Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91681 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Closed] Error404.com popup, virus/hijacker?


  • This topic is locked This topic is locked
4 replies to this topic

#1 hopestobe

hopestobe

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 11 November 2009 - 06:18 PM

Every few minutes on firefox, a new tab automatically opens and goes to error404.com, a site that advertises some computer services. Before this, I had some popups that tried to install SPOOLS.EXE although windows blocked the installation each time. I don't know if this has anything to do with it. Furthermore, since then, firefox keeps lagging, freezing, and crashing for no reason. I have run malwarebytes, adaware, and spybot but nothing seems to solve the problem. I am not very computer literate so any help would be much appreciated, thanks. DDS LOG: DDS (Ver_09-06-26.01) - NTFSx86 Run by chtran at 16:04:14.31 on Wed 11/11/2009 Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_05 Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2038.613 [GMT -8:00] AV: Norton 360 *On-access scanning disabled* (Outdated) {A5F1BC7C-EA33-4247-961C-0217208396C4} SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9} SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22} SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46} SP: Spy Sweeper *enabled* (Updated) {68A41C74-A1E9-48F8-B2E5-D8232211AB6D} SP: Norton 360 *disabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A} FW: Norton 360 *enabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3} ============== Running Processes =============== C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k rpcss C:\Windows\System32\svchost.exe -k secsvcs C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\SLsvc.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k NetworkService C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\Windows\System32\LEXBCES.EXE C:\Windows\System32\spoolsv.exe C:\Windows\System32\LEXPPS.EXE C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe C:\Program Files\Sony\Network Utility\NSUService.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Windows\system32\PSIService.exe C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe C:\Windows\system32\svchost.exe -k imgsvc C:\Program Files\Sony\VAIO Event Service\VESMgr.exe C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe C:\Windows\System32\svchost.exe -k WerSvcGroup C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\igfxext.exe C:\Windows\system32\igfxsrvc.exe C:\Windows\system32\WUDFHost.exe C:\Windows\system32\DRIVERS\xaudio.exe C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe C:\Windows\system32\wbem\unsecapp.exe C:\Windows\System32\alg.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\system32\taskeng.exe C:\Windows\system32\taskeng.exe C:\Program Files\Sony\VAIO Power Management\SPMgr.exe C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe C:\Program Files\Apoint\Apoint.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Sony\Network Utility\LANUtil.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Apoint\ApMsgFwd.exe C:\Program Files\Apoint\Apntex.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Windows\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\SearchFilterHost.exe C:\Users\chtran\Downloads\dds.scr C:\Windows\system32\wbem\wmiprvse.exe ============== Pseudo HJT Report =============== uSearch Page = hxxp://www.google.com uStart Page = hxxp://www.yahoo.com/ uWindow Title = By DSLExtreme uSearch Bar = hxxp://www.google.com/ie uDefault_Search_URL = hxxp://www.google.com/ie mDefault_Page_URL = hxxp://www.sony.com/vaiopeople mWindow Title = By DSLExtreme uInternet Settings,ProxyOverride = *.local uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File uRun: [NSUFloatingUI] "c:\program files\sony\network utility\LANUtil.exe" uRun: [Google Update] "c:\users\chtran\appdata\local\google\update\GoogleUpdate.exe" /c uRun: [Microshit] c:\recycle\x-5-4-27-2345678318-4567890223-4234567884-2341\Bcuzz.exe uRun: [Defence] "c:\programdata\defence\smss.exe" -SystemDefence uRun: [Lsass Service] c:\users\chtran\appdata\roaming\microsoft\windows\lsass.exe uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe uRun: [Ixikegizutazetif] rundll32.exe "c:\users\chtran\appdata\local\d1bylb.dll",Startup mRun: [Apoint] c:\program files\apoint\Apoint.exe mRun: [RtHDVCpl] RtHDVCpl.exe mRun: [Skytel] Skytel.exe mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe mRun: [Lexmark X74-X75] "c:\program files\lexmark x74-x75\lxbbbmgr.exe" mRun: [V0250Cfg.exe] V0250Cfg.exe /d:3 mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe" mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" StartupFolder: c:\users\chtran\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE mPolicies-system: EnableUIADesktopToggle = 0 (0x0) IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200 IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000 IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll Trusted Zone: antimalwareguard.com TCP: {3D043B09-6D04-416F-98FD-37C14266FA88} = 66.51.205.100,66.51.206.100 Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll Notify: igfxcui - igfxdev.dll Notify: VESWinlogon - VESWinlogon.dll ================= FIREFOX =================== FF - ProfilePath - c:\users\chtran\appdata\roaming\mozilla\firefox\profiles\22dj80i1.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/ FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?query= FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\google\picasa3\npPicasa3.dll FF - plugin: c:\program files\mozilla firefox\plugins\NPFxViewer.dll FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll FF - plugin: c:\users\chtran\appdata\local\google\update\1.2.183.13\npGoogleOneClick8.dll FF - plugin: c:\users\chtran\appdata\roaming\mozilla\firefox\profiles\22dj80i1.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll FF - plugin: c:\users\chtran\appdata\roaming\mozilla\plugins\npgoogletalk.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); ============= SERVICES / DRIVERS =============== R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-17 64288] R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20080407.002\IDSvix86.sys [2008-4-8 261680] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1179232] R2 NSUService;NSUService;c:\program files\sony\network utility\NSUService.exe [2007-11-15 204800] R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032] R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-11-11 1153368] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-2-10 109616] R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-3-31 38224] R3 SFEP;Sony Firmware Extension Parser;c:\windows\system32\drivers\SFEP.sys [2007-10-30 9344] R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2007-1-9 38200] R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-10-30 812544] R3 V0250Dev;Live! Cam Notebook Pro;c:\windows\system32\drivers\V0250Dev.sys [2008-2-9 163840] S3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\sony\vaio media integrated server\UCLS.exe [2007-11-15 745472] S3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\sony\vaio media integrated server\platform\SV_Httpd.exe [2007-11-15 397312] S3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\sony\vaio media integrated server\platform\UPnPFramework.exe [2007-11-15 1089536] S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\sony\vcm intelligent analyzing manager\VcmIAlzMgr.exe [2007-10-31 292128] S3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\common files\sony shared\vcmxml\VcmXmlIfHelper.exe [2007-10-31 79136] =============== Created Last 30 ================ 2009-11-10 22:47 351,232 a------- c:\windows\system32\WSDApi.dll 2009-11-10 22:36 2,035,712 a------- c:\windows\system32\win32k.sys 2009-11-09 23:18 <DIR> --d----- c:\programdata\Defence 2009-11-09 23:18 <DIR> --d----- c:\progra~2\Defence 2009-11-06 22:44 <DIR> --d----- c:\program files\iPod 2009-11-06 22:44 <DIR> --d----- c:\program files\iTunes 2009-11-04 19:33 <DIR> --dsh--- c:\programdata\8026cdd 2009-11-04 19:33 <DIR> --dsh--- c:\progra~2\8026cdd 2009-11-04 19:29 <DIR> --d----- c:\windows\system32\TVUAx 2009-10-30 21:30 93,360 a------- c:\windows\system32\drivers\SBREDrv.sys 2009-10-27 14:59 310,784 a------- c:\windows\system32\unregmp2.exe 2009-10-27 14:59 8,147,456 a------- c:\windows\system32\wmploc.DLL 2009-10-22 20:52 <DIR> --dshr-- C:\Recycle 2009-10-20 16:01 2,421,760 a------- c:\windows\system32\wucltux.dll 2009-10-20 16:01 87,552 a------- c:\windows\system32\wudriver.dll 2009-10-20 16:01 171,608 a------- c:\windows\system32\wuwebv.dll 2009-10-20 16:01 33,792 a------- c:\windows\system32\wuapp.exe 2009-10-17 12:59 64,288 a------- c:\windows\system32\drivers\Lbd.sys 2009-10-17 12:57 <DIR> -cd-h--- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6} 2009-10-17 12:57 <DIR> -cd-h--- c:\progra~2\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6} 2009-10-13 19:19 428,544 a------- c:\windows\system32\EncDec.dll 2009-10-13 19:19 217,088 a------- c:\windows\system32\psisrndr.ax 2009-10-13 19:19 293,376 a------- c:\windows\system32\psisdecd.dll 2009-10-13 19:19 177,664 a------- c:\windows\system32\mpg2splt.ax 2009-10-13 19:19 80,896 a------- c:\windows\system32\MSNP.ax 2009-10-13 19:19 61,440 a------- c:\windows\system32\msasn1.dll 2009-10-13 19:19 144,896 a------- c:\windows\system32\drivers\srv2.sys 2009-10-13 19:19 604,672 a------- c:\windows\system32\WMSPDMOD.DLL ==================== Find3M ==================== 2009-11-11 15:29 4,246 a------- c:\users\chtran\appdata\roaming\wklnhst.dat 2009-11-02 20:42 195,456 -------- c:\windows\system32\MpSigStub.exe 2009-10-30 21:29 15,880 a------- c:\windows\system32\lsdelete.exe 2009-10-07 09:09 85,888 a------- c:\users\chtran\appdata\roaming\GDIPFONTCACHEV1.DAT 2009-09-11 21:41 143,360 a------- c:\windows\inf\infstrng.dat 2009-09-11 21:41 86,016 a------- c:\windows\inf\infstor.dat 2009-09-11 21:41 51,200 a------- c:\windows\inf\infpub.dat 2009-09-10 09:30 213,504 a------- c:\windows\system32\msv1_0.dll 2009-08-28 18:42 2,065,696 a------- c:\windows\system32\usbaaplrc.dll 2009-08-28 04:39 28,672 a------- c:\windows\system32\Apphlpdm.dll 2009-08-28 04:39 173,056 a------- c:\windows\apppatch\AcXtrnal.dll 2009-08-28 04:38 2,153,984 a------- c:\windows\apppatch\AcGenral.dll 2009-08-28 04:38 541,696 a------- c:\windows\apppatch\AcLayers.dll 2009-08-28 04:38 459,776 a------- c:\windows\apppatch\AcSpecfc.dll 2009-08-28 02:15 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll 2009-08-27 05:32 833,024 a------- c:\windows\system32\wininet.dll 2009-08-27 05:29 78,336 a------- c:\windows\system32\ieencode.dll 2009-08-27 02:58 26,624 a------- c:\windows\system32\ieUnatt.exe 2009-08-17 22:33 1,193,832 a------- c:\windows\system32\FM20.DLL 2009-08-14 08:29 104,960 a------- c:\windows\system32\netiohlp.dll 2009-08-14 08:29 17,920 a------- c:\windows\system32\netevent.dll 2009-08-14 06:16 17,920 a------- c:\windows\system32\ROUTE.EXE 2009-08-14 06:16 9,728 a------- c:\windows\system32\TCPSVCS.EXE 2009-08-14 06:16 11,264 a------- c:\windows\system32\MRINFO.EXE 2009-08-14 06:16 27,136 a------- c:\windows\system32\NETSTAT.EXE 2009-08-14 06:16 19,968 a------- c:\windows\system32\ARP.EXE 2009-08-14 06:16 10,240 a------- c:\windows\system32\finger.exe 2009-08-14 06:16 8,704 a------- c:\windows\system32\HOSTNAME.EXE 2008-09-18 08:09 174 a--sh--- c:\program files\desktop.ini 2008-09-18 01:37 665,600 a------- c:\windows\inf\drvindex.dat 2006-11-02 04:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat 2006-11-02 04:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat 2006-11-02 04:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat 2006-11-02 04:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat 2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat 2006-11-02 01:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat 2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat 2006-11-02 01:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat 2008-08-02 17:42 88 ---shr-- c:\windows\system32\F911BFEE74.sys 2008-08-02 17:43 3,452 a--sh--- c:\windows\system32\KGyGaAvL.sys ============= FINISH: 16:05:51.05 =============== RootRepeal LOG OOTREPEAL © AD, 2007-2009 ================================================== Scan Start Time: 2009/11/11 16:08 Program Version: Version 1.3.5.0 Windows Version: Windows Vista SP1 ================================================== Drivers ------------------- Name: dump_iaStor.sys Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys Address: 0x83310000 Size: 778240 File Visible: No Signed: - Status: - Name: rootrepeal.sys Image Path: C:\Windows\system32\drivers\rootrepeal.sys Address: 0xAED6F000 Size: 49152 File Visible: No Signed: - Status: - Processes ------------------- Path: System PID: 4 Status: Locked to the Windows API! Path: C:\Windows\System32\audiodg.exe PID: 1252 Status: Locked to the Windows API! SSDT ------------------- #: 013 Function Name: NtAlertResumeThread Status: Hooked by "<unknown>" at address 0x87956bf8 #: 014 Function Name: NtAlertThread Status: Hooked by "<unknown>" at address 0x87956c78 #: 018 Function Name: NtAllocateVirtualMemory Status: Hooked by "<unknown>" at address 0x87955778 #: 054 Function Name: NtConnectPort Status: Hooked by "<unknown>" at address 0x878c1a50 #: 064 Function Name: NtCreateKey Status: Hooked by "<unknown>" at address 0x855f6218 #: 067 Function Name: NtCreateMutant Status: Hooked by "<unknown>" at address 0x87956670 #: 072 Function Name: NtCreateProcess Status: Hooked by "<unknown>" at address 0x855fdc38 #: 073 Function Name: NtCreateProcessEx Status: Hooked by "<unknown>" at address 0x855fdbc0 #: 078 Function Name: NtCreateThread Status: Hooked by "<unknown>" at address 0x87955908 #: 123 Function Name: NtDeleteKey Status: Hooked by "<unknown>" at address 0x855f61a0 #: 126 Function Name: NtDeleteValueKey Status: Hooked by "<unknown>" at address 0x855fdcb0 #: 147 Function Name: NtFreeVirtualMemory Status: Hooked by "<unknown>" at address 0x8794c668 #: 156 Function Name: NtImpersonateAnonymousToken Status: Hooked by "<unknown>" at address 0x87956740 #: 158 Function Name: NtImpersonateThread Status: Hooked by "<unknown>" at address 0x87956800 #: 177 Function Name: NtMapViewOfSection Status: Hooked by "<unknown>" at address 0x87955388 #: 184 Function Name: NtOpenEvent Status: Hooked by "<unknown>" at address 0x879565b0 #: 195 Function Name: NtOpenProcessToken Status: Hooked by "<unknown>" at address 0x87955848 #: 202 Function Name: NtOpenThreadToken Status: Hooked by "<unknown>" at address 0x87955160 #: 255 Function Name: NtQueueApcThread Status: Hooked by "<unknown>" at address 0x855fd788 #: 261 Function Name: NtReadVirtualMemory Status: Hooked by "<unknown>" at address 0x855fd620 #: 267 Function Name: NtRenameKey Status: Hooked by "<unknown>" at address 0x855fde18 #: 282 Function Name: NtResumeThread Status: Hooked by "<unknown>" at address 0x878fcac0 #: 289 Function Name: NtSetContextThread Status: Hooked by "<unknown>" at address 0x87956fd0 #: 293 Function Name: NtSetDefaultUILanguage Status: Hooked by "<unknown>" at address 0x855fd878 #: 305 Function Name: NtSetInformationProcess Status: Hooked by "<unknown>" at address 0x87955230 #: 306 Function Name: NtSetInformationThread Status: Hooked by "<unknown>" at address 0x87956f00 #: 307 Function Name: NtSetInformationToken Status: Hooked by "<unknown>" at address 0x855fdda0 #: 309 Function Name: NtSetIoCompletion Status: Hooked by "<unknown>" at address 0x855fdad0 #: 310 Function Name: NtSetLdtEntries Status: Hooked by "<unknown>" at address 0x855fd8f0 #: 328 Function Name: NtStartProfile Status: Hooked by "<unknown>" at address 0x855fdd28 #: 330 Function Name: NtSuspendProcess Status: Hooked by "<unknown>" at address 0x879564f0 #: 331 Function Name: NtSuspendThread Status: Hooked by "<unknown>" at address 0x87956d80 #: 334 Function Name: NtTerminateProcess Status: Hooked by "<unknown>" at address 0x878fc418 #: 335 Function Name: NtTerminateThread Status: Hooked by "<unknown>" at address 0x87956e40 #: 338 Function Name: NtThawTransactions Status: Hooked by "<unknown>" at address 0x855fdb48 #: 339 Function Name: NtTraceEvent Status: Hooked by "<unknown>" at address 0x855fd968 #: 348 Function Name: NtUnmapViewOfSection Status: Hooked by "<unknown>" at address 0x8794c5e8 #: 358 Function Name: NtWriteVirtualMemory Status: Hooked by "<unknown>" at address 0x8794c738 #: 362 Function Name: NtReleaseKeyedEvent Status: Hooked by "<unknown>" at address 0x855fd698 #: 389 Function Name: NtAcquireCMFViewOwnership Status: Hooked by "<unknown>" at address 0x855fd5a8 ==EOF==

    Advertisements

Register to Remove


#2 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 14 November 2009 - 04:42 PM

Posted Image


DO NOT use any TOOLS such as Combofix, Vundofix, or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.



Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.



Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

Next:


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

    Note: Combofix will run without the Recovery Console installed.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
"copy/paste" a new HijackThis log file into this thread as well.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it atleast 20-30 minutes to finish if needed.


Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 hopestobe

hopestobe

    New Member

  • New Member
  • Pip
  • 2 posts

Posted 15 November 2009 - 02:15 PM

Hi, Thank you for your response. I ran malwarebytes full scan a few days ago and caught a few more things. I have not seen the 404 error tab open by itself in 3 days and firefox also has not been crashing randomly. Do you think that it is gone or should I still follow the instructions above? Thanks

#4 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 15 November 2009 - 03:50 PM

Hi,
Thank you for your response. I ran malwarebytes full scan a few days ago and caught a few more things. I have not seen the 404 error tab open by itself in 3 days and firefox also has not been crashing randomly. Do you think that it is gone or should I still follow the instructions above? Thanks

It's your call but it won't hurt to have a look.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,170 posts

Posted 20 November 2009 - 03:56 PM

Due to inactivity this topic will be closed. If you need help please start a new thread.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users