
Computer keeps redirecting webpages in IE, firefox, and google chrome


12 replies to this topic

#1 tladie21

tladie21

  • Members
  • 14 posts
  • Local time:08:07 PM

Posted 29 March 2011 - 11:09 PM

For a week my computer has redirected every time I log onto the computer. I used Firefox as my browser, and tried to run Malwarebytes and McAfee to see if it was a virus. They came up with nothing. I then tried to log onto this website (BleepingComputer) and then my computer wouldn't allow me to get on the internet.

So I logged on in safe mode with networking. I tried to run Malwarebytes and McAfee again in safe mode, with no luck. Malwarebytes gave me an error message; it said it was missing a specific path, and McAfee had to be turned on, but when I hit the scan button, it immediately turned back off. I can not give exact error messages because, frustrated with everything, I uninstalled all the antivirus software and downloaded the SUPERAntiSpyware free edition to my computer.

I ran this software, also in safe mode, and it first came up with 225 threats. I had them removed, and the computer restarted automatically. I tried to see if that worked, but when I went to a website, it did the same thing: redirect my page. I haven't been on my computer since Sunday night because I'm frustrated, about to throw the computer out of the window!!

I am running the antivirus software in safe mode once again now; it's been going on for about 30 mins, doing a full scan. So far it has 6 threats. I really need to get this fixed. I am unable to finish my school work because I can't get the stupid computer to stop redirecting my pages!! Thanks in advance.



#2 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:09:07 PM

Posted 30 March 2011 - 01:34 PM

Hi tladie21,

Can you post the log from MBAM and any logs from McAfee, please?
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#3 tladie21

tladie21
  • Topic Starter

  • Members
  • 14 posts
  • Local time:08:07 PM

Posted 30 March 2011 - 06:42 PM

I have uninstalled both McAfee and Malwarebytes from my computer because I could not get them to run in safe mode. I was able to download and run SUPERAntiSpyware, and here is the log from last night.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/29/2011 at 11:17 PM

Application Version : 4.50.1002

Core Rules Database Version : 6708
Trace Rules Database Version: 4520

Scan type : Complete Scan
Total Scan Time : 00:41:37

Memory items scanned : 282
Memory threats detected : 0
Registry items scanned : 7277
Registry threats detected : 0
File items scanned : 22113
File threats detected : 6

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@ad.wsod[2].txt
a.ads2.msads.net [ C:\Documents and Settings\Administrator\Application Data\Macromedia\Flash Player\#SharedObjects\FJYU2EXX ]

Trojan.Agent/Gen-IEFake
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RARSFX3\H\IEXPLORE.EXE
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RARSFX3\PROCS\IEXPLORE.EXE

Trojan.Agent/Gen-IExplorer[Fake]
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RARSFX3\NIRD\IEXPLORE.EXE

Trojan.Agent/Gen-PEC
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\RARSFX3\PROCS\EXPLORER.EXE

#4 tladie21

tladie21
  • Topic Starter

  • Members
  • 14 posts
  • Local time:08:07 PM

Posted 30 March 2011 - 06:45 PM

Oh, note: I am still searching and doing everything in safe mode...

#5 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:09:07 PM

Posted 31 March 2011 - 06:42 AM

Hi tladie21,

Looks like SAS was able to remove a few things from your computer. Can you reboot in Normal Mode and get to the internet?
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#6 tladie21

tladie21
  • Topic Starter

  • Members
  • 14 posts
  • Local time:08:07 PM

Posted 31 March 2011 - 10:12 PM

Yes. I am finally able to get on the internet in normal mode. I just ran SAS again. Here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/31/2011 at 09:54 PM

Application Version : 4.50.1002

Core Rules Database Version : 6726
Trace Rules Database Version: 4538

Scan type : Complete Scan
Total Scan Time : 01:05:30

Memory items scanned : 430
Memory threats detected : 0
Registry items scanned : 7676
Registry threats detected : 0
File items scanned : 22265
File threats detected : 56

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@content.yieldmanager[1].txt
C:\Documents and Settings\Owner\Cookies\owner@imrworldwide[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.wsod[2].txt
C:\Documents and Settings\Owner\Cookies\owner@advertise[1].txt
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
C:\Documents and Settings\Owner\Cookies\owner@collective-media[1].txt
C:\Documents and Settings\Owner\Cookies\owner@pointroll[2].txt
C:\Documents and Settings\Owner\Cookies\owner@adbrite[2].txt
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt
C:\Documents and Settings\Owner\Cookies\owner@click.predirtwo[1].txt
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
C:\Documents and Settings\Owner\Cookies\owner@invitemedia[2].txt
149.memecounter.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
a.ads2.msads.net [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
ads2.msads.net [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
b.ads2.msads.net [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
c2.zedo.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
cache.specificmedia.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
cdn.insights.gravity.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
cdn4.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
content.oddcast.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
core.insightexpressai.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
ia.media-imdb.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
interclick.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
m.media-yoomee.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
m1.2mdn.net [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
m3.2mdn.net [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
macromedia.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
media.mtvnservices.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
media.mtvu.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
media.scanscout.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
media.socialvibe.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
media.y3.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
media.y8.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
media01.kyte.tv [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
media1.break.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
media2.y3.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
media3.y8.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
memecounter.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
msnbcmedia.msn.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
msntest.serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
multimedia.msn.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
objects.tremormedia.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
s0.2mdn.net [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
secure-us.imrworldwide.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
serving-sys.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
sftrack.searchforce.net [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
speed.pointroll.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
static.2mdn.net [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
static.sexsearchcom.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
udn.specificclick.net [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
www.advancetracker.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
www.animaticmedia.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
www.pornhub.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]
www.soundclick.com [ C:\Documents and Settings\Owner\Application Data\Macromedia\Flash Player\#SharedObjects\JRZVMDYA ]

#7 tladie21

tladie21
  • Topic Starter

  • Members
  • 14 posts
  • Local time:08:07 PM

Posted 31 March 2011 - 11:27 PM

I kept running SAS until I got a clean log. Unfortunately, when I got on the internet and tried to go to a webpage, it did the same thing: redirect my page to something called mevio. I tried in Google search and Yahoo... same results. Running SAS again!! But I doubt this is working.

#8 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:09:07 PM

Posted 01 April 2011 - 07:03 AM

Hi tladie21,

OK, looks like SAS is cleaning off just tracking cookies now. That's a good thing. We're gonna update your Hosts file.

Please download HostsXpert 4.3
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make ReadOnly?".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Then I'd also like to take a look for a possible rootkit on your machine.

Please download GMER from one of the following locations and save it to your desktop:

* Main Mirror
This version will download a randomly named file (Recommended)
* Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

* Disconnect from the Internet and close all running programs.
* Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
* Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
* Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

* GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
* If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
* Now click the Scan button. If you see a rootkit warning window, click OK.
* When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
* Click the Copy button and paste the results into your next reply.
* Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

Post the log from GMER and let me know whether or not HostsXpert was able to make changes to your Hosts file.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca
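The "Restore MS Hosts File" step above replaces the file outright. As an added example, not part of HostsXpert or of this thread, the Python script below shows what an auditor would look for before doing that: it parses a hosts file and reports every mapping other than the stock localhost line, separating names sinkholed to loopback (blocked sites, typically security vendors) from names pinned to another address (redirected sites). The file contents are constructed, and 203.0.113.10 is a documentation-range placeholder.

```python
import ipaddress

# Constructed sample hosts file (not taken from the thread): the stock
# Microsoft entry followed by the two kinds of entry a redirecting
# infection adds. 203.0.113.10 is a placeholder address, not a real one.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
203.0.113.10    www.google.com
203.0.113.10    www.bing.com
127.0.0.1       www.superantispyware.com
"""

# Names that legitimately map to loopback in a stock Windows hosts file.
STOCK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Yield (line number, ip, hostname) for every mapping, ignoring comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line; a fuller audit would report it too
        for name in names:
            yield lineno, ip, name.lower()


def audit_hosts(text):
    """Return non-stock entries as (line, name, ip, reason) tuples."""
    suspicious = []
    for lineno, ip, name in parse_hosts(text):
        if name in STOCK_NAMES and ip.is_loopback:
            continue  # the one entry a fresh Windows hosts file contains
        if ip.is_loopback or ip.is_unspecified:
            # The name resolves to the machine itself, so the site is
            # unreachable: the "knocked off the internet" symptom.
            reason = "sinkholed (blocked) host"
        else:
            # The name resolves to an address the file's author chose, so the
            # browser shows that address's content whatever the user typed.
            reason = f"redirected to {ip}"
        suspicious.append((lineno, name, str(ip), reason))
    return suspicious


if __name__ == "__main__":
    for lineno, name, ip, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}: {reason}")
```

On a machine that uses a third-party ad-blocking hosts list, expect many loopback rows; the redirect rows are the ones that matter for this thread's symptom.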

#9 tladie21

tladie21
  • Topic Starter

  • Members
  • 14 posts
  • Local time:08:07 PM

Posted 02 April 2011 - 11:26 AM

OK. Tried downloading the HostsXpert. I think it did what it was supposed to do. Not sure. Anyway, tried to download GMER in normal mode; the virus knocked me off the internet and terminated the download. I tried twice, and then rebooted the computer in safe mode to try and download it. It said download complete and I went to follow the instructions from here, but I didn't see all the things described. First, whenever I hit run, it opens. Half the screen is greyed out, but at the bottom I see it scanning something. Then it goes to the malware/rootkit screen and has four items. I tried to copy them but it wouldn't let me copy it; the only options I had were OK and Cancel at the bottom. I clicked OK and everything went away. I tried to run it twice like this and the same thing happened. The third time I tried to open it, it gave me an error message. It said:

C:\documentsandsettings\administrator\desktop\hmwfz395.exe
Error: A device attached to the system is not functioning

I didn't disable SAS. Not sure if this has anything to do with it, but I went to that link and didn't find anything about disabling SAS, and I opened SAS and couldn't figure out how to turn it off.

#10 tladie21

tladie21
  • Topic Starter

  • Members
  • 14 posts
  • Local time:08:07 PM

Posted 02 April 2011 - 11:53 AM

OK, so after I sent this reply I rebooted in normal mode and re-ran GMER. I noticed that I was able to see all of the buttons now (as they are larger in safe mode) :lol: and here is the log from this scan.

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-02 11:46:22
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD400BB-00CAA0 rev.16.06V16
Running: 8xnzi4p9.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kgtoapow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xECA62620]

---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\dmio.sys entry point in ".rsrc" section [0xF77ECB14]

---- User code sections - GMER 1.0.15 ----

.text C:\program files\real\realplayer\update\realsched.exe[1040] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.EXE[324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C42F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj03.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C42C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj03.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C42CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj03.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[324] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C42CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj03.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 86F32AF1
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 86F32AF1
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 86F32AF1
Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD400BB-00CAA0______________________16.06V16#4457572d414d4838313236373737_033_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd@imagepath \systemroot\system32\drivers\geyekridoqmnrs.sys
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd\main@aid 10131
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekridoqmnrs.sys
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd\modules@geyekrcmd.dll \systemroot\system32\geyekrbuyxurub.dll
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd\modules@geyekrlog.dat \systemroot\system32\geyekrtaaxvrib.dat
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd\modules@geyekrwsp.dll \systemroot\system32\geyekrryqkrvko.dll
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd\modules@geyekr.dat \systemroot\system32\geyekrsvdllrlx.dat
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrivbfpmpd@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrivbfpmpd@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrivbfpmpd@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrivbfpmpd@imagepath \systemroot\system32\drivers\geyekridoqmnrs.sys
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrivbfpmpd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrivbfpmpd\main@aid 10131
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrivbfpmpd\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrivbfpmpd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrivbfpmpd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrivbfpmpd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrivbfpmpd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrivbfpmpd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrivbfpmpd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrivbfpmpd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekridoqmnrs.sys
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrivbfpmpd\modules@geyekrcmd.dll \systemroot\system32\geyekrbuyxurub.dll
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrivbfpmpd\modules@geyekrlog.dat \systemroot\system32\geyekrtaaxvrib.dat
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrivbfpmpd\modules@geyekrwsp.dll \systemroot\system32\geyekrryqkrvko.dll
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrivbfpmpd\modules@geyekr.dat \systemroot\system32\geyekrsvdllrlx.dat
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrivbfpmpd@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrivbfpmpd@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrivbfpmpd@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrivbfpmpd@imagepath \systemroot\system32\drivers\geyekridoqmnrs.sys
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrivbfpmpd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrivbfpmpd\main@aid 10131
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrivbfpmpd\main@sid 0
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrivbfpmpd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrivbfpmpd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrivbfpmpd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrivbfpmpd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrivbfpmpd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrivbfpmpd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrivbfpmpd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekridoqmnrs.sys
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrivbfpmpd\modules@geyekrcmd.dll \systemroot\system32\geyekrbuyxurub.dll
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrivbfpmpd\modules@geyekrlog.dat \systemroot\system32\geyekrtaaxvrib.dat
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrivbfpmpd\modules@geyekrwsp.dll \systemroot\system32\geyekrryqkrvko.dll
Reg HKLM\SYSTEM\ControlSet004\Services\geyekrivbfpmpd\modules@geyekr.dat \systemroot\system32\geyekrsvdllrlx.dat
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrivbfpmpd@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrivbfpmpd@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrivbfpmpd@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrivbfpmpd@imagepath \systemroot\system32\drivers\geyekridoqmnrs.sys
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrivbfpmpd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrivbfpmpd\main@aid 10131
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrivbfpmpd\main@sid 0
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrivbfpmpd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrivbfpmpd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrivbfpmpd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrivbfpmpd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrivbfpmpd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrivbfpmpd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrivbfpmpd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekridoqmnrs.sys
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrivbfpmpd\modules@geyekrcmd.dll \systemroot\system32\geyekrbuyxurub.dll
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrivbfpmpd\modules@geyekrlog.dat \systemroot\system32\geyekrtaaxvrib.dat
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrivbfpmpd\modules@geyekrwsp.dll \systemroot\system32\geyekrryqkrvko.dll
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrivbfpmpd\modules@geyekr.dat \systemroot\system32\geyekrsvdllrlx.dat
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrivbfpmpd@start 1
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrivbfpmpd@type 1
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrivbfpmpd@group file system
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrivbfpmpd@imagepath \systemroot\system32\drivers\geyekridoqmnrs.sys
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrivbfpmpd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrivbfpmpd\main@aid 10131
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrivbfpmpd\main@sid 0
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrivbfpmpd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrivbfpmpd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrivbfpmpd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrivbfpmpd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrivbfpmpd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrivbfpmpd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrivbfpmpd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekridoqmnrs.sys
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrivbfpmpd\modules@geyekrcmd.dll \systemroot\system32\geyekrbuyxurub.dll
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrivbfpmpd\modules@geyekrlog.dat \systemroot\system32\geyekrtaaxvrib.dat
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrivbfpmpd\modules@geyekrwsp.dll \systemroot\system32\geyekrryqkrvko.dll
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrivbfpmpd\modules@geyekr.dat \systemroot\system32\geyekrsvdllrlx.dat

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\dmio.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
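Reading a GMER log by hand is tedious. As an added example (written for this page, not part of GMER or of this thread), the Python script below parses the log into its sections and applies the checks an analyst reads it for: the Files verdict on dmio.sys, a kernel driver whose entry point sits in its .rsrc section rather than its code section (the pattern the TDL3 verdict above refers to), the SSDT hook (reported for review, since a security product's driver owns it here), and the hidden geyekr* service collapsed from its per-ControlSet copies into one record. The sample log is a shortened copy of the lines posted above; the severity labels and rule names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the GMER log posted in this thread
# (same file, driver and service names), just enough to exercise every rule.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xECA62620]
---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\WINDOWS\system32\drivers\dmio.sys entry point in ".rsrc" section [0xF77ECB14]
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd@imagepath \systemroot\system32\drivers\geyekridoqmnrs.sys
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\geyekrivbfpmpd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\geyekrivbfpmpd@imagepath \systemroot\system32\drivers\geyekridoqmnrs.sys
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\drivers\dmio.sys suspicious modification; TDL3 <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+(.+?)\s+\((.*?)\)\s+(\w+)\s+\[")
ENTRY_POINT_RE = re.compile(r'^\.(\w+)\s+(.+?) entry point in "\.(\w+)" section')
SERVICE_RE = re.compile(
    r"^Reg HKLM\\SYSTEM\\(ControlSet\d+)\\Services\\([^\\@]+)(\\[^@]+)?@(\S+)\s*(.*)$"
)


def parse_sections(text):
    """Split a GMER log into {section name: [non-empty lines]}."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line.strip() and current and current != "EOF":
            sections[current].append(line.rstrip())
    return sections


def triage(text):
    """Return (severity, kind, detail) findings for a GMER log."""
    sections = parse_sections(text)
    findings = []
    # Rule 1: GMER's own file verdicts are the strongest signal in the log.
    for line in sections.get("Files", []):
        if "suspicious modification" in line or "ROOTKIT" in line:
            findings.append(("critical", "patched_system_file", line[len("File "):]))
    # Rule 2: a driver whose entry point lies outside its code section has
    # been patched; this is how the dmio.sys modification shows up above.
    for line in sections.get("Kernel code sections", []):
        m = ENTRY_POINT_RE.match(line)
        if m and m.group(3) != "text":
            findings.append(("high", "entry_point_in_" + m.group(3), m.group(2)))
    # Rule 3: SSDT hooks. Some security products hook legitimately, so report
    # the owning module and leave the "expected or not" call to the analyst.
    for line in sections.get("System", []):
        m = SSDT_RE.match(line)
        if m:
            findings.append(("review", "ssdt_hook", f"{m.group(3)} <- {m.group(1)}"))
    # Rule 4: hidden services. GMER's Registry section lists keys hidden from
    # the normal API; collapse the per-ControlSet copies into one record per
    # service so the image path and injected DLLs are visible at a glance.
    services = defaultdict(lambda: {"sets": set(), "image": None, "injects": set()})
    for line in sections.get("Registry", []):
        m = SERVICE_RE.match(line)
        if not m:
            continue  # subkey-only lines carry no value to record
        cset, name, subkey, value, data = m.groups()
        rec = services[name]
        rec["sets"].add(cset)
        if value.lower() == "imagepath":
            rec["image"] = data
        elif subkey and subkey.lower().endswith(r"\injector"):
            rec["injects"].add(data)
    for name, rec in services.items():
        detail = (f"{name} image={rec['image']} injects={sorted(rec['injects'])} "
                  f"in {len(rec['sets'])} ControlSets")
        findings.append(("high", "hidden_service", detail))
    return findings


if __name__ == "__main__":
    for sev, kind, detail in triage(SAMPLE_LOG):
        print(f"[{sev:8}] {kind}: {detail}")
```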

#11 tladie21

tladie21
  • Topic Starter

  • Members
  • 14 posts
  • Local time:08:07 PM

Posted 03 April 2011 - 11:30 PM

Trying to see if anyone was still helping me??? :wacko: It's been a while since I did the last test... and I just wanted to know if there was any help for me.. :o

#12 techextreme

techextreme

    Bleepin Tech


  • Members
  • 2,125 posts
  • Gender:Male
  • Location:Pittsburgh, PA
  • Local time:09:07 PM

Posted 04 April 2011 - 10:07 AM

Hello tladie21,

I was away for the weekend and had to consult with a Moderator on your topic.

First, I need to give you this information:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you would like to go ahead with cleaning your computer, I think this one is best left to the experts, so I'm going to refer you to the Virus, Trojan, Spyware, and Malware Removal Logs Forum.

Please read the Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help in cleaning your computer. Once complete, post a link back to this forum so the MRT team knows what we have tried.

Please be patient, as the MRT team is quite busy sometimes and it may take a day or even a few for someone to pick up your log, but someone will get back to you.

The choice is up to you.

Again, sorry for my delay in getting back to you but I wanted to be sure I gave you the correct information.
Techextreme

"Admire those who attempt great things, even though they fail."

-- Seneca

#13 tladie21

tladie21
  • Topic Starter

  • Members
  • 14 posts
  • Local time:08:07 PM

Posted 04 April 2011 - 12:44 PM

Thanks for the info.. man.. that is wild!! This is the 2nd computer in the past 3 years that I have had to replace. On the last one, I had paid antivirus (Norton). I'm at work at the moment, but I will look at this again when I get home, and I will follow your instructions. I will go ahead with cleaning my computer, and I will follow your advice about the banking/financial info. I figured things may be compromised, so I never logged back into my bank acct. But I will still take precautions because I'm not sure how long this has been on my computer. Thanks. I will be back on after 7pm.



