010-08-28 15:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*Yahoo!
Trusted Zone: qword.com
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Messenger (Yahoo!) - c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-Csiyaxodemad - c:\windows\agoduzuvifukifur.dll
AddRemove-Virtual DJ - Atomix Productions - f:\progra~1\VIRTUA~1\UNWISE.EXE
AddRemove-Virtual DJ Home - Atomix Productions - f:\progra~1\VIRTUA~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-24 17:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\18.5.0.125\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\18.5.0.125\diMaster.dll\" /prefetch:1"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCCUJobMgr]
"ImagePath"="\"c:\program files\Norton PC Checkup\Engine\2.0.6.11\ccSvcHst.exe\" /s \"PCCUJobMgr\" /m \"c:\program files\Norton PC Checkup\Engine\2.0.6.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-01-24 17:13:44
ComboFix-quarantined-files.txt 2011-01-24 23:13

Pre-Run: 1,741,910,016 bytes free
Post-Run: 2,406,817,792 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 047B84749797EC2BEB5C7B4D9DDB7CA4
TheresMoreToMe is offline  
Old 01-24-2011, 05:10 PM   #15
TSF-Emeritus
 
Join Date: Jan 2009
Location: Canada
Posts: 8,956
OS: XP, Vista, Win7, Win8.1



Hi

Please do the following:


Press the WinKey + R to open a run box, then copy/paste the following single-line command into the Run box and click OK:

Quote:
cmd /c del /f/a/q "c:\documents and settings\Guest\Local Settings\Application Data\Mtexegaqabihebaj.bin"

NEXT


Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish
CatByte is offline  
Old 01-24-2011, 07:03 PM   #16
Registered Member
 
Join Date: Jan 2011
Posts: 25
OS: WinXp

My System


Malwarebytes' Anti-Malware 1.50.1.1100
Malwarebytes

Database version: 5592

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/24/2011 9:02:50 PM
mbam-log-2011-01-24 (21-02-50).txt

Scan type: Quick scan
Objects scanned: 191879
Time elapsed: 1 hour(s), 6 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\qword.com (Adware.QWO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\praf75372.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\WINDOWS\kbdphr.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\documents and settings\anisha lanee\favorites\qword search engine.url (Adware.QWO) -> Quarantined and deleted successfully.
c:\END (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\winset.ini (Malware.Trace) -> Quarantined and deleted successfully.
TheresMoreToMe is offline  
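The MBAM report above has a fixed layout: a version banner, "key: value" header lines, one "X Infected: N" summary line per category, and then one section per category listing each item as "path (ThreatName) -> action". When reviewing these logs it helps to check that the summary counts agree with the items actually listed and to pull out anything that was not cleanly quarantined (for example items marked for deletion on reboot). The parser below is an added example written for this thread; it is not code from Malwarebytes or from anyone in the thread. The sample log embedded in it is constructed: it reuses three entries from the report posted above and adds one made-up "Delete on reboot." entry (a placeholder path) so that the unresolved-item check has something to find.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and sanity-check it.

Added example for this thread, not Malwarebytes' own tooling. Only the
line shapes visible in the posted report are assumed; unrecognised lines
are ignored rather than guessed at.
"""
import re

# Constructed sample in the layout of the posted mbam-log. The first three
# detections are copied from the thread; the last file is a made-up
# placeholder used to show an action other than a clean quarantine.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
Malwarebytes

Database version: 5592

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

Scan type: Quick scan
Objects scanned: 191879
Time elapsed: 1 hour(s), 6 minute(s), 56 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\qword.com (Adware.QWO) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\praf75372.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\WINDOWS\kbdphr.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\CONSTRUCTED_EXAMPLE.dll (Trojan.Example) -> Delete on reboot.
"""

VERSION_RE = re.compile(r"^Malwarebytes' Anti-Malware (\S+)$")
SUMMARY_RE = re.compile(r"^(?P<name>.+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<name>.+ Infected):$")
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z][^:]*): (?P<value>.+)$")
# Non-greedy path so a path containing "(x86)" still parses correctly.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
NONE_MARKER = "(No malicious items detected)"
CLEAN_ACTION = "Quarantined and deleted successfully."


def parse_mbam_log(text):
    """Return {"version", "header", "summary", "sections"} from an MBAM log."""
    result = {"version": None, "header": {}, "summary": {}, "sections": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None          # sections are separated by blank lines
            continue
        m = VERSION_RE.match(line)
        if m and result["version"] is None:
            result["version"] = m.group(1)
            continue
        m = SUMMARY_RE.match(line)
        if m:
            result["summary"][m.group("name")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            result["sections"].setdefault(section, [])
            continue
        if section is not None:
            if line == NONE_MARKER:
                continue
            m = ITEM_RE.match(line)
            if m:
                result["sections"][section].append(m.groupdict())
            else:               # keep the raw line so nothing is silently lost
                result["sections"][section].append(
                    {"path": line, "threat": None, "action": None})
            continue
        m = HEADER_RE.match(line)
        if m:
            result["header"][m.group("key")] = m.group("value")
    return result


def count_mismatches(parsed):
    """(section, declared, actual) for every summary count that disagrees with the listing."""
    out = []
    for name, declared in parsed["summary"].items():
        actual = len(parsed["sections"].get(name, []))
        if actual != declared:
            out.append((name, declared, actual))
    return out


def unresolved_items(parsed):
    """Items whose action was anything other than a clean quarantine-and-delete."""
    return [item for items in parsed["sections"].values()
            for item in items if item["action"] != CLEAN_ACTION]


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print("MBAM", parsed["version"], "database", parsed["header"].get("Database version"))
    print("count mismatches:", count_mismatches(parsed))
    for item in unresolved_items(parsed):
        print("needs follow-up:", item["path"], "->", item["action"])
```

Run against a saved mbam-log file by passing its contents to `parse_mbam_log`; a non-empty result from `unresolved_items` is the cue that a reboot (or a second scan) is still needed before the log can be called clean.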
Old 01-24-2011, 09:29 PM   #17
Registered Member
 
Join Date: Jan 2011
Posts: 25
OS: WinXp

My System


Esetscan




C:\Documents and Settings\Anisha Lanee\My Documents\Downloads\PDFReader_Setup.exe a variant of Win32/SweetIM.A application
C:\Documents and Settings\macaroni\Application Data\Sun\Java\Deployment\cache\6.0\55\77372737-30d307ba probably a variant of Win32/Agent.RPSVWU trojan
C:\Documents and Settings\macaroni\My Documents\Downloads\RegistryEasy.exe a variant of Win32/Adware.RegistryEasy application
C:\Documents and Settings\Sharon\My Documents\Downloads\SetupGamevance.exe a variant of Win32/Adware.Gamevance.AF application
TheresMoreToMe is offline  
Old 01-25-2011, 06:35 AM   #18
TSF-Emeritus
 
Join Date: Jan 2009
Location: Canada
Posts: 8,956
OS: XP, Vista, Win7, Win8.1



Hi

What is the source of the PDFReader_Setup file? If you trust it, I'm sure it's OK; the other two, Registry Easy and Setup GameVance, I would delete.

The Java file needs to go; we just need to empty your Java cache for that:

Please do the following:

Go to Start > Control Panel > Add/Remove programs

A list of installed programs will populate.

Scroll down and locate the following program > select REMOVE

Java 2 Runtime Environment, SE v1.4.2_01



Now click Start > Control Panel.
Double-click the Java icon in the control panel.
The Java Control Panel appears.
Click Settings under Temporary Internet Files.
The Temporary Files Settings dialog box appears.

There are three options on this window to clear the cache.
  1. Delete Files
  2. View Applications
  3. View Applets



Click OK on Delete Temporary Files window.
Note: This deletes all the Downloaded Applications and Applets from the cache.
Click OK on Temporary Files Settings window.


NEXT


Visit ADOBE and download the latest version of Acrobat Reader (version X).
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT

Update to SP3, SP2 is no longer supported:

Download details: Windows XP Service Pack 3 Network Installation Package for IT Professionals and Developers


NEXT

Please post a fresh DDS Log and advise how your computer is running now and if there are any outstanding issues.
CatByte is offline  
Old 01-25-2011, 12:53 PM   #19
Registered Member
 
Join Date: Jan 2011
Posts: 25
OS: WinXp

My System


I'm not even sure what the PDF Reader is so I guess I'll just leave it.
When I go to the Delete Temp. files it says that I can also delete Trace and Log files, but I didn't click that. Should I delete those as well?

Also, when updating the Adobe reader they have the option of WinXp Sp2 and Sp3 and I'm not sure which one I should choose.
I don't see that on my computer at all..
TheresMoreToMe is offline  
Old 01-25-2011, 04:54 PM   #20
TSF-Emeritus
 
Join Date: Jan 2009
Location: Canada
Posts: 8,956
OS: XP, Vista, Win7, Win8.1



Are you referring to the Java trace and log files? Then yes, you can delete them.

You need to update your service pack to the SP3 that I linked you to.

Microsoft is no longer supporting SP2. Then update the Adobe Reader for XP SP3
CatByte is offline  