
IE cannot display the webpage http://www.google.com


7 replies to this topic

#1 Joevera

Joevera

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:58 AM

Posted 20 November 2009 - 01:21 AM

IE will not open Google. Analyzed with Malwarebytes' Anti-Malware and nothing found. Clean scans with Norton as well. System has denied write access to host files, which are full of hijacked domains. Even tried HostsXpert to edit host files and host file is marked "system file" that can NOT be manipulated. I sure would appreciate some assistance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:24 PM, on 11/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://toolbar.inbox.com/search/dispatcher...amp;tbid=%tb_id
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 74.125.45.100 4-open-davinci.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.getavplusnow.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 64.86.17.32 google.ae
O1 - Hosts: 64.86.17.32 google.as
O1 - Hosts: 64.86.17.32 google.at
O1 - Hosts: 64.86.17.32 google.az
O1 - Hosts: 64.86.17.32 google.ba
O1 - Hosts: 64.86.17.32 google.be
O1 - Hosts: 64.86.17.32 google.bg
O1 - Hosts: 64.86.17.32 google.bs
O1 - Hosts: 64.86.17.32 google.ca
O1 - Hosts: 64.86.17.32 google.cd
O1 - Hosts: 64.86.17.32 google.com.gh
O1 - Hosts: 64.86.17.32 google.com.hk
O1 - Hosts: 64.86.17.32 google.com.jm
O1 - Hosts: 64.86.17.32 google.com.mx
O1 - Hosts: 64.86.17.32 google.com.my
O1 - Hosts: 64.86.17.32 google.com.na
O1 - Hosts: 64.86.17.32 google.com.nf
O1 - Hosts: 64.86.17.32 google.com.ng
O1 - Hosts: 64.86.17.32 google.ch
O1 - Hosts: 64.86.17.32 google.com.np
O1 - Hosts: 64.86.17.32 google.com.pr
O1 - Hosts: 64.86.17.32 google.com.qa
O1 - Hosts: 64.86.17.32 google.com.sg
O1 - Hosts: 64.86.17.32 google.com.tj
O1 - Hosts: 64.86.17.32 google.com.tw
O1 - Hosts: 64.86.17.32 google.dj
O1 - Hosts: 64.86.17.32 google.de
O1 - Hosts: 64.86.17.32 google.dk
O1 - Hosts: 64.86.17.32 google.dm
O1 - Hosts: 64.86.17.32 google.ee
O1 - Hosts: 64.86.17.32 google.fi
O1 - Hosts: 64.86.17.32 google.fm
O1 - Hosts: 64.86.17.32 google.fr
O1 - Hosts: 64.86.17.32 google.ge
O1 - Hosts: 64.86.17.32 google.gg
O1 - Hosts: 64.86.17.32 google.gm
O1 - Hosts: 64.86.17.32 google.gr
O1 - Hosts: 64.86.17.32 google.ht
O1 - Hosts: 64.86.17.32 google.ie
O1 - Hosts: 64.86.17.32 google.im
O1 - Hosts: 64.86.17.32 google.in
O1 - Hosts: 64.86.17.32 google.it
O1 - Hosts: 64.86.17.32 google.ki
O1 - Hosts: 64.86.17.32 google.la
O1 - Hosts: 64.86.17.32 google.li
O1 - Hosts: 64.86.17.32 google.lv
O1 - Hosts: 64.86.17.32 google.ma
O1 - Hosts: 64.86.17.32 google.ms
O1 - Hosts: 64.86.17.32 google.mu
O1 - Hosts: 64.86.17.32 google.mw
O1 - Hosts: 64.86.17.32 google.nl
O1 - Hosts: 64.86.17.32 google.no
O1 - Hosts: 64.86.17.32 google.nr
O1 - Hosts: 64.86.17.32 google.nu
O1 - Hosts: 64.86.17.32 google.pl
O1 - Hosts: 64.86.17.32 google.pn
O1 - Hosts: 64.86.17.32 google.pt
O1 - Hosts: 64.86.17.32 google.ro
O1 - Hosts: 64.86.17.32 google.ru
O1 - Hosts: 64.86.17.32 google.rw
O1 - Hosts: 64.86.17.32 google.sc
O1 - Hosts: 64.86.17.32 google.se
O1 - Hosts: 64.86.17.32 google.sh
O1 - Hosts: 64.86.17.32 google.si
O1 - Hosts: 64.86.17.32 google.sm
O1 - Hosts: 64.86.17.32 google.sn
O1 - Hosts: 64.86.17.32 google.st
O1 - Hosts: 64.86.17.32 google.tl
O1 - Hosts: 64.86.17.32 google.tm
O1 - Hosts: 64.86.17.32 google.tt
O1 - Hosts: 64.86.17.32 google.us
O1 - Hosts: 64.86.17.32 google.vu
O1 - Hosts: 64.86.17.32 google.ws
O1 - Hosts: 64.86.17.32 google.co.ck
O1 - Hosts: 64.86.17.32 google.co.id
O1 - Hosts: 64.86.17.32 google.co.il
O1 - Hosts: 64.86.17.32 google.co.in
O1 - Hosts: 64.86.17.32 google.co.jp
O1 - Hosts: 64.86.17.32 google.co.kr
O1 - Hosts: 64.86.17.32 google.co.ls
O1 - Hosts: 64.86.17.32 google.co.ma
O1 - Hosts: 64.86.17.32 google.co.nz
O1 - Hosts: 64.86.17.32 google.co.tz
O1 - Hosts: 64.86.17.32 google.co.ug
O1 - Hosts: 64.86.17.32 google.co.uk
O1 - Hosts: 64.86.17.32 google.co.za
O1 - Hosts: 64.86.17.32 google.co.zm
O1 - Hosts: 64.86.17.32 google.com
O1 - Hosts: 64.86.17.32 google.com.af
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\IPSBHO.DLL
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\coIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} (SonyOnlineInstallerX) - http://www-cdn.freerealms.com/gamedata/plu...ller.cab?v=1033
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe

--
End of file - 10635 bytes
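
One way to triage the O1 hosts entries in the log above mechanically, as an added example that is not part of this thread and not one of the tools it mentions. The sample lines are constructed from a handful of the log's entries; the fan-in threshold and the watched brand list are assumptions.

```python
"""Triage of hosts-file redirects from a HijackThis log.

Added example (not from the thread or from HijackThis itself). It reads the
"O1 - Hosts:" lines HijackThis prints, or raw hosts-file lines, and separates
the ordinary sinkhole idiom (a name pointed at 127.0.0.1 / 0.0.0.0) from
redirects of public names to a routable address: the pattern in the log
above, where dozens of google.* names all point at one IP.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a few of the thread's O1 entries plus two benign lines.
SAMPLE_LOG = """\
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 getantivirusplusnow.com
O1 - Hosts: 64.86.17.32 google.com
O1 - Hosts: 64.86.17.32 google.co.uk
O1 - Hosts: 64.86.17.32 google.de
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 0.0.0.0 ads.example.net
"""

# A HijackThis O1 line, then a raw hosts-file line ("ip  hostname  # comment").
O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
HOSTS_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<host>\S+)")


def parse_entries(text):
    """Return a list of (ip_address, hostname) from O1 or hosts-file lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = O1_RE.match(line) or HOSTS_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:                       # first token is not an address
            continue
        entries.append((ip, m.group("host").lower()))
    return entries


def is_sinkhole(ip):
    """Loopback/unspecified targets are how ad and host blocklists use hosts."""
    return ip.is_loopback or ip.is_unspecified


def is_local_name(host):
    """Names that legitimately belong in a hosts file on a small network."""
    return (host == "localhost" or "." not in host
            or host.endswith((".local", ".localdomain")))


def triage(text, fan_in_threshold=3):
    """Classify entries; return the redirects and the IPs many names fan in to.

    fan_in_threshold is an assumption: how many distinct public names must point
    at the same address before that address is reported as a cluster.
    """
    entries = parse_entries(text)
    redirects = [(str(ip), host) for ip, host in entries
                 if not is_sinkhole(ip) and not is_local_name(host)]
    by_ip = defaultdict(list)
    for ip, host in redirects:
        by_ip[ip].append(host)
    clusters = {ip: hosts for ip, hosts in by_ip.items()
                if len(hosts) >= fan_in_threshold}
    return {"entries": len(entries), "redirects": redirects, "clusters": clusters}


def brand_hits(redirects, brands=("google",)):
    """Redirected names whose first label (after an optional www.) is a watched brand."""
    hits = []
    for _ip, host in redirects:
        labels = host.split(".")
        if labels[0] == "www":
            labels = labels[1:]
        if labels and labels[0] in brands:
            hits.append(host)
    return hits


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['entries']} entries, {len(report['redirects'])} redirects")
    for ip, hosts in report["clusters"].items():
        print(f"{ip}: {len(hosts)} names fan in, e.g. {hosts[:3]}")
    print("watched brands redirected:", brand_hits(report["redirects"]))
```

Run over the full O1 list above it reports two clusters: 74.125.45.100 with 12 names and 64.86.17.32 with 89 google.* names.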



#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,690 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:58 AM

Posted 20 November 2009 - 08:06 AM

Hi Joevera,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

Please perform the steps fully and in the order they are written and proceed to the next step only if the previous step is successfully completed.
  • Download RootRepeal.exe from one of these download locations and save it to your desktop:
    http://download.bleepingcomputer.com/rootr.../RootRepeal.exe
    http://ad13.geekstogo.com/RootRepeal.exe
    http://rootrepeal.psikotick.com/RootRepeal.exe
    • Open [image] on your desktop.
    • Click the [image] tab.
    • Click the [image] button.
    • Check all seven boxes: [image]
    • Click Ok.
    • Check the box for your main system drive (Usually C:), and press Ok.
    • Allow RootRepeal to run a scan of your system. This may take some time.
    • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
  • Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    [image]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.


#3 Joevera

Joevera
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:58 AM

Posted 22 November 2009 - 11:02 PM

Hello farbar and thank you for the assistance. Just to clarify, after running ComboFix, I turned on Internet Security and disabled idle time scans. If Live Update needs to be disabled during our fix, please advise. I followed the directions listed and the reports are below:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/22 21:27
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xAA254000 Size: 753664 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA6AD3000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMDS.SYS
Image Path: SYMDS.SYS
Address: 0xB9DDD000 Size: 352256 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xB9DB1000 Size: 180224 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Admin\Local Settings\Apps\2.0\YC66EHG0.XBL\ADC4PD7C.610\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Admin\Local Settings\Apps\2.0\YC66EHG0.XBL\ADC4PD7C.610\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Admin\Local Settings\Apps\2.0\YC66EHG0.XBL\ADC4PD7C.610\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Admin\Local Settings\Apps\2.0\YC66EHG0.XBL\ADC4PD7C.610\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x88497240

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x88497320

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x88499268

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8842f050

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8862c148

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa7be210

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x8846d2d0

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x884751c0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8844f108

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x8842f130

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa7be490

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa7be9f0

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x884700f0

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x88499088

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x88497080

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x88497160

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8a6a8c38

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x884332c0

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8846d1f0

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa7be7a0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x884702d0

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x88499008

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x8842f008

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x884701e0

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x884752b0

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x884980b8

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x88498008

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x88433110

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x8842f210

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xaa7bec40

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8846d110

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x88498198

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8847b038

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x88498278

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x88433200

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x88499178

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x8786b058

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x878dc300

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x878dc240

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x89bbde50

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x8849de50

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x8a68da18

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x89bdaf80

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x89bdaeb0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x8846b148

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x8867e680

==EOF==


ComboFix 09-11-22.04 - Admin 11/22/2009 21:44.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2030.1333 [GMT -6:00]
Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
.

2009-11-23 00:45 . 2009-09-23 02:00 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20091122.020\ECMSVR32.DLL
2009-11-23 00:45 . 2009-09-19 18:23 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20091122.020\NAVENG.SYS
2009-11-23 00:45 . 2009-09-19 18:23 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20091122.020\EECTRL.SYS
2009-11-23 00:45 . 2009-09-19 18:23 2747952 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20091122.020\CCERASER.DLL
2009-11-23 00:45 . 2009-09-19 18:23 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20091122.020\NAVENG32.DLL
2009-11-23 00:45 . 2009-09-19 18:23 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20091122.020\NAVEX32A.DLL
2009-11-23 00:45 . 2009-09-19 18:23 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20091122.020\NAVEX15.SYS
2009-11-23 00:45 . 2009-09-19 18:23 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20091122.020\ERASER.SYS
2009-11-20 02:17 . 2009-11-20 02:17 -------- d-----w- c:\program files\Trend Micro
2009-11-12 20:55 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091111.001\IDSvix86.sys
2009-11-12 20:55 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091111.001\IDSXpx86.sys
2009-11-12 20:55 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091111.001\Scxpx86.dll
2009-11-12 20:55 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091111.001\IDSxpx86.dll
2009-11-12 20:55 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091111.001\IDSviA64.sys
2009-11-04 23:50 . 2009-11-04 23:50 201616 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20091104.001\BHRules.dll
2009-11-04 23:50 . 2009-11-04 23:50 663088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20091104.001\BHDrvx64.sys
2009-11-04 23:50 . 2009-11-04 23:50 524848 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20091104.001\BHDrvx86.sys
2009-11-04 23:50 . 2009-11-04 23:50 1413520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20091104.001\BHEngine.dll
2009-11-04 23:50 . 2009-11-04 23:50 610704 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20091104.001\bbRGen.dll
2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-10-28 22:37 . 2009-10-28 22:37 343088 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091028.004\IDSvix86.sys
2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\IDSXpx86.sys
2009-10-28 22:37 . 2009-10-28 22:37 329592 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091028.004\IDSXpx86.sys
2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 811896 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091028.004\Scxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\IDSxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 488312 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091028.004\IDSxpx86.dll
2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\BinHub\IDSviA64.sys
2009-10-28 22:37 . 2009-10-28 22:37 466992 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091028.004\IDSviA64.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 03:25 . 2009-09-26 19:13 -------- d-----w- c:\program files\Common Files\Uninstall
2009-10-29 02:31 . 2009-09-19 17:22 784752 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\coFFPlgn\components\coFFPlgn.dll
2009-10-06 21:15 . 2009-10-06 21:15 -------- d-----w- c:\program files\Sony Online Entertainment
2009-09-27 16:40 . 2009-09-12 17:15 -------- d-sh--w- c:\documents and settings\All Users\Application Data\cd31e93
2009-08-29 07:36 . 2006-03-15 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2006-03-15 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2006-03-15 12:00 17408 ------w- c:\windows\system32\corpol.dll
2009-08-29 00:42 . 2009-09-10 02:12 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 00:42 . 2008-12-25 15:18 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 22:13 . 2009-09-19 17:22 900464 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\OCS\hsplayer.dll
2009-08-26 08:00 . 2006-03-15 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Google Update"="c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-19 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-11-15 151552]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-09-21 9138176]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Admin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1101000.013\SymDS.sys [11/9/2009 9:48 PM 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1101000.013\SymEFA.sys [11/9/2009 9:48 PM 171056]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20091104.001\BHDrvx86.sys [11/4/2009 5:50 PM 524848]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1101000.013\cchpx86.sys [11/9/2009 9:48 PM 501888]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1101000.013\Ironx86.sys [11/9/2009 9:48 PM 114736]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe [11/9/2009 9:48 PM 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/20/2009 9:08 AM 102448]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20091111.001\IDSXpx86.sys [11/12/2009 2:55 PM 329592]
.
Contents of the 'Scheduled Tasks' folder

2009-11-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2147341981-725345543-1003Core.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-19 02:39]

2009-11-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1214440339-2147341981-725345543-1003UA.job
- c:\documents and settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-19 02:39]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SigmatelSysTrayApp - sttray.exe
AddRemove-Toddler - D:\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 21:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\17.1.0.19\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1296)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-11-22 21:49
ComboFix-quarantined-files.txt 2009-11-23 03:49

Pre-Run: 303,884,480,512 bytes free
Post-Run: 304,262,397,952 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 5D7C39E3A5FE38FFA9B8740FCF118775

Thank you again and I await your reply.

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,690 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:58 AM

Posted 23 November 2009 - 12:35 PM

Well done. :(

Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:


@echo off
rem swxcacls is the SteelWerX Extended Configuration ACL tool; %%g is the hosts file
for %%g in (C:\WINDOWS\system32\drivers\etc\hosts
) do (
rem record the current ACL of the file in log.txt
swxcacls %%g  >log.txt
rem reset the ACL so the file can be modified again
swxcacls %%g /RESET /Q
rem clear the system, hidden and read-only attributes
attrib -s -h -r %%g
rem delete the file regardless of its attributes
del /a /f /q %%g
rem append a directory listing to the log to confirm it is gone
dir /a %%g >>log.txt)
Start Log.txt
rem the batch file removes itself when done
del %0

  • Go to the File menu at the top of the Notepad and select Save as.
  • Select Save in: desktop
  • Fill in File name: dirlook.bat
  • Save as type: All file types (*.*)
  • Click save.
  • Close the Notepad.
  • Locate and double-click dirlook.bat on the desktop.
  • A Notepad window opens; copy and paste its content (log.txt) into your reply.
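The symptom in this thread (google.com unreachable, a hosts file "full of hijacked domains") can be spotted from the file's content alone. The following is an added example, not Farbar's script or the poster's code: it parses hosts text, flags entries that send a name to a real address instead of black-holing it, and strips them. The sample hosts content and the 203.0.113.5 address are constructed for the example.

```python
import ipaddress
from typing import NamedTuple
# Constructed sample for this example (not the poster's file); 203.0.113.0/24
# is a documentation range standing in for the attacker's redirect target.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.com        # ad-block style entry: benign
203.0.113.5     www.google.com google.com
203.0.113.5     www.bing.com
"""
# Targets that only black-hole a name; ad blockers and the default file use them.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1", "::"}

class HostsEntry(NamedTuple):
    lineno: int
    address: str
    names: tuple

def parse_hosts(text):
    """One address then one or more names per line; '#' starts a comment;
    malformed lines are skipped rather than trusted."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append(HostsEntry(lineno, fields[0], tuple(fields[1:])))
    return entries

def find_hijacks(entries):
    """Entries that send a name to a real address instead of black-holing it:
    that is what a hosts hijack looks like (google.com pointed at a fake IP).
    A legitimate LAN entry is flagged the same way, so review before removing."""
    return [e for e in entries if e.address not in BLACKHOLE]

def sanitize(text):
    """Hosts text with every flagged line removed and comments plus black-hole
    entries kept; the result is what a rebuilt default hosts file should hold."""
    bad = {e.lineno for e in find_hijacks(parse_hosts(text))}
    kept = [l for n, l in enumerate(text.splitlines(), start=1) if n not in bad]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    for e in find_hijacks(parse_hosts(SAMPLE_HOSTS)):
        print(f"line {e.lineno}: {', '.join(e.names)} -> {e.address}")
```

On a live XP machine the file is read from C:\WINDOWS\system32\drivers\etc\hosts, and as the thread shows, write access may first have to be restored before the sanitized text can be written back.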


#5 Joevera

Joevera
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:58 AM

Posted 24 November 2009 - 07:59 PM

Per your request:

SteelWerX Extended Configuration Access Control Lists
Written by Bobbi Flekman 2006 ©

File/Folder: C:\WINDOWS\system32\drivers\etc\hosts does not exist

Volume in drive C has no label.
Volume Serial Number is 0816-1075

Directory of C:\WINDOWS\system32\drivers\etc

#6 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,690 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:58 AM

Posted 24 November 2009 - 08:30 PM

  • Please open HostsXpert; it will notify you that the hosts file doesn't exist and ask if you want to create one. Click OK.

  • Go to Start => Run => copy and paste next command in the field then hit enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  • I strongly recommend that you update your Adobe Acrobat.
Do you have any questions before we close the topic?

#7 Joevera

Joevera
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:58 AM

Posted 25 November 2009 - 08:36 PM

farbar,

I sincerely appreciate your expertise and assistance. It appears things are in working order once again. Thank you.

#8 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,690 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:10:58 AM

Posted 26 November 2009 - 12:53 PM

You are most welcome, Joevera. :(

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



