View Full Version : Need help desperately
usmc4295
2009-10-23, 23:53
I read that I should start a post if I cannot run HJT,well not only can I not run it everytime I even try to go to the website mozilla crashes,if I do a google search for HJT SB S&D kypersky or any other tool that I have used int he past it shuts down I cannot DL anything or start any of the aforementioned programs, even if I click a link on the forums here with any of those mentioned my internet browser shuts down
Hello
Welcome to Safer Networking.
Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.
See if you can download this tool, if not you may have to go to a known clean computer, download it, burn it to disk ( not a usb drive ) and transfer it to the infected one, run it and post the log please.
Please download RootRepeal one of these locations and save it to your desktop
Here (http://ad13.geekstogo.com/RootRepeal.exe)
Here (http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe)
Here (http://rootrepeal.psikotick.com/RootRepeal.exe)
Open http://billy-oneal.com/forums/rootRepeal/rootRepealDesktopIcon.png on your desktop.
Click the http://billy-oneal.com/forums/rootRepeal/reportTab.png tab.
Click the http://billy-oneal.com/forums/rootRepeal/btnScan.png button.
Check just these boxes:
http://forums.whatthetech.com/uploads/monthly_08_2009/post-75503-1250480183.gif
Push Ok
Check the box for your main system drive (Usually C:, and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the http://billy-oneal.com/forums/rootRepeal/saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.
usmc4295
2009-10-24, 21:27
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/24 13:13
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xF74AF000 Size: 57344 File Visible: - Signed: -
Status: -
Name: 32ba6ee53eb113fe6f9cfec56b71c99f.sys
Image Path: 32ba6ee53eb113fe6f9cfec56b71c99f.sys
Address: 0xF74BF000 Size: 57344 File Visible: No Signed: -
Status: -
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF7440000 Size: 187776 File Visible: - Signed: -
Status: -
Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: -
Status: -
Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF6FEE000 Size: 138496 File Visible: - Signed: -
Status: -
Name: AN983.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AN983.sys
Address: 0xF756F000 Size: 36224 File Visible: - Signed: -
Status: -
Name: atapi.sys
Image Path: atapi.sys
Address: 0xF73F8000 Size: 96512 File Visible: - Signed: -
Status: -
Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -
Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF75FF000 Size: 45056 File Visible: - Signed: -
Status: -
Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF789F000 Size: 12288 File Visible: - Signed: -
Status: -
Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF762F000 Size: 63744 File Visible: - Signed: -
Status: -
Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF754F000 Size: 62976 File Visible: - Signed: -
Status: -
Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF74FF000 Size: 53248 File Visible: - Signed: -
Status: -
Name: disk.sys
Image Path: disk.sys
Address: 0xF74EF000 Size: 36352 File Visible: - Signed: -
Status: -
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF6F13000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79AD000 Size: 8192 File Visible: No Signed: -
Status: -
Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF7927000 Size: 12288 File Visible: - Signed: -
Status: -
Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -
Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7B0E000 Size: 4096 File Visible: - Signed: -
Status: -
Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF73D8000 Size: 129792 File Visible: - Signed: -
Status: -
Name: framebuf.dll
Image Path: C:\WINDOWS\System32\framebuf.dll
Address: 0xBFF50000 Size: 12288 File Visible: - Signed: -
Status: -
Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF79A1000 Size: 7936 File Visible: - Signed: -
Status: -
Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF7410000 Size: 125056 File Visible: - Signed: -
Status: -
Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
Address: 0xF791F000 Size: 9984 File Visible: - Signed: -
Status: -
Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000 Size: 131840 File Visible: - Signed: -
Status: -
Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF757F000 Size: 52480 File Visible: - Signed: -
Status: -
Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF753F000 Size: 42112 File Visible: - Signed: -
Status: -
Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xF7010000 Size: 152832 File Visible: - Signed: -
Status: -
Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xF70B7000 Size: 75264 File Visible: - Signed: -
Status: -
Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF748F000 Size: 37248 File Visible: - Signed: -
Status: -
Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF7777000 Size: 24576 File Visible: - Signed: -
Status: -
Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF798F000 Size: 8192 File Visible: - Signed: -
Status: -
Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF7274000 Size: 143360 File Visible: - Signed: -
Status: -
Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF73AF000 Size: 92928 File Visible: - Signed: -
Status: -
Name: Lbd.sys
Image Path: Lbd.sys
Address: 0xF750F000 Size: 57472 File Visible: - Signed: -
Status: -
Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF776F000 Size: 23040 File Visible: - Signed: -
Status: -
Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF74CF000 Size: 42368 File Visible: - Signed: -
Status: -
Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xF6F53000 Size: 455296 File Visible: - Signed: -
Status: -
Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF77FF000 Size: 19072 File Visible: - Signed: -
Status: -
Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF75BF000 Size: 35072 File Visible: - Signed: -
Status: -
Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF793F000 Size: 15488 File Visible: - Signed: -
Status: -
Name: Mup.sys
Image Path: Mup.sys
Address: 0xF72DB000 Size: 105344 File Visible: - Signed: -
Status: -
Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF72F5000 Size: 182656 File Visible: - Signed: -
Status: -
Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF792B000 Size: 10112 File Visible: - Signed: -
Status: -
Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF7235000 Size: 91520 File Visible: - Signed: -
Status: -
Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF75EF000 Size: 40576 File Visible: - Signed: -
Status: -
Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF760F000 Size: 34688 File Visible: - Signed: -
Status: -
Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xF7036000 Size: 162816 File Visible: - Signed: -
Status: -
Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF780F000 Size: 30848 File Visible: - Signed: -
Status: -
Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7322000 Size: 574976 File Visible: - Signed: -
Status: -
Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: -
Status: -
Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7B66000 Size: 2944 File Visible: - Signed: -
Status: -
Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF749F000 Size: 61696 File Visible: - Signed: -
Status: -
Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF770F000 Size: 19712 File Visible: - Signed: -
Status: -
Name: pci.sys
Image Path: pci.sys
Address: 0xF742F000 Size: 68224 File Visible: - Signed: -
Status: -
Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7A57000 Size: 3328 File Visible: - Signed: -
Status: -
Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF7717000 Size: 28672 File Visible: - Signed: -
Status: -
Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: -
Status: -
Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF7224000 Size: 69120 File Visible: - Signed: -
Status: -
Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF77A7000 Size: 17792 File Visible: - Signed: -
Status: -
Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF7973000 Size: 8832 File Visible: - Signed: -
Status: -
Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF758F000 Size: 51328 File Visible: - Signed: -
Status: -
Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF759F000 Size: 41472 File Visible: - Signed: -
Status: -
Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF75AF000 Size: 48384 File Visible: - Signed: -
Status: -
Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF77B7000 Size: 16512 File Visible: - Signed: -
Status: -
Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: -
Status: -
Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xF6FC3000 Size: 175744 File Visible: - Signed: -
Status: -
Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF79A5000 Size: 4224 File Visible: - Signed: -
Status: -
Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF755F000 Size: 57600 File Visible: - Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF68B9000 Size: 49152 File Visible: No Signed: -
Status: -
Name: sr.sys
Image Path: sr.sys
Address: 0xF73C6000 Size: 73472 File Visible: - Signed: -
Status: -
Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xF6929000 Size: 333952 File Visible: - Signed: -
Status: -
Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF7997000 Size: 4352 File Visible: - Signed: -
Status: -
Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xF705E000 Size: 361600 File Visible: - Signed: -
Status: -
Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF7797000 Size: 20480 File Visible: - Signed: -
Status: -
Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF75CF000 Size: 40704 File Visible: - Signed: -
Status: -
Name: TSDDD.dll
Image Path: C:\WINDOWS\System32\TSDDD.dll
Address: 0xBF9D5000 Size: 12288 File Visible: - Signed: -
Status: -
Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF7126000 Size: 384768 File Visible: - Signed: -
Status: -
Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF799B000 Size: 8192 File Visible: - Signed: -
Status: -
Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF7757000 Size: 30208 File Visible: - Signed: -
Status: -
Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF75DF000 Size: 59520 File Visible: - Signed: -
Status: -
Name: usbohci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xF774F000 Size: 17152 File Visible: - Signed: -
Status: -
Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF7297000 Size: 147456 File Visible: - Signed: -
Status: -
Name: USBSTOR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xF782F000 Size: 26368 File Visible: - Signed: -
Status: -
Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF77EF000 Size: 20992 File Visible: - Signed: -
Status: -
Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\drivers\VIDEOPRT.SYS
Address: 0xF70EA000 Size: 81920 File Visible: - Signed: -
Status: -
Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF74DF000 Size: 52352 File Visible: - Signed: -
Status: -
Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF784F000 Size: 20480 File Visible: - Signed: -
Status: -
Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -
Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -
Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7991000 Size: 8192 File Visible: - Signed: -
Status: -
Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: -
Status: -
usmc4295
2009-10-24, 21:31
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/24 13:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Processes
-------------------
Path: System
PID: 4 Status: -
Path: C:\Program Files\Internet Explorer\iexplore.exe
PID: 272 Status: -
Path: C:\WINDOWS\system32\smss.exe
PID: 356 Status: -
Path: C:\WINDOWS\system32\csrss.exe
PID: 412 Status: -
Path: C:\WINDOWS\system32\winlogon.exe
PID: 436 Status: -
Path: C:\WINDOWS\system32\services.exe
PID: 480 Status: -
Path: C:\WINDOWS\system32\lsass.exe
PID: 492 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 516 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 644 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 660 Status: -
Path: C:\WINDOWS\system32\winlogon.exe
PID: 668 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 748 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 828 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 864 Status: -
Path: C:\WINDOWS\sv2.exe
PID: 976 Status: -
Path: C:\WINDOWS\system32\svchost.exe
PID: 988 Status: -
Path: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PID: 1008 Status: -
Path: C:\WINDOWS\explorer.exe
PID: 1268 Status: -
Path: C:\WINDOWS\system32\ctfmon.exe
PID: 1676 Status: -
Path: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 1724 Status: -
Path: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 1932 Status: -
Path: C:\WINDOWS\system32\csrss.exe
PID: 1956 Status: -
Path: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PID: 1984 Status: -
Path: C:\Documents and Settings\Owner\Local Settings\Temp\RootRepeal\RootRepeal.exe
PID: 2888 Status: -
Path: C:\WINDOWS\system32\lsm32.sys
PID: 3280 Status: -
Path: C:\Program Files\WinRAR\WinRAR.exe
PID: 3288 Status: -
Path: C:\WINDOWS\explorer.exe
PID: 3600 Status: -
SSDT:
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/24 13:17
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
SSDT
-------------------
#: 000 Function Name: NtAcceptConnectPort
Status: Not hooked
#: 001 Function Name: NtAccessCheck
Status: Not hooked
#: 002 Function Name: NtAccessCheckAndAuditAlarm
Status: Not hooked
#: 003 Function Name: NtAccessCheckByType
Status: Not hooked
#: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm
Status: Not hooked
#: 005 Function Name: NtAccessCheckByTypeResultList
Status: Not hooked
#: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm
Status: Not hooked
#: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle
Status: Not hooked
#: 008 Function Name: NtAddAtom
Status: Not hooked
#: 009 Function Name: NtAddBootEntry
Status: Not hooked
#: 010 Function Name: NtAdjustGroupsToken
Status: Not hooked
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Not hooked
#: 012 Function Name: NtAlertResumeThread
Status: Not hooked
#: 013 Function Name: NtAlertThread
Status: Not hooked
#: 014 Function Name: NtAllocateLocallyUniqueId
Status: Not hooked
#: 015 Function Name: NtAllocateUserPhysicalPages
Status: Not hooked
#: 016 Function Name: NtAllocateUuids
Status: Not hooked
#: 017 Function Name: NtAllocateVirtualMemory
Status: Not hooked
#: 018 Function Name: NtAreMappedFilesTheSame
Status: Not hooked
#: 019 Function Name: NtAssignProcessToJobObject
Status: Not hooked
#: 020 Function Name: NtCallbackReturn
Status: Not hooked
#: 021 Function Name: NtCancelDeviceWakeupRequest
Status: Not hooked
#: 022 Function Name: NtCancelIoFile
Status: Not hooked
#: 023 Function Name: NtCancelTimer
Status: Not hooked
#: 024 Function Name: NtClearEvent
Status: Not hooked
#: 025 Function Name: NtClose
Status: Not hooked
#: 026 Function Name: NtCloseObjectAuditAlarm
Status: Not hooked
#: 027 Function Name: NtCompactKeys
Status: Not hooked
#: 028 Function Name: NtCompareTokens
Status: Not hooked
#: 029 Function Name: NtCompleteConnectPort
Status: Not hooked
#: 030 Function Name: NtCompressKey
Status: Not hooked
#: 031 Function Name: NtConnectPort
Status: Not hooked
#: 032 Function Name: NtContinue
Status: Not hooked
#: 033 Function Name: NtCreateDebugObject
Status: Not hooked
#: 034 Function Name: NtCreateDirectoryObject
Status: Not hooked
#: 035 Function Name: NtCreateEvent
Status: Not hooked
#: 036 Function Name: NtCreateEventPair
Status: Not hooked
#: 037 Function Name: NtCreateFile
Status: Not hooked
#: 038 Function Name: NtCreateIoCompletion
Status: Not hooked
#: 039 Function Name: NtCreateJobObject
Status: Not hooked
#: 040 Function Name: NtCreateJobSet
Status: Not hooked
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf750f87e
#: 042 Function Name: NtCreateMailslotFile
Status: Not hooked
#: 043 Function Name: NtCreateMutant
Status: Not hooked
#: 044 Function Name: NtCreateNamedPipeFile
Status: Not hooked
#: 045 Function Name: NtCreatePagingFile
Status: Not hooked
#: 046 Function Name: NtCreatePort
Status: Not hooked
#: 047 Function Name: NtCreateProcess
Status: Not hooked
#: 048 Function Name: NtCreateProcessEx
Status: Not hooked
#: 049 Function Name: NtCreateProfile
Status: Not hooked
#: 050 Function Name: NtCreateSection
Status: Not hooked
#: 051 Function Name: NtCreateSemaphore
Status: Not hooked
#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Not hooked
#: 053 Function Name: NtCreateThread
Status: Not hooked
#: 054 Function Name: NtCreateTimer
Status: Not hooked
#: 055 Function Name: NtCreateToken
Status: Not hooked
#: 056 Function Name: NtCreateWaitablePort
Status: Not hooked
#: 057 Function Name: NtDebugActiveProcess
Status: Not hooked
#: 058 Function Name: NtDebugContinue
Status: Not hooked
#: 059 Function Name: NtDelayExecution
Status: Not hooked
#: 060 Function Name: NtDeleteAtom
Status: Not hooked
#: 061 Function Name: NtDeleteBootEntry
Status: Not hooked
#: 062 Function Name: NtDeleteFile
Status: Not hooked
#: 063 Function Name: NtDeleteKey
Status: Not hooked
#: 064 Function Name: NtDeleteObjectAuditAlarm
Status: Not hooked
#: 065 Function Name: NtDeleteValueKey
Status: Not hooked
#: 066 Function Name: NtDeviceIoControlFile
Status: Not hooked
#: 067 Function Name: NtDisplayString
Status: Not hooked
#: 068 Function Name: NtDuplicateObject
Status: Not hooked
#: 069 Function Name: NtDuplicateToken
Status: Not hooked
#: 070 Function Name: NtEnumerateBootEntries
Status: Not hooked
#: 071 Function Name: NtEnumerateKey
Status: Not hooked
#: 072 Function Name: NtEnumerateSystemEnvironmentValuesEx
Status: Not hooked
#: 073 Function Name: NtEnumerateValueKey
Status: Not hooked
#: 074 Function Name: NtExtendSection
Status: Not hooked
#: 075 Function Name: NtFilterToken
Status: Not hooked
#: 076 Function Name: NtFindAtom
Status: Not hooked
#: 077 Function Name: NtFlushBuffersFile
Status: Not hooked
#: 078 Function Name: NtFlushInstructionCache
Status: Not hooked
#: 079 Function Name: NtFlushKey
Status: Not hooked
#: 080 Function Name: NtFlushVirtualMemory
Status: Not hooked
#: 081 Function Name: NtFlushWriteBuffer
Status: Not hooked
#: 082 Function Name: NtFreeUserPhysicalPages
Status: Not hooked
#: 083 Function Name: NtFreeVirtualMemory
Status: Not hooked
#: 084 Function Name: NtFsControlFile
Status: Not hooked
#: 085 Function Name: NtGetContextThread
Status: Not hooked
#: 086 Function Name: NtGetDevicePowerState
Status: Not hooked
#: 087 Function Name: NtGetPlugPlayEvent
Status: Not hooked
#: 088 Function Name: NtGetWriteWatch
Status: Not hooked
#: 089 Function Name: NtImpersonateAnonymousToken
Status: Not hooked
#: 090 Function Name: NtImpersonateClientOfPort
Status: Not hooked
#: 091 Function Name: NtImpersonateThread
Status: Not hooked
#: 092 Function Name: NtInitializeRegistry
Status: Not hooked
#: 093 Function Name: NtInitiatePowerAction
Status: Not hooked
#: 094 Function Name: NtIsProcessInJob
Status: Not hooked
#: 095 Function Name: NtIsSystemResumeAutomatic
Status: Not hooked
#: 096 Function Name: NtListenPort
Status: Not hooked
#: 097 Function Name: NtLoadDriver
Status: Not hooked
#: 098 Function Name: NtLoadKey
Status: Not hooked
#: 099 Function Name: NtLoadKey2
Status: Not hooked
#: 100 Function Name: NtLockFile
Status: Not hooked
#: 101 Function Name: NtLockProductActivationKeys
Status: Not hooked
#: 102 Function Name: NtLockRegistryKey
Status: Not hooked
#: 103 Function Name: NtLockVirtualMemory
Status: Not hooked
#: 104 Function Name: NtMakePermanentObject
Status: Not hooked
#: 105 Function Name: NtMakeTemporaryObject
Status: Not hooked
#: 106 Function Name: NtMapUserPhysicalPages
Status: Not hooked
#: 107 Function Name: NtMapUserPhysicalPagesScatter
Status: Not hooked
#: 108 Function Name: NtMapViewOfSection
Status: Not hooked
#: 109 Function Name: NtModifyBootEntry
Status: Not hooked
#: 110 Function Name: NtNotifyChangeDirectoryFile
Status: Not hooked
#: 111 Function Name: NtNotifyChangeKey
Status: Not hooked
#: 112 Function Name: NtNotifyChangeMultipleKeys
Status: Not hooked
#: 113 Function Name: NtOpenDirectoryObject
Status: Not hooked
#: 114 Function Name: NtOpenEvent
Status: Not hooked
#: 115 Function Name: NtOpenEventPair
Status: Not hooked
#: 116 Function Name: NtOpenFile
Status: Not hooked
#: 117 Function Name: NtOpenIoCompletion
Status: Not hooked
#: 118 Function Name: NtOpenJobObject
Status: Not hooked
#: 119 Function Name: NtOpenKey
Status: Not hooked
#: 120 Function Name: NtOpenMutant
Status: Not hooked
#: 121 Function Name: NtOpenObjectAuditAlarm
Status: Not hooked
#: 122 Function Name: NtOpenProcess
Status: Not hooked
#: 123 Function Name: NtOpenProcessToken
Status: Not hooked
#: 124 Function Name: NtOpenProcessTokenEx
Status: Not hooked
#: 125 Function Name: NtOpenSection
Status: Not hooked
#: 126 Function Name: NtOpenSemaphore
Status: Not hooked
#: 127 Function Name: NtOpenSymbolicLinkObject
Status: Not hooked
#: 128 Function Name: NtOpenThread
Status: Not hooked
#: 129 Function Name: NtOpenThreadToken
Status: Not hooked
#: 130 Function Name: NtOpenThreadTokenEx
Status: Not hooked
#: 131 Function Name: NtOpenTimer
Status: Not hooked
#: 132 Function Name: NtPlugPlayControl
Status: Not hooked
#: 133 Function Name: NtPowerInformation
Status: Not hooked
#: 134 Function Name: NtPrivilegeCheck
Status: Not hooked
#: 135 Function Name: NtPrivilegeObjectAuditAlarm
Status: Not hooked
#: 136 Function Name: NtPrivilegedServiceAuditAlarm
Status: Not hooked
#: 137 Function Name: NtProtectVirtualMemory
Status: Not hooked
#: 138 Function Name: NtPulseEvent
Status: Not hooked
#: 139 Function Name: NtQueryAttributesFile
Status: Not hooked
#: 140 Function Name: NtQueryBootEntryOrder
Status: Not hooked
#: 141 Function Name: NtQueryBootOptions
Status: Not hooked
#: 142 Function Name: NtQueryDebugFilterState
Status: Not hooked
#: 143 Function Name: NtQueryDefaultLocale
Status: Not hooked
#: 144 Function Name: NtQueryDefaultUILanguage
Status: Not hooked
#: 145 Function Name: NtQueryDirectoryFile
Status: Not hooked
#: 146 Function Name: NtQueryDirectoryObject
Status: Not hooked
#: 147 Function Name: NtQueryEaFile
Status: Not hooked
#: 148 Function Name: NtQueryEvent
Status: Not hooked
#: 149 Function Name: NtQueryFullAttributesFile
Status: Not hooked
#: 150 Function Name: NtQueryInformationAtom
Status: Not hooked
#: 151 Function Name: NtQueryInformationFile
Status: Not hooked
#: 152 Function Name: NtQueryInformationJobObject
Status: Not hooked
#: 153 Function Name: NtQueryInformationPort
Status: Not hooked
#: 154 Function Name: NtQueryInformationProcess
Status: Not hooked
#: 155 Function Name: NtQueryInformationThread
Status: Not hooked
#: 156 Function Name: NtQueryInformationToken
Status: Not hooked
#: 157 Function Name: NtQueryInstallUILanguage
Status: Not hooked
#: 158 Function Name: NtQueryIntervalProfile
Status: Not hooked
#: 159 Function Name: NtQueryIoCompletion
Status: Not hooked
#: 160 Function Name: NtQueryKey
Status: Not hooked
#: 161 Function Name: NtQueryMultipleValueKey
Status: Not hooked
#: 162 Function Name: NtQueryMutant
Status: Not hooked
#: 163 Function Name: NtQueryObject
Status: Not hooked
#: 164 Function Name: NtQueryOpenSubKeys
Status: Not hooked
#: 165 Function Name: NtQueryPerformanceCounter
Status: Not hooked
#: 166 Function Name: NtQueryQuotaInformationFile
Status: Not hooked
#: 167 Function Name: NtQuerySection
Status: Not hooked
#: 168 Function Name: NtQuerySecurityObject
Status: Not hooked
#: 169 Function Name: NtQuerySemaphore
Status: Not hooked
#: 170 Function Name: NtQuerySymbolicLinkObject
Status: Not hooked
#: 171 Function Name: NtQuerySystemEnvironmentValue
Status: Not hooked
#: 172 Function Name: NtQuerySystemEnvironmentValueEx
Status: Not hooked
#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\System32\Drivers\Beep.SYS" at address 0xf76011a2
#: 174 Function Name: NtQuerySystemTime
Status: Not hooked
#: 175 Function Name: NtQueryTimer
Status: Not hooked
#: 176 Function Name: NtQueryTimerResolution
Status: Not hooked
#: 177 Function Name: NtQueryValueKey
Status: Not hooked
#: 178 Function Name: NtQueryVirtualMemory
Status: Not hooked
#: 179 Function Name: NtQueryVolumeInformationFile
Status: Not hooked
#: 180 Function Name: NtQueueApcThread
Status: Not hooked
#: 181 Function Name: NtRaiseException
Status: Not hooked
#: 182 Function Name: NtRaiseHardError
Status: Not hooked
#: 183 Function Name: NtReadFile
Status: Not hooked
#: 184 Function Name: NtReadFileScatter
Status: Not hooked
#: 185 Function Name: NtReadRequestData
Status: Not hooked
#: 186 Function Name: NtReadVirtualMemory
Status: Not hooked
#: 187 Function Name: NtRegisterThreadTerminatePort
Status: Not hooked
#: 188 Function Name: NtReleaseMutant
Status: Not hooked
#: 189 Function Name: NtReleaseSemaphore
Status: Not hooked
#: 190 Function Name: NtRemoveIoCompletion
Status: Not hooked
#: 191 Function Name: NtRemoveProcessDebug
Status: Not hooked
#: 192 Function Name: NtRenameKey
Status: Not hooked
#: 193 Function Name: NtReplaceKey
Status: Not hooked
#: 194 Function Name: NtReplyPort
Status: Not hooked
#: 195 Function Name: NtReplyWaitReceivePort
Status: Not hooked
#: 196 Function Name: NtReplyWaitReceivePortEx
Status: Not hooked
#: 197 Function Name: NtReplyWaitReplyPort
Status: Not hooked
#: 198 Function Name: NtRequestDeviceWakeup
Status: Not hooked
#: 199 Function Name: NtRequestPort
Status: Not hooked
#: 200 Function Name: NtRequestWaitReplyPort
Status: Not hooked
#: 201 Function Name: NtRequestWakeupLatency
Status: Not hooked
#: 202 Function Name: NtResetEvent
Status: Not hooked
#: 203 Function Name: NtResetWriteWatch
Status: Not hooked
#: 204 Function Name: NtRestoreKey
Status: Not hooked
#: 205 Function Name: NtResumeProcess
Status: Not hooked
#: 206 Function Name: NtResumeThread
Status: Not hooked
#: 207 Function Name: NtSaveKey
Status: Not hooked
#: 208 Function Name: NtSaveKeyEx
Status: Not hooked
#: 209 Function Name: NtSaveMergedKeys
Status: Not hooked
#: 210 Function Name: NtSecureConnectPort
Status: Not hooked
#: 211 Function Name: NtSetBootEntryOrder
Status: Not hooked
#: 212 Function Name: NtSetBootOptions
Status: Not hooked
#: 213 Function Name: NtSetContextThread
Status: Not hooked
#: 214 Function Name: NtSetDebugFilterState
Status: Not hooked
#: 215 Function Name: NtSetDefaultHardErrorPort
Status: Not hooked
#: 216 Function Name: NtSetDefaultLocale
Status: Not hooked
#: 217 Function Name: NtSetDefaultUILanguage
Status: Not hooked
#: 218 Function Name: NtSetEaFile
Status: Not hooked
#: 219 Function Name: NtSetEvent
Status: Not hooked
#: 220 Function Name: NtSetEventBoostPriority
Status: Not hooked
#: 221 Function Name: NtSetHighEventPair
Status: Not hooked
#: 222 Function Name: NtSetHighWaitLowEventPair
Status: Not hooked
#: 223 Function Name: NtSetInformationDebugObject
Status: Not hooked
#: 224 Function Name: NtSetInformationFile
Status: Not hooked
#: 225 Function Name: NtSetInformationJobObject
Status: Not hooked
#: 226 Function Name: NtSetInformationKey
Status: Not hooked
#: 227 Function Name: NtSetInformationObject
Status: Not hooked
#: 228 Function Name: NtSetInformationProcess
Status: Not hooked
#: 229 Function Name: NtSetInformationThread
Status: Not hooked
#: 230 Function Name: NtSetInformationToken
Status: Not hooked
#: 231 Function Name: NtSetIntervalProfile
Status: Not hooked
#: 232 Function Name: NtSetIoCompletion
Status: Not hooked
#: 233 Function Name: NtSetLdtEntries
Status: Not hooked
#: 234 Function Name: NtSetLowEventPair
Status: Not hooked
#: 235 Function Name: NtSetLowWaitHighEventPair
Status: Not hooked
#: 236 Function Name: NtSetQuotaInformationFile
Status: Not hooked
#: 237 Function Name: NtSetSecurityObject
Status: Not hooked
#: 238 Function Name: NtSetSystemEnvironmentValue
Status: Not hooked
#: 239 Function Name: NtSetSystemEnvironmentValueEx
Status: Not hooked
#: 240 Function Name: NtSetSystemInformation
Status: Not hooked
#: 241 Function Name: NtSetSystemPowerState
Status: Not hooked
#: 242 Function Name: NtSetSystemTime
Status: Not hooked
#: 243 Function Name: NtSetThreadExecutionState
Status: Not hooked
#: 244 Function Name: NtSetTimer
Status: Not hooked
#: 245 Function Name: NtSetTimerResolution
Status: Not hooked
#: 246 Function Name: NtSetUuidSeed
Status: Not hooked
#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf750fbfe
#: 248 Function Name: NtSetVolumeInformationFile
Status: Not hooked
#: 249 Function Name: NtShutdownSystem
Status: Not hooked
#: 250 Function Name: NtSignalAndWaitForSingleObject
Status: Not hooked
#: 251 Function Name: NtStartProfile
Status: Not hooked
#: 252 Function Name: NtStopProfile
Status: Not hooked
#: 253 Function Name: NtSuspendProcess
Status: Not hooked
#: 254 Function Name: NtSuspendThread
Status: Not hooked
#: 255 Function Name: NtSystemDebugControl
Status: Not hooked
#: 256 Function Name: NtTerminateJobObject
Status: Not hooked
#: 257 Function Name: NtTerminateProcess
Status: Not hooked
#: 258 Function Name: NtTerminateThread
Status: Not hooked
#: 259 Function Name: NtTestAlert
Status: Not hooked
#: 260 Function Name: NtTraceEvent
Status: Not hooked
#: 261 Function Name: NtTranslateFilePath
Status: Not hooked
#: 262 Function Name: NtUnloadDriver
Status: Not hooked
#: 263 Function Name: NtUnloadKey
Status: Not hooked
#: 264 Function Name: NtUnloadKeyEx
Status: Not hooked
#: 265 Function Name: NtUnlockFile
Status: Not hooked
#: 266 Function Name: NtUnlockVirtualMemory
Status: Not hooked
#: 267 Function Name: NtUnmapViewOfSection
Status: Not hooked
#: 268 Function Name: NtVdmControl
Status: Not hooked
#: 269 Function Name: NtWaitForDebugEvent
Status: Not hooked
#: 270 Function Name: NtWaitForMultipleObjects
Status: Not hooked
#: 271 Function Name: NtWaitForSingleObject
Status: Not hooked
#: 272 Function Name: NtWaitHighEventPair
Status: Not hooked
#: 273 Function Name: NtWaitLowEventPair
Status: Not hooked
#: 274 Function Name: NtWriteFile
Status: Not hooked
#: 275 Function Name: NtWriteFileGather
Status: Not hooked
#: 276 Function Name: NtWriteRequestData
Status: Not hooked
#: 277 Function Name: NtWriteVirtualMemory
Status: Not hooked
#: 278 Function Name: NtYieldExecution
Status: Not hooked
#: 279 Function Name: NtCreateKeyedEvent
Status: Not hooked
#: 280 Function Name: NtOpenKeyedEvent
Status: Not hooked
#: 281 Function Name: NtReleaseKeyedEvent
Status: Not hooked
#: 282 Function Name: NtWaitForKeyedEvent
Status: Not hooked
#: 283 Function Name: NtQueryPortInformationProcess
Status: Not hooked
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/24 13:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================
Hidden Services
-------------------
Service Name: 32ba6ee53eb113fe6f9cfec56b71c99f
Image Pathsystem32\32ba6ee53eb113fe6f9cfec56b71c99f.sys
Hi,
Mixed reviews on that log. It may take a few scans to see exactly whats going on.
Try this other one please.
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).
Extract the contents of the zipped file to desktop.
Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
http://i266.photobucket.com/albums/ii277/sUBs_/th_Gmer_initScan.gif (http://i266.photobucket.com/albums/ii277/sUBs_/Gmer_initScan.gif)
Click the image to enlarge it
In the right panel, you will see several boxes that have been checked. Uncheck the following ...
Sections
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop, and post it in your next reply.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
usmc4295
2009-10-24, 22:44
cannot run gmer.exe as soon as it starts up it gets shutdown...
Download and run Win32kDiag:
Download Win32kDiag from any of the following locations and save it to your Desktop.
Download Win32kDiag (Win32kDiag.exe) - #1 (http://ad13.geekstogo.com/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #2 (http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe)
Download Win32kDiag (Win32kDiag.exe) - #3 (http://rootrepeal.psikotick.com/Win32kDiag.exe)
Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
usmc4295
2009-10-24, 22:54
ok here it is
Running from: C:\Documents and Settings\Owner\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Finished!
You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)
Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.
C:\windows\system32\32ba6ee53eb113fe6f9cfec56b71c99f.sys
usmc4295
2009-10-24, 23:24
keep getting an error msg that the domain for www.virustotal.com in inoperable and or timing out
Lets see if you can run Combofix, follow the instructions to rename it
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif
http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RC1.png
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/RC2-1.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
usmc4295
2009-10-24, 23:31
combofix shutdown partial way through stating
!! ALERT !! It is NOT SAFE to continue!
the contents of the combofix package has been compromised
Note: you may be infected with a file patching virus 'Virut'
Hi,
You may be infected with Virut, which is an uncleanable virus that infects all your .exe files and others.
See if you can run this online virus scanner
Please run this free online virus scanner from Kaspersky (http://www.kaspersky.com/virusscanner)
Click on the Accept button and install any components it needs.
The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run. (At times it may appear to stall)
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Once the scan is complete, click on View scan report To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.
http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif
usmc4295
2009-10-24, 23:49
ok getting the same msg about kapersky being an invalid website,I did however rename the gmer and hjt files and they are running will have their scan results for you in a minute
usmc4295
2009-10-25, 00:03
GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-24 16:01:49
Windows 5.1.2600 Service Pack 3
Running: gm-er.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fweiipod.sys
---- System - GMER 1.0.15 ----
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF750F87E]
SSDT \SystemRoot\System32\Drivers\Beep.SYS ZwQuerySystemInformation [0xF76011A2]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF750FBFE]
Code 32ba6ee53eb113fe6f9cfec56b71c99f.sys (ckmd/Noves Inc) ZwCreateKey [0xF74C2C8E]
Code 32ba6ee53eb113fe6f9cfec56b71c99f.sys (ckmd/Noves Inc) ZwEnumerateKey [0xF74C2D13]
Code 32ba6ee53eb113fe6f9cfec56b71c99f.sys (ckmd/Noves Inc) ZwOpenKey [0xF74C2C10]
Code 32ba6ee53eb113fe6f9cfec56b71c99f.sys (ckmd/Noves Inc) ZwQueryDirectoryFile [0xF74C2999]
Code 32ba6ee53eb113fe6f9cfec56b71c99f.sys (ckmd/Noves Inc) IoCreateFile
Code 32ba6ee53eb113fe6f9cfec56b71c99f.sys (ckmd/Noves Inc) NtQueryDirectoryFile
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\32ba6ee53eb113fe6f9cfec56b71c99f.sys (*** hidden *** ) [BOOT] 32ba6ee53eb113fe6f9cfec56b71c99f <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\Services\32ba6ee53eb113fe6f9cfec56b71c99f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\32ba6ee53eb113fe6f9cfec56b71c99f@c ®istry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\32ba6ee53eb113fe6f9cfec56b71c99f&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=32ba6ee53eb113fe6f9cfec56b71c99f&path=system32\32ba6ee53eb113fe6f9cfec56b71c99f.sys&wmid=Dkx003&idate=2009-02-24 09:01:06:081&last_download_time=2009-10-24 11:42:14.984&first_skip=1&last_update_ip_pos=0
Reg HKLM\SYSTEM\ControlSet001\Services\32ba6ee53eb113fe6f9cfec56b71c99f@Type 1
Reg HKLM\SYSTEM\ControlSet001\Services\32ba6ee53eb113fe6f9cfec56b71c99f@Start 0
Reg HKLM\SYSTEM\ControlSet001\Services\32ba6ee53eb113fe6f9cfec56b71c99f@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\32ba6ee53eb113fe6f9cfec56b71c99f@Tag 6
Reg HKLM\SYSTEM\ControlSet001\Services\32ba6ee53eb113fe6f9cfec56b71c99f@ImagePath system32\32ba6ee53eb113fe6f9cfec56b71c99f.sys
Reg HKLM\SYSTEM\ControlSet001\Services\32ba6ee53eb113fe6f9cfec56b71c99f@DisplayName 32ba6ee53eb113fe6f9cfec56b71c99f
Reg HKLM\SYSTEM\ControlSet001\Services\32ba6ee53eb113fe6f9cfec56b71c99f@Group System Bus Extender
Reg HKLM\SYSTEM\ControlSet001\Services\32ba6ee53eb113fe6f9cfec56b71c99f\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\32ba6ee53eb113fe6f9cfec56b71c99f\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\32ba6ee53eb113fe6f9cfec56b71c99f
Reg HKLM\SYSTEM\CurrentControlSet\Services\32ba6ee53eb113fe6f9cfec56b71c99f@c ®istry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\32ba6ee53eb113fe6f9cfec56b71c99f&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=32ba6ee53eb113fe6f9cfec56b71c99f&path=system32\32ba6ee53eb113fe6f9cfec56b71c99f.sys&wmid=Dkx003&idate=2009-02-24 09:01:06:081&last_download_time=2009-2-24 9:4:6.626&first_skip=1
Reg HKLM\SYSTEM\CurrentControlSet\Services\32ba6ee53eb113fe6f9cfec56b71c99f@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\32ba6ee53eb113fe6f9cfec56b71c99f@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\32ba6ee53eb113fe6f9cfec56b71c99f@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\32ba6ee53eb113fe6f9cfec56b71c99f@Tag 6
Reg HKLM\SYSTEM\CurrentControlSet\Services\32ba6ee53eb113fe6f9cfec56b71c99f@ImagePath system32\32ba6ee53eb113fe6f9cfec56b71c99f.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\32ba6ee53eb113fe6f9cfec56b71c99f@DisplayName 32ba6ee53eb113fe6f9cfec56b71c99f
Reg HKLM\SYSTEM\CurrentControlSet\Services\32ba6ee53eb113fe6f9cfec56b71c99f@Group System Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\32ba6ee53eb113fe6f9cfec56b71c99f\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\32ba6ee53eb113fe6f9cfec56b71c99f\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet003\Services\32ba6ee53eb113fe6f9cfec56b71c99f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\32ba6ee53eb113fe6f9cfec56b71c99f@c ®istry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\32ba6ee53eb113fe6f9cfec56b71c99f&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=32ba6ee53eb113fe6f9cfec56b71c99f&path=system32\32ba6ee53eb113fe6f9cfec56b71c99f.sys&wmid=Dkx003&idate=2009-02-24 09:01:06:081&last_download_time=2009-2-24 9:4:6.626&first_skip=1
Reg HKLM\SYSTEM\ControlSet003\Services\32ba6ee53eb113fe6f9cfec56b71c99f@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\32ba6ee53eb113fe6f9cfec56b71c99f@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\32ba6ee53eb113fe6f9cfec56b71c99f@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\32ba6ee53eb113fe6f9cfec56b71c99f@Tag 6
Reg HKLM\SYSTEM\ControlSet003\Services\32ba6ee53eb113fe6f9cfec56b71c99f@ImagePath system32\32ba6ee53eb113fe6f9cfec56b71c99f.sys
Reg HKLM\SYSTEM\ControlSet003\Services\32ba6ee53eb113fe6f9cfec56b71c99f@DisplayName 32ba6ee53eb113fe6f9cfec56b71c99f
Reg HKLM\SYSTEM\ControlSet003\Services\32ba6ee53eb113fe6f9cfec56b71c99f@Group System Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\32ba6ee53eb113fe6f9cfec56b71c99f\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\32ba6ee53eb113fe6f9cfec56b71c99f\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet004\Services\32ba6ee53eb113fe6f9cfec56b71c99f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\32ba6ee53eb113fe6f9cfec56b71c99f@c ®istry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\32ba6ee53eb113fe6f9cfec56b71c99f&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=32ba6ee53eb113fe6f9cfec56b71c99f&path=system32\32ba6ee53eb113fe6f9cfec56b71c99f.sys&wmid=Dkx003&idate=2009-02-24 09:01:06:081&last_download_time=2009-2-24 9:4:6.626&first_skip=1
Reg HKLM\SYSTEM\ControlSet004\Services\32ba6ee53eb113fe6f9cfec56b71c99f@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\32ba6ee53eb113fe6f9cfec56b71c99f@Start 0
Reg HKLM\SYSTEM\ControlSet004\Services\32ba6ee53eb113fe6f9cfec56b71c99f@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\32ba6ee53eb113fe6f9cfec56b71c99f@Tag 6
Reg HKLM\SYSTEM\ControlSet004\Services\32ba6ee53eb113fe6f9cfec56b71c99f@ImagePath system32\32ba6ee53eb113fe6f9cfec56b71c99f.sys
Reg HKLM\SYSTEM\ControlSet004\Services\32ba6ee53eb113fe6f9cfec56b71c99f@DisplayName 32ba6ee53eb113fe6f9cfec56b71c99f
Reg HKLM\SYSTEM\ControlSet004\Services\32ba6ee53eb113fe6f9cfec56b71c99f@Group System Bus Extender
Reg HKLM\SYSTEM\ControlSet004\Services\32ba6ee53eb113fe6f9cfec56b71c99f\Security (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\32ba6ee53eb113fe6f9cfec56b71c99f\Security@Security 0x01 0x00 0x14 0x80 ...
---- Files - GMER 1.0.15 ----
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8GDVJZSU\base_grass[1].css 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8GDVJZSU\jump1[1].htm 0 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8GDVJZSU\index[1].htm 0 bytes
---- EOF - GMER 1.0.15 ----
Hi,
Afraid I have bad news for you. I have had other experts look over this thread to confirm my findings and you are infected with Virut This is a file infecter that infects every .exe and .scr file on your system, there is no way to repair a system infected with this nasty virus. All your programs and critical windows files are infected along with there backups , there is no other solution but to format your hard drive and do a clean install of windows. I mean you need to take the hard drive down to bare metal, even deleting the partition the Operating system resides on and create a new one during the installation. If you back up any of your programs and most files, they are infected and then you will be infected again . When this virus first surfaced, it infected all exe and scr ( screensaver files ) but from what we have been reading is that now it infects even other files, which ones I really am not sure.
Besides being uncleanable, it leaves your system compromised, which means that it can never be trusted to do any online banking or purchases from sites that require a credit card. You should access a known clean computer and change all your passwords for sites that you frequent.
You can read about it here.
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html
If you need help formating and with the reinstall of windows please let me know and I can link you to a windows support site that can help you.
usmc4295
2009-10-25, 02:28
awww geez was afraid of that my other comp was beyond repair with the same issues except not explorer.exe fails at initial boot and automatically shuts down yay time to go give microsoft more of my hard earned money buying two more copies of windows, thank you for all of your help I greatly appreciate it:thanks::thanks:
Your welcome.
Take care,
Ken