Trying to get rid of trojan, always 1 step ahead of me [Moved]


17 replies to this topic

#1 dustinshadoe

  • Members
  • 10 posts

Posted 15 July 2009 - 10:00 PM

Hey all, after spending the better part of today trying to fix my computer, I'm now posting here in hopes someone more knowledgeable can help me out. I have what I think is a trojan or a rootkit infecting my computer, and it seems like with everything I try, it's always one step ahead of me.

I'm running XP Home with SP2. Unfortunately I haven't had the disk for a long time, and I'm hoping I can get by without having to buy a new one.

Here's a small recap of SOME of the things I've tried, in no particular order...

HijackThis - works, I can post a log if needed.
MalwareBytes - works, gotten rid of some things; detects uacinit.dll but can't get rid of it, it comes back.
ComboFix - opens after renaming, but tells me AVG is running though I'm pretty sure it isn't. Crashes the computer if I try to run it anyway.
I've also cleaned up all temp files/cookies/etc.

I've tried numerous other programs, many won't open due to various errors.

Symptoms:
- Originally, Windows ended up freezing. After rebooting, I'd get about 10 seconds on the desktop before it froze again - the mouse however still worked. After more reboots, I started getting a black screen after things loaded, mouse still worked, nothing else did. I managed to get into Safe Mode with networking, cleaned things up a bit, then managed to get back into regular mode for a while. Not sure what changed, but now when I try to boot in regular mode, Windows stops at the Welcome screen; mouse works again, nothing else. I'm now stuck in Safe Mode.
- Can't seem to open Device Manager or any other .msc file, though they are still present I believe.
- Some anti-virus programs need renaming in order to open.
- Various websites - seemingly just security websites - redirect to spam websites. Strangely, only Google search result links seem affected. I can get around this by clicking Google's cached links, or entering URLs into the address bar manually.

That's all I can think to say.. I can provide any other info requested. I'm aware that my computer is now compromised but I really want to avoid having to reformat and reinstall everything. Unfortunately, I will be away for a couple weeks as of tomorrow evening, but I can still reply during that period, though from a different computer of course.

Thanks!

Edited by dustinshadoe, 15 July 2009 - 10:03 PM.




#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,011 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 15 July 2009 - 10:43 PM

As no logs have been posted, I am shifting this topic from the specialized HijackThis forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 15 July 2009 - 10:50 PM

Hello and welcome. We are really busy here...

Please post your MBam (Malwarebytes) log
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Next, run RootRepeal.
Please install RootRepeal.
Note: Vista users, right click on the desktop icon and select "Run as Administrator."

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#4 dustinshadoe
  • Topic Starter

  • Members
  • 10 posts

Posted 16 July 2009 - 12:24 AM

Hi boopme, thanks for the quick reply,

I just finished running the MalwareBytes scan, log is below:


Malwarebytes' Anti-Malware 1.39
Database version: 2435
Windows 5.1.2600 Service Pack 2

7/16/2009 12:56:47 AM
mbam-log-2009-07-16 (00-56-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 316719
Time elapsed: 43 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\administrator\Desktop\avenger.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.


I clicked "Remove Items", haven't done a reboot yet though; as mentioned in original post, the scanner picked up on uacinit.dll before but can't seem to get rid of it for good.

I downloaded and extracted RootRepeal to my desktop and tried running it. This is where it gets fun...
Before opening, it displayed - 5 times - an error message saying "Could not read the boot sector. Try adjusting the Disk Access Level in the options dialog." After clicking through the 5 errors, it loads up with one final warning saying "Could not find module file on disk!".
I continued as told, went to Report tab, clicked Scan, checked all options, selected the C: drive and hit ok. When I do this and leave the Disk Access Level settings at default, it almost seems like it's going through the scan, but continues to give me the same errors as it did on startup. Last errors it gives me say "Attempt to read from address: 0x000000" and then "Could not read system registry! Please contact the author!" and then it just closes altogether. Now, I tried this again, this time changing the Disk Access Level setting to Low, but rather than give me any errors, it just freezes everything up altogether, except the mouse. I had to hit the computer's reset button.

So, unfortunately all I have is this crash report:

ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x00422290
Attempt to read from address: 0x00000000



Thanks again for your reply, I'm interested in what I could attempt next. I appreciate the help, though if busy, please don't hesitate to assist others first.

Dustin

#5 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 16 July 2009 - 08:53 AM

Hi, OK, rerun MBAM in normal mode. Click Remove Selected... Then reboot to normal mode. TRY RootRepeal again..

Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

#6 dustinshadoe
  • Topic Starter

  • Members
  • 10 posts

Posted 16 July 2009 - 11:51 AM

Hi again,

I was skeptical about being able to reboot into normal mode, but I gave it a shot - however, using msconfig, I deselected the option to load start files. I rebooted, came to the Welcome screen, and surprisingly it then loaded the desktop. I was disconnected from the internet at the time.

I ran MalwareBytes again, logfile is below:

Malwarebytes' Anti-Malware 1.39
Database version: 2435
Windows 5.1.2600 Service Pack 2

7/16/2009 12:25:04 PM
mbam-log-2009-07-16 (12-25-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 316921
Time elapsed: 41 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.


I was prompted to reboot at this point. Before I did however, I gave RootRepeal another shot from the Desktop. Unfortunately I got the same errors as before about not being able to read the boot sector. I closed RootRepeal and rebooted at this point.
After the Windows loading screen finished, I was taken to the Welcome screen, where once again it stayed, nothing being functional besides the mouse. I restarted the machine a couple more times, these times being taken to a black screen with only the cursor visible. I hit F5 (instead of F8 on my computer) upon the next reboot and selected "Last known good configuration". After the loading screen it took me back to the Welcome screen again, where it stopped again.

I've now booted back into Safe Mode with networking. I haven't tried running ATF or SuperAntiSpyware yet as you instructed me to do so in regular mode, which I can't seem to get back into for the time being. Should I try them anyway, or is there something else you can suggest?

Thanks,

Dustin
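
As an added example (not part of this thread, and not code from Malwarebytes or any tool mentioned here): the two MBAM logs in posts #4 and #6 report the same two items as "Delete on reboot" both before and after the reboot, which is the tell that the deferred removal is not holding. The script below parses the MBAM 1.39 log format shown in those posts and diffs two scans to list exactly the items that recur with a deferred delete. The embedded logs are constructed, abbreviated copies of the two posted above; the parser assumes only what those logs show (a "<Section> Infected:" header opens each detail section, and each detection is one line of the form `item (Threat) -> action.`).

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class Detection(NamedTuple):
    section: str  # log section, e.g. "Registry Keys" or "Files"
    item: str     # registry key or file path exactly as printed
    threat: str   # MBAM detection name, e.g. "Trojan.Agent"
    action: str   # what MBAM did, e.g. "Delete on reboot"


# Constructed sample input: abbreviated copies of the two MBAM 1.39 logs posted
# in this thread (detection lines as posted, other lines trimmed).
LOG_SCAN_1 = r"""Malwarebytes' Anti-Malware 1.39
Database version: 2435
Windows 5.1.2600 Service Pack 2

Registry Keys Infected: 2
Files Infected: 2

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\administrator\Desktop\avenger.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

LOG_SCAN_2 = r"""Malwarebytes' Anti-Malware 1.39
Database version: 2435
Windows 5.1.2600 Service Pack 2

Registry Keys Infected: 4
Files Infected: 1

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

# "<Section> Infected:" with nothing after the colon opens a detail section;
# the summary lines near the top ("Registry Keys Infected: 2") do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
# One detection line: "<item> (<threat>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text: str) -> List[Detection]:
    """Return every detection line in an MBAM log, tagged with its section."""
    detections: List[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        # Skip the report header and "(No malicious items detected)" lines.
        if section is None or line.startswith("("):
            continue
        hit = DETECTION_RE.match(line)
        if hit:
            detections.append(Detection(section, hit["item"], hit["threat"], hit["action"]))
    return detections


def persistent_detections(earlier: List[Detection], later: List[Detection]) -> Dict[str, Tuple[Detection, Detection]]:
    """Items reported by both scans. Keys are casefolded because NTFS paths and
    registry key names are case-insensitive and MBAM prints them inconsistently."""
    seen = {d.item.casefold(): d for d in earlier}
    return {d.item.casefold(): (seen[d.item.casefold()], d)
            for d in later if d.item.casefold() in seen}


def unresolved_after_reboot(earlier: List[Detection], later: List[Detection]) -> List[str]:
    """Persistent items whose removal was deferred to reboot by both scans. A
    deferred delete that never takes effect is the reinfection pattern in this
    thread: something restores the item before or during boot."""
    return sorted(key for key, (a, b) in persistent_detections(earlier, later).items()
                  if a.action.startswith("Delete on reboot") and b.action.startswith("Delete on reboot"))


if __name__ == "__main__":
    first, second = parse_mbam_log(LOG_SCAN_1), parse_mbam_log(LOG_SCAN_2)
    print(f"scan 1: {len(first)} detections, scan 2: {len(second)} detections")
    for key, (a, b) in persistent_detections(first, second).items():
        print(f"persistent: {b.item} [{b.threat}] {a.action} -> {b.action}")
    print("still pending after reboot:", unresolved_after_reboot(first, second))
```

Run against the two posted logs, the script reports the CLSID key and uacinit.dll as persistent with "Delete on reboot" in both scans; the items marked "Quarantined and deleted successfully" in the first scan do not reappear in the second, so the comparison isolates the components a reboot-time removal cannot reach.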

#7 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA

Posted 16 July 2009 - 12:05 PM

Hi, yes, try SAS, ATF and RootRepeal in any mode; they should still find things.. As we remove more we should get better performance.. Just tell me which mode each tool was run in so I can tell what to do next, thanks.. You're doing well..

#8 dustinshadoe
  • Topic Starter

  • Members
  • 10 posts

Posted 16 July 2009 - 03:52 PM

Hey,

I managed to reboot back into normal mode again, and I ran the SuperAntiSpyware setup after having to rename the file. The trojan/malware/etc actually made the setup window so small that I couldn't actually see anything on any of the screens, and I couldn't resize them. I managed to get it installed by just pressing Enter until it completed, though I'm not sure what options were selected in doing so. I noticed actually the same thing happened when I tried to install a demo of Kaspersky, though I never tried pressing Enter.

Anyway, I ran ATF, cleaned out all files and Firefox files except for passwords. I did this in Safe Mode.

RootRepeal continues not to function in either Safe Mode or regular mode.

I then ran SAS in Safe Mode as well. Unfortunately I never let the scan complete as I have to leave soon, so I understand if I should come back later and run it again fully. It did find quite a few things. After hitting the button to Quarantine/Remove, it began the process, however it must have removed an important system file as I was prompted that the system would restart in 60 seconds due to a file (unfortunately not sure which file) had closed unexpectedly. The quarantine/remove process managed to get about half way before the system reset, so I'm not sure what was left.

Here is the log I have:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/16/2009 at 04:35 PM

Application Version : 4.26.1006

Core Rules Database Version : 3999
Trace Rules Database Version: 1939

Scan type : Complete Scan
Total Scan Time : 00:51:33

Memory items scanned : 264
Memory threats detected : 2
Registry items scanned : 6604
Registry threats detected : 346
File items scanned : 91217
File threats detected : 6

Rootkit.Agent/Gen-UACFake
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACCSDVMJXLKMNARAGDA.DLL
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACCSDVMJXLKMNARAGDA.DLL
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACJXFVIBJGCEYTAOSRM.DLL
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACJXFVIBJGCEYTAOSRM.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}
HKCR\CLSID\{EC43E3FD-5C60-46A6-97D7-E0B85DBDD6C4}\InprocServer32

Adware.Tracking Cookie
C:\Documents and Settings\Main\Cookies\main@ad.yieldmanager[1].txt
C:\Documents and Settings\Main\Cookies\main@ads.teleint[2].txt
C:\Documents and Settings\Main\Cookies\main@ad.yieldmanager[2].txt

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Optimization
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\%22come%20together%22%20acoustic%20cover
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\%22come%20together%22%20acoustic%20cover#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\%22come%20together%22%20acoustic%20cover#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\%22come%20together%22%20acoustic%20cover#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\%22come+together%22
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\%22come+together%22#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\%22come+together%22#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\%22come+together%22#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\%22come+together%22+acoustic+cover
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\%22come+together%22+acoustic+cover#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\%22come+together%22+acoustic+cover#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\%22come+together%22+acoustic+cover#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\%22come+together%22+cover
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\%22come+together%22+cover#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\%22come+together%22+cover#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\%22come+together%22+cover#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\3415+Dixie+Rd+mississauga
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\3415+Dixie+Rd+mississauga#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\3415+Dixie+Rd+mississauga#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\3415+Dixie+Rd+mississauga#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\camaguey+airport
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\camaguey+airport#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\camaguey+airport#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\camaguey+airport#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\camaguey+cuba+airport
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\camaguey+cuba+airport#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\camaguey+cuba+airport#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\camaguey+cuba+airport#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\come%20together%20michael%20hedges
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\come%20together%20michael%20hedges#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\come%20together%20michael%20hedges#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\come%20together%20michael%20hedges#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\come+together+michael+hedges
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\come+together+michael+hedges#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\come+together+michael+hedges#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\come+together+michael+hedges#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\cuba+flights
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\cuba+flights#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\cuba+flights#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\cuba+flights#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\e36%20rims%20Toronto
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\e36%20rims%20Toronto#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\e36%20rims%20Toronto#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\e36%20rims%20Toronto#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\Holguin
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\Holguin#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\Holguin#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\Holguin#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\holguin+airport
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\holguin+airport#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\holguin+airport#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\holguin+airport#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\holguin+flights
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\holguin+flights#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\holguin+flights#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\holguin+flights#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\http://freeforum.avg.com/read.php%3F4,158849,173350
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\http://freeforum.avg.com/read.php%3F4,158849,173350#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\http://freeforum.avg.com/read.php%3F4,158849,173350#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\http://freeforum.avg.com/read.php%3F4,158849,173350#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\http://www.kayak.com/in%3Fa%3Dgg%26p%3Dcamaguey_air%252Fcity_%252B_air_1%252Fair%26url%3D%252Fh%252Flanding%252F4%253Fkw%253DCamaguey%252BAir%2526product%253Dair
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\http://www.kayak.com/in%3Fa%3Dgg%26p%3Dcamaguey_air%252Fcity_%252B_air_1%252Fair%26url%3D%252Fh%252Flanding%252F4%253Fkw%253DCamaguey%252BAir%2526product%253Dair#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\http://www.kayak.com/in%3Fa%3Dgg%26p%3Dcamaguey_air%252Fcity_%252B_air_1%252Fair%26url%3D%252Fh%252Flanding%252F4%253Fkw%253DCamaguey%252BAir%2526product%253Dair#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\http://www.kayak.com/in%3Fa%3Dgg%26p%3Dcamaguey_air%252Fcity_%252B_air_1%252Fair%26url%3D%252Fh%252Flanding%252F4%253Fkw%253DCamaguey%252BAir%2526product%253Dair#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\http://www.redtag.ca/flights/cuba.php
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\http://www.redtag.ca/flights/cuba.php#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\http://www.redtag.ca/flights/cuba.php#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\http://www.redtag.ca/flights/cuba.php#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\http://www.sunwing.ca/flights/default.asp
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\http://www.sunwing.ca/flights/default.asp#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\http://www.sunwing.ca/flights/default.asp#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\http://www.sunwing.ca/flights/default.asp#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\jitterboogie%20acoustic
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\jitterboogie%20acoustic#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\jitterboogie%20acoustic#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\jitterboogie%20acoustic#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\jitterboogie+acoustic
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\jitterboogie+acoustic#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\jitterboogie+acoustic#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\jitterboogie+acoustic#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\kelloggs%20frosted%20flakes
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\kelloggs%20frosted%20flakes#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\kelloggs%20frosted%20flakes#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\kelloggs%20frosted%20flakes#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\kelloggs+frosted+flakes
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\kelloggs+frosted+flakes#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\kelloggs+frosted+flakes#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\kelloggs+frosted+flakes#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\montego+bay
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\montego+bay#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\montego+bay#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\montego+bay#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ontario%20license%20plate%20stickers
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ontario%20license%20plate%20stickers#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ontario%20license%20plate%20stickers#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ontario%20license%20plate%20stickers#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ontario+license+plate+sticker+2009
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ontario+license+plate+sticker+2009#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ontario+license+plate+sticker+2009#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ontario+license+plate+sticker+2009#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ontario+license+plate+stickers
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ontario+license+plate+stickers#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ontario+license+plate+stickers#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ontario+license+plate+stickers#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ontario+mto+office+dixie+bloor
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ontario+mto+office+dixie+bloor#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ontario+mto+office+dixie+bloor#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ontario+mto+office+dixie+bloor#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\pearson+airport+flight+schedule
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\pearson+airport+flight+schedule#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\pearson+airport+flight+schedule#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\pearson+airport+flight+schedule#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\reboot+in+safe+mode
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\reboot+in+safe+mode#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\reboot+in+safe+mode#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\reboot+in+safe+mode#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\Santo+Domingo
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\Santo+Domingo#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\Santo+Domingo#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\Santo+Domingo#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\SHeur2
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\SHeur2#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\SHeur2#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\SHeur2#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\SHeur2+trojan
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\SHeur2+trojan#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\SHeur2+trojan#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\SHeur2+trojan#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\SHeur2.VXV
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\SHeur2.VXV#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\SHeur2.VXV#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\SHeur2.VXV#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\sunwing+airlines
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\sunwing+airlines#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\sunwing+airlines#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\sunwing+airlines#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:0uDhAiDUNWUnUM::www.map-of-cuba.co.uk/images/holguin.gif
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:0uDhAiDUNWUnUM::www.map-of-cuba.co.uk/images/holguin.gif#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:0uDhAiDUNWUnUM::www.map-of-cuba.co.uk/images/holguin.gif#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:0uDhAiDUNWUnUM::www.map-of-cuba.co.uk/images/holguin.gif#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:2uO2B1ODH6EhxM::www.wowcuba.com/graphics/varadero-1.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:2uO2B1ODH6EhxM::www.wowcuba.com/graphics/varadero-1.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:2uO2B1ODH6EhxM::www.wowcuba.com/graphics/varadero-1.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:2uO2B1ODH6EhxM::www.wowcuba.com/graphics/varadero-1.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:5MFxgLXRAlkjyM:http://www.plateshack.com/y2k/Ontario/on2002.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:5MFxgLXRAlkjyM:http://www.plateshack.com/y2k/Ontario/on2002.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:5MFxgLXRAlkjyM:http://www.plateshack.com/y2k/Ontario/on2002.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:5MFxgLXRAlkjyM:http://www.plateshack.com/y2k/Ontario/on2002.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:6oet4rq7sMRMGM::www.cubatoday.com/Cubaimages/holguin-beach.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:6oet4rq7sMRMGM::www.cubatoday.com/Cubaimages/holguin-beach.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:6oet4rq7sMRMGM::www.cubatoday.com/Cubaimages/holguin-beach.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:6oet4rq7sMRMGM::www.cubatoday.com/Cubaimages/holguin-beach.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:73vhXB-eSghasM::media-cdn.tripadvisor.com/media/photo-s/00/1b/f0/56/holguin.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:73vhXB-eSghasM::media-cdn.tripadvisor.com/media/photo-s/00/1b/f0/56/holguin.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:73vhXB-eSghasM::media-cdn.tripadvisor.com/media/photo-s/00/1b/f0/56/holguin.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:73vhXB-eSghasM::media-cdn.tripadvisor.com/media/photo-s/00/1b/f0/56/holguin.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:agjKCyGToa8hPM:http://jan.ucc.nau.edu/~jlp92/Images/FrostedFlakes.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:agjKCyGToa8hPM:http://jan.ucc.nau.edu/~jlp92/Images/FrostedFlakes.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:agjKCyGToa8hPM:http://jan.ucc.nau.edu/~jlp92/Images/FrostedFlakes.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:agjKCyGToa8hPM:http://jan.ucc.nau.edu/~jlp92/Images/FrostedFlakes.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:aSHmgApss1Y3mM:http://bydianedaniel.files.wordpress.com/2008/12/200812_55_ontario-license-plate.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:aSHmgApss1Y3mM:http://bydianedaniel.files.wordpress.com/2008/12/200812_55_ontario-license-plate.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:aSHmgApss1Y3mM:http://bydianedaniel.files.wordpress.com/2008/12/200812_55_ontario-license-plate.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:aSHmgApss1Y3mM:http://bydianedaniel.files.wordpress.com/2008/12/200812_55_ontario-license-plate.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:bkzgsXfLNTTNAM::www.martintravelservices.com/superclubsimages/breezes_montego_bay.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:bkzgsXfLNTTNAM::www.martintravelservices.com/superclubsimages/breezes_montego_bay.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:bkzgsXfLNTTNAM::www.martintravelservices.com/superclubsimages/breezes_montego_bay.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:bkzgsXfLNTTNAM::www.martintravelservices.com/superclubsimages/breezes_montego_bay.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:bO099iYijj34BM::learnspanishdc.com/weblog/wp-content/uploads/2008/02/varadero.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:bO099iYijj34BM::learnspanishdc.com/weblog/wp-content/uploads/2008/02/varadero.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:bO099iYijj34BM::learnspanishdc.com/weblog/wp-content/uploads/2008/02/varadero.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:bO099iYijj34BM::learnspanishdc.com/weblog/wp-content/uploads/2008/02/varadero.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:FBYZDhiWWSlNpM:http://www.wired.com/news/images/full/mac_geek_f.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:FBYZDhiWWSlNpM:http://www.wired.com/news/images/full/mac_geek_f.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:FBYZDhiWWSlNpM:http://www.wired.com/news/images/full/mac_geek_f.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:FBYZDhiWWSlNpM:http://www.wired.com/news/images/full/mac_geek_f.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:hoaaspcTSpTAsM:http://www.ontarioraid.ca/decal.JPG
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:hoaaspcTSpTAsM:http://www.ontarioraid.ca/decal.JPG#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:hoaaspcTSpTAsM:http://www.ontarioraid.ca/decal.JPG#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:hoaaspcTSpTAsM:http://www.ontarioraid.ca/decal.JPG#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:ioIAUzu389dDsM::expat21.files.wordpress.com/2008/12/varadero-cuba.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:ioIAUzu389dDsM::expat21.files.wordpress.com/2008/12/varadero-cuba.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:ioIAUzu389dDsM::expat21.files.wordpress.com/2008/12/varadero-cuba.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:ioIAUzu389dDsM::expat21.files.wordpress.com/2008/12/varadero-cuba.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:lQbMQ_MIAD-rcM::cache.virtualtourist.com/1487638-Montego_Bay-Montego_Bay.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:lQbMQ_MIAD-rcM::cache.virtualtourist.com/1487638-Montego_Bay-Montego_Bay.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:lQbMQ_MIAD-rcM::cache.virtualtourist.com/1487638-Montego_Bay-Montego_Bay.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:lQbMQ_MIAD-rcM::cache.virtualtourist.com/1487638-Montego_Bay-Montego_Bay.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:msjCnZE78xI7fM:http://www.sweepstakeslovers.com/wp-content/uploads/yapb_cache/field_makeover.1w04blkdcuzo4ook8ok8skccw.7nqy9wuqvd0kck4cowsk8o0ss.th.jpeg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:msjCnZE78xI7fM:http://www.sweepstakeslovers.com/wp-content/uploads/yapb_cache/field_makeover.1w04blkdcuzo4ook8ok8skccw.7nqy9wuqvd0kck4cowsk8o0ss.th.jpeg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:msjCnZE78xI7fM:http://www.sweepstakeslovers.com/wp-content/uploads/yapb_cache/field_makeover.1w04blkdcuzo4ook8ok8skccw.7nqy9wuqvd0kck4cowsk8o0ss.th.jpeg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:msjCnZE78xI7fM:http://www.sweepstakeslovers.com/wp-content/uploads/yapb_cache/field_makeover.1w04blkdcuzo4ook8ok8skccw.7nqy9wuqvd0kck4cowsk8o0ss.th.jpeg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:mZr_WC3PgZzLkM:http://members.cox.net/ww2jeep/WorldWarTwoLicensePlate/WW2FederalUseTaxSticker.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:mZr_WC3PgZzLkM:http://members.cox.net/ww2jeep/WorldWarTwoLicensePlate/WW2FederalUseTaxSticker.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:mZr_WC3PgZzLkM:http://members.cox.net/ww2jeep/WorldWarTwoLicensePlate/WW2FederalUseTaxSticker.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:mZr_WC3PgZzLkM:http://members.cox.net/ww2jeep/WorldWarTwoLicensePlate/WW2FederalUseTaxSticker.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:PU9gUfYxI-KJzM::www.destination360.com/caribbean/jamaica/images/s/montego-bay.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:PU9gUfYxI-KJzM::www.destination360.com/caribbean/jamaica/images/s/montego-bay.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:PU9gUfYxI-KJzM::www.destination360.com/caribbean/jamaica/images/s/montego-bay.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:PU9gUfYxI-KJzM::www.destination360.com/caribbean/jamaica/images/s/montego-bay.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:rHUFtRV_mxUmqM::www.artsjournal.com/outthere/montego%252520bay.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:rHUFtRV_mxUmqM::www.artsjournal.com/outthere/montego%252520bay.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:rHUFtRV_mxUmqM::www.artsjournal.com/outthere/montego%252520bay.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:rHUFtRV_mxUmqM::www.artsjournal.com/outthere/montego%252520bay.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:sNZSEee8g0uHMM:http://www.pl8s.com/ps-photos-6/6982.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:sNZSEee8g0uHMM:http://www.pl8s.com/ps-photos-6/6982.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:sNZSEee8g0uHMM:http://www.pl8s.com/ps-photos-6/6982.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:sNZSEee8g0uHMM:http://www.pl8s.com/ps-photos-6/6982.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:t1oiHTQRJXGFJM:http://licenseplatemania.com/fotos/canada/ontario7.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:t1oiHTQRJXGFJM:http://licenseplatemania.com/fotos/canada/ontario7.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:t1oiHTQRJXGFJM:http://licenseplatemania.com/fotos/canada/ontario7.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:t1oiHTQRJXGFJM:http://licenseplatemania.com/fotos/canada/ontario7.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:uJkqmUS9204M4M:http://farm3.static.flickr.com/2046/2290863503_9d30ebe99f.jpg%3Fv%3D0
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:uJkqmUS9204M4M:http://farm3.static.flickr.com/2046/2290863503_9d30ebe99f.jpg%3Fv%3D0#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:uJkqmUS9204M4M:http://farm3.static.flickr.com/2046/2290863503_9d30ebe99f.jpg%3Fv%3D0#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:uJkqmUS9204M4M:http://farm3.static.flickr.com/2046/2290863503_9d30ebe99f.jpg%3Fv%3D0#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:uxXiJ4IriwJRGM:http://www.pl8s.com/ps-photos-6/6986.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:uxXiJ4IriwJRGM:http://www.pl8s.com/ps-photos-6/6986.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:uxXiJ4IriwJRGM:http://www.pl8s.com/ps-photos-6/6986.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:uxXiJ4IriwJRGM:http://www.pl8s.com/ps-photos-6/6986.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:u_Ux1vV9IbNf_M:http://farm3.static.flickr.com/2080/2290390136_00e5b4284e.jpg%3Fv%3D0
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:u_Ux1vV9IbNf_M:http://farm3.static.flickr.com/2080/2290390136_00e5b4284e.jpg%3Fv%3D0#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:u_Ux1vV9IbNf_M:http://farm3.static.flickr.com/2080/2290390136_00e5b4284e.jpg%3Fv%3D0#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:u_Ux1vV9IbNf_M:http://farm3.static.flickr.com/2080/2290390136_00e5b4284e.jpg%3Fv%3D0#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:WN03dIZWlFd8qM::media-cdn.tripadvisor.com/media/photo-s/01/0d/dd/95/holguin-playa-esmeralda.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:WN03dIZWlFd8qM::media-cdn.tripadvisor.com/media/photo-s/01/0d/dd/95/holguin-playa-esmeralda.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:WN03dIZWlFd8qM::media-cdn.tripadvisor.com/media/photo-s/01/0d/dd/95/holguin-playa-esmeralda.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:WN03dIZWlFd8qM::media-cdn.tripadvisor.com/media/photo-s/01/0d/dd/95/holguin-playa-esmeralda.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:XXJak4jVFKqanM:http://blogs.abcnews.com/photos/uncategorized/2008/08/31/obama_biden_frosted_flakes_2.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:XXJak4jVFKqanM:http://blogs.abcnews.com/photos/uncategorized/2008/08/31/obama_biden_frosted_flakes_2.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:XXJak4jVFKqanM:http://blogs.abcnews.com/photos/uncategorized/2008/08/31/obama_biden_frosted_flakes_2.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:XXJak4jVFKqanM:http://blogs.abcnews.com/photos/uncategorized/2008/08/31/obama_biden_frosted_flakes_2.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:z8aiQqXayuEDrM:http://cache.daylife.com/imageserve/04HIeLj8Wk2Ar/340x.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:z8aiQqXayuEDrM:http://cache.daylife.com/imageserve/04HIeLj8Wk2Ar/340x.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:z8aiQqXayuEDrM:http://cache.daylife.com/imageserve/04HIeLj8Wk2Ar/340x.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:z8aiQqXayuEDrM:http://cache.daylife.com/imageserve/04HIeLj8Wk2Ar/340x.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:zhtt6H5pjR1RhM::wastemanagementsolution.org/images/varadero-beach.jpg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:zhtt6H5pjR1RhM::wastemanagementsolution.org/images/varadero-beach.jpg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:zhtt6H5pjR1RhM::wastemanagementsolution.org/images/varadero-beach.jpg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tbn:zhtt6H5pjR1RhM::wastemanagementsolution.org/images/varadero-beach.jpg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\Varadero
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\Varadero#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\Varadero#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\Varadero#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\windows+xp+start+in+safe+mode
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\windows+xp+start+in+safe+mode#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\windows+xp+start+in+safe+mode#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\windows+xp+start+in+safe+mode#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\me
HKLM\SOFTWARE\Microsoft\MS Optimization\me#LTM
HKLM\SOFTWARE\Microsoft\MS Optimization\me#CDY
HKLM\SOFTWARE\Microsoft\MS Optimization\me#CNT
HKLM\SOFTWARE\Microsoft\MS Optimization\me#LBL
HKLM\SOFTWARE\Microsoft\MS Optimization\me#MN
HKLM\SOFTWARE\Microsoft\MS Optimization\mm
HKLM\SOFTWARE\Microsoft\MS Optimization\mm#LTM
HKLM\SOFTWARE\Microsoft\MS Optimization\mm#CDY
HKLM\SOFTWARE\Microsoft\MS Optimization\mm#CNT
HKLM\SOFTWARE\Microsoft\MS Optimization\s4
HKLM\SOFTWARE\Microsoft\MS Optimization\s4#LTM
HKLM\SOFTWARE\Microsoft\MS Optimization\s4#CDY
HKLM\SOFTWARE\Microsoft\MS Optimization\s4#CNT
HKLM\SOFTWARE\Microsoft\MS Optimization\se
HKLM\SOFTWARE\Microsoft\MS Optimization\se#LTM
HKLM\SOFTWARE\Microsoft\MS Optimization\se#CDY
HKLM\SOFTWARE\Microsoft\MS Optimization\se#CNT
HKLM\SOFTWARE\Microsoft\MS Optimization\tr
HKLM\SOFTWARE\Microsoft\MS Optimization\zz
HKLM\SOFTWARE\Microsoft\MS Optimization\zz#LTM
HKLM\SOFTWARE\Microsoft\MS Optimization\zz#CDY
HKLM\SOFTWARE\Microsoft\MS Optimization\zz#CNT

Rogue.Component/Trace
HKU\S-1-5-21-2052111302-1060284298-682003330-1004\Software\Microsoft\FIAS4051

Rootkit.Agent/Gen
HKLM\SOFTWARE\UAC
HKLM\SOFTWARE\UAC#cmddelay
HKLM\SOFTWARE\UAC#affid
HKLM\SOFTWARE\UAC#type
HKLM\SOFTWARE\UAC#build
HKLM\SOFTWARE\UAC#subid
HKLM\SOFTWARE\UAC#ecaab67d-7d92-4ec1-ac32-3087345120a3
HKLM\SOFTWARE\UAC#val
HKLM\SOFTWARE\UAC#sval
HKLM\SOFTWARE\UAC#pval
HKLM\SOFTWARE\UAC\connections
HKLM\SOFTWARE\UAC\connections#f2065612
HKLM\SOFTWARE\UAC\connections#a2674c18
HKLM\SOFTWARE\UAC\disallowed
HKLM\SOFTWARE\UAC\disallowed#trsetup.exe
HKLM\SOFTWARE\UAC\disallowed#ViewpointService.exe
HKLM\SOFTWARE\UAC\disallowed#ViewMgr.exe
HKLM\SOFTWARE\UAC\disallowed#SpySweeper.exe
HKLM\SOFTWARE\UAC\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\UAC\disallowed#SpySub.exe
HKLM\SOFTWARE\UAC\disallowed#SpywareTerminatorShield.exe
HKLM\SOFTWARE\UAC\disallowed#SpyHunter3.exe
HKLM\SOFTWARE\UAC\disallowed#XoftSpy.exe
HKLM\SOFTWARE\UAC\disallowed#SpyEraser.exe
HKLM\SOFTWARE\UAC\disallowed#combofix.exe
HKLM\SOFTWARE\UAC\disallowed#otscanit.exe
HKLM\SOFTWARE\UAC\disallowed#mbam.exe
HKLM\SOFTWARE\UAC\disallowed#mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#flash_disinfector.exe
HKLM\SOFTWARE\UAC\disallowed#otmoveit2.exe
HKLM\SOFTWARE\UAC\disallowed#smitfraudfix.exe
HKLM\SOFTWARE\UAC\disallowed#prevxcsifree.exe
HKLM\SOFTWARE\UAC\disallowed#download_mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#cbo_setup.exe
HKLM\SOFTWARE\UAC\disallowed#spywareblastersetup.exe
HKLM\SOFTWARE\UAC\disallowed#rminstall.exe
HKLM\SOFTWARE\UAC\disallowed#sdsetup.exe
HKLM\SOFTWARE\UAC\disallowed#vundofixsvc.exe
HKLM\SOFTWARE\UAC\disallowed#daft.exe
HKLM\SOFTWARE\UAC\disallowed#gmer.exe
HKLM\SOFTWARE\UAC\disallowed#catchme.exe
HKLM\SOFTWARE\UAC\disallowed#mcpr.exe
HKLM\SOFTWARE\UAC\disallowed#sdfix.exe
HKLM\SOFTWARE\UAC\disallowed#hjtinstall.exe
HKLM\SOFTWARE\UAC\disallowed#fixpolicies.exe
HKLM\SOFTWARE\UAC\disallowed#emergencyutil.exe
HKLM\SOFTWARE\UAC\disallowed#techweb.exe
HKLM\SOFTWARE\UAC\disallowed#GoogleUpdate.exe
HKLM\SOFTWARE\UAC\disallowed#windowsdefender.exe
HKLM\SOFTWARE\UAC\disallowed#spybotsd.exe
HKLM\SOFTWARE\UAC\disallowed#winlognn.exe
HKLM\SOFTWARE\UAC\disallowed#csrssc.exe
HKLM\SOFTWARE\UAC\disallowed#klif.sys
HKLM\SOFTWARE\UAC\disallowed#pctssvc.sys
HKLM\SOFTWARE\UAC\disallowed#pctcore.sys
HKLM\SOFTWARE\UAC\disallowed#mchinjdrv.sys
HKLM\SOFTWARE\UAC\disallowed#szkg.sys
HKLM\SOFTWARE\UAC\disallowed#sasdifsv.sys
HKLM\SOFTWARE\UAC\disallowed#saskutil.sys
HKLM\SOFTWARE\UAC\disallowed#sasenum.sys
HKLM\SOFTWARE\UAC\disallowed#ccHPx86.sys
HKLM\SOFTWARE\UAC\injector
HKLM\SOFTWARE\UAC\injector#*
HKLM\SOFTWARE\UAC\mask
HKLM\SOFTWARE\UAC\mask#2469d708
HKLM\SOFTWARE\UAC\mask#dd118673
HKLM\SOFTWARE\UAC\mask#30910b28
HKLM\SOFTWARE\UAC\versions
HKLM\SOFTWARE\UAC\versions#/banner/crcmds/init


It seems like some of those files are harmless (jpegs?) but I'm not sure.

Anyway, I will be leaving soon out of province and won't be back for a couple of weeks. I can post back if needed, though I'm not sure if there's much point without access to the problem computer. I'll definitely resume this once I get back.

Thanks again, I appreciate your assistance and professionalism thus far,

Dustin
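As an added example that is not part of this thread (not the poster's log output and not SUPERAntiSpyware's own code), here is a small Python triage script for the SAS log format shown above. It assumes the layout the post displays: a category line such as Rootkit.Agent/Gen, then one detection per line, blank lines between blocks, and SAS's `key#valuename` notation for registry values. The sample input is an abridged, constructed copy of the posted log, and the function names `parse_sas_log` and `triage` are my own. Reading the value names under HKLM\SOFTWARE\UAC\disallowed as the rootkit's process blocklist is my interpretation; the thread supports it only indirectly, in that combofix.exe and mbam.exe appear there and those are exactly the tools the poster reported failing to run.

```python
r"""Triage helper for a SUPERAntiSpyware (SAS) scan log.

Added example; not code from SUPERAntiSpyware or from anyone in this thread.
It parses the layout shown in the log above: a category line such as
Rootkit.Agent/Gen, then one detection per line, blocks separated by blank
lines.  Registry detections use SAS's key#valuename notation; file detections
are plain paths, sometimes prefixed with the \?\GLOBALROOT\ device-namespace
form, which the rootkit-aware scan reports for files it could not open through
an ordinary Win32 path.
"""
import re
from collections import defaultdict

CATEGORY_RE = re.compile(r"^[A-Za-z][\w.]*/[\w.-]+$")
REGISTRY_RE = re.compile(r"^HK(?:LM|CU|CR|U|CC)\\")
# The forum rendering shows one or two leading backslashes; accept either.
GLOBALROOT_RE = re.compile(r"^\\{1,2}\?\\GLOBALROOT\\(?P<path>[A-Za-z]:\\.*)$", re.I)
FILE_RE = re.compile(r"^[A-Za-z]:\\")
# Assumption (my reading of the log): value names under this key are the
# rootkit's process blocklist.
BLOCKLIST_KEY = r"HKLM\SOFTWARE\UAC\DISALLOWED"

# Constructed sample: an abridged copy of the log posted above.
SAMPLE_LOG = r"""
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Registry threats detected : 73
File threats detected : 2

Rootkit.Agent/Gen-UACFake
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACJXFVIBJGCEYTAOSRM.DLL

Rogue.Component/Trace
HKU\S-1-5-21-2052111302-1060284298-682003330-1004\Software\Microsoft\FIAS4051

Rootkit.Agent/Gen
HKLM\SOFTWARE\UAC
HKLM\SOFTWARE\UAC#affid
HKLM\SOFTWARE\UAC\disallowed#combofix.exe
HKLM\SOFTWARE\UAC\disallowed#mbam.exe
HKLM\SOFTWARE\UAC\disallowed#gmer.exe
HKLM\SOFTWARE\UAC\disallowed#klif.sys
HKLM\SOFTWARE\UAC\injector#*

Trojan.Agent/Gen-Cryptor
C:\WINDOWS\SYSTEM32\DRIVERS\GEYEKRNXJOAKBF.SYS
"""


def parse_sas_log(text):
    """Map each SAS category to its detections (registry keys/values, files)."""
    findings = defaultdict(list)
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if CATEGORY_RE.match(line):
            category = line
            continue
        if category is None:
            continue  # still inside the scan-summary header
        if REGISTRY_RE.match(line):
            key, _, value = line.partition("#")
            findings[category].append(
                {"kind": "registry", "key": key, "value": value or None})
            continue
        m = GLOBALROOT_RE.match(line)
        if m:
            findings[category].append(
                {"kind": "file", "path": m.group("path"), "device_namespace": True})
        elif FILE_RE.match(line):
            findings[category].append(
                {"kind": "file", "path": line, "device_namespace": False})
    return dict(findings)


def triage(findings):
    """Reduce the parsed log to the indicators worth acting on first."""
    blocked, hidden, other = set(), [], []
    for items in findings.values():
        for f in items:
            if f["kind"] == "registry":
                # combofix.exe and mbam.exe sit on this list, and those are
                # the tools the poster reported failing to run.
                if f["key"].upper() == BLOCKLIST_KEY and f["value"]:
                    blocked.add(f["value"].lower())
            elif f["device_namespace"]:
                hidden.append(f["path"])  # only reachable via \?\GLOBALROOT
            else:
                other.append(f["path"])
    return {
        "rootkit_categories": sorted(c for c in findings if c.startswith("Rootkit.")),
        "blocked_tools": sorted(blocked),
        "hidden_files": hidden,
        "other_files": other,
    }


if __name__ == "__main__":
    for name, values in triage(parse_sas_log(SAMPLE_LOG)).items():
        print(f"{name}: {values}")
```

Run it directly to print the report. The `hidden_files` entry is the one to chase first: a DLL the scanner could only reach through the \?\GLOBALROOT device path is one it could not open by its normal path, which is consistent with a rootkit filtering file access, and `blocked_tools` tells you which cleanup utilities the infection is set to stop before they start.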

#9 boopme (Global Moderator, NJ USA)

Posted 16 July 2009 - 06:36 PM

OK, your topic will be here. Update SAS and run it again. It will probably take a couple of hours looking at this. RootRepeal may run after that.
You will definitely need to do this too.


Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, then select Check for Updates. When that is done,
click the Scanner tab, select Quick Scan and scan.
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.

#10 dustinshadoe (Topic Starter)

Posted 06 August 2009 - 09:44 PM

Hi again, I'm back from my trip and ready to jump back into this. Here's what I've done specifically since being back:

I logged in under my Administrator account in Safe Mode w/ Networking, updated the SuperAntiSpyware definitions and ran a complete scan on my C: drive. It was turning up a number of files, but got stuck on one .js file that was in my Adobe folder which I believe is harmless. I tried hitting the Next button, but this ended up freezing the program, and then freezing the desktop - mouse still moved though, but wouldn't do anything. I restarted the computer.

Next time around I booted into my Main account as this is the one I normally use. I updated the SAS definitions again. This time, I ran the Quick scan as I wanted it to complete. Let me know if I should try this again doing a complete scan or under my Administrator account again. Here's the SAS report:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/06/2009 at 02:49 PM

Application Version : 4.26.1006

Core Rules Database Version : 4038
Trace Rules Database Version: 1978

Scan type : Quick Scan
Total Scan Time : 00:36:45

Memory items scanned : 260
Memory threats detected : 1
Registry items scanned : 407
Registry threats detected : 73
File items scanned : 43898
File threats detected : 2

Rootkit.Agent/Gen-UACFake
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACJXFVIBJGCEYTAOSRM.DLL
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACJXFVIBJGCEYTAOSRM.DLL

Rogue.Component/Trace
HKU\S-1-5-21-2052111302-1060284298-682003330-1004\Software\Microsoft\FIAS4051

Rootkit.Agent/Gen
HKLM\SOFTWARE\UAC
HKLM\SOFTWARE\UAC#cmddelay
HKLM\SOFTWARE\UAC#affid
HKLM\SOFTWARE\UAC#type
HKLM\SOFTWARE\UAC#build
HKLM\SOFTWARE\UAC#subid
HKLM\SOFTWARE\UAC#ecaab67d-7d92-4ec1-ac32-3087345120a3
HKLM\SOFTWARE\UAC#val
HKLM\SOFTWARE\UAC#sval
HKLM\SOFTWARE\UAC#pval
HKLM\SOFTWARE\UAC\connections
HKLM\SOFTWARE\UAC\connections#f2065612
HKLM\SOFTWARE\UAC\connections#a2674c18
HKLM\SOFTWARE\UAC\connections#905b3008
HKLM\SOFTWARE\UAC\disallowed
HKLM\SOFTWARE\UAC\disallowed#trsetup.exe
HKLM\SOFTWARE\UAC\disallowed#ViewpointService.exe
HKLM\SOFTWARE\UAC\disallowed#ViewMgr.exe
HKLM\SOFTWARE\UAC\disallowed#SpySweeper.exe
HKLM\SOFTWARE\UAC\disallowed#SUPERAntiSpyware.exe
HKLM\SOFTWARE\UAC\disallowed#SpySub.exe
HKLM\SOFTWARE\UAC\disallowed#SpywareTerminatorShield.exe
HKLM\SOFTWARE\UAC\disallowed#SpyHunter3.exe
HKLM\SOFTWARE\UAC\disallowed#XoftSpy.exe
HKLM\SOFTWARE\UAC\disallowed#SpyEraser.exe
HKLM\SOFTWARE\UAC\disallowed#combofix.exe
HKLM\SOFTWARE\UAC\disallowed#otscanit.exe
HKLM\SOFTWARE\UAC\disallowed#mbam.exe
HKLM\SOFTWARE\UAC\disallowed#mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#flash_disinfector.exe
HKLM\SOFTWARE\UAC\disallowed#otmoveit2.exe
HKLM\SOFTWARE\UAC\disallowed#smitfraudfix.exe
HKLM\SOFTWARE\UAC\disallowed#prevxcsifree.exe
HKLM\SOFTWARE\UAC\disallowed#download_mbam-setup.exe
HKLM\SOFTWARE\UAC\disallowed#cbo_setup.exe
HKLM\SOFTWARE\UAC\disallowed#spywareblastersetup.exe
HKLM\SOFTWARE\UAC\disallowed#rminstall.exe
HKLM\SOFTWARE\UAC\disallowed#sdsetup.exe
HKLM\SOFTWARE\UAC\disallowed#vundofixsvc.exe
HKLM\SOFTWARE\UAC\disallowed#daft.exe
HKLM\SOFTWARE\UAC\disallowed#gmer.exe
HKLM\SOFTWARE\UAC\disallowed#catchme.exe
HKLM\SOFTWARE\UAC\disallowed#mcpr.exe
HKLM\SOFTWARE\UAC\disallowed#sdfix.exe
HKLM\SOFTWARE\UAC\disallowed#hjtinstall.exe
HKLM\SOFTWARE\UAC\disallowed#fixpolicies.exe
HKLM\SOFTWARE\UAC\disallowed#emergencyutil.exe
HKLM\SOFTWARE\UAC\disallowed#techweb.exe
HKLM\SOFTWARE\UAC\disallowed#GoogleUpdate.exe
HKLM\SOFTWARE\UAC\disallowed#windowsdefender.exe
HKLM\SOFTWARE\UAC\disallowed#spybotsd.exe
HKLM\SOFTWARE\UAC\disallowed#winlognn.exe
HKLM\SOFTWARE\UAC\disallowed#csrssc.exe
HKLM\SOFTWARE\UAC\disallowed#klif.sys
HKLM\SOFTWARE\UAC\disallowed#pctssvc.sys
HKLM\SOFTWARE\UAC\disallowed#pctcore.sys
HKLM\SOFTWARE\UAC\disallowed#mchinjdrv.sys
HKLM\SOFTWARE\UAC\disallowed#szkg.sys
HKLM\SOFTWARE\UAC\disallowed#sasdifsv.sys
HKLM\SOFTWARE\UAC\disallowed#saskutil.sys
HKLM\SOFTWARE\UAC\disallowed#sasenum.sys
HKLM\SOFTWARE\UAC\disallowed#ccHPx86.sys
HKLM\SOFTWARE\UAC\injector
HKLM\SOFTWARE\UAC\injector#*
HKLM\SOFTWARE\UAC\mask
HKLM\SOFTWARE\UAC\mask#2469d708
HKLM\SOFTWARE\UAC\mask#dd118673
HKLM\SOFTWARE\UAC\mask#30910b28
HKLM\SOFTWARE\UAC\mask#49772768
HKLM\SOFTWARE\UAC\mask#6aed4b25
HKLM\SOFTWARE\UAC\versions
HKLM\SOFTWARE\UAC\versions#/banner/crcmds/init

Trojan.Agent/Gen-Cryptor
C:\WINDOWS\SYSTEM32\DRIVERS\GEYEKRNXJOAKBF.SYS


During the quarantine/removal process, I was prompted that the computer would have to reboot in 60 seconds as it had done before, leading me to believe that once again an important system file had been quarantined. The process did manage to finish though before the 60 seconds was up and I rebooted the computer through SAS.

Back in my Main account, I encountered the same errors as before while opening RootRepeal. I managed to successfully run a scan with all checkboxes selected, but only with the Disk Access Level set to the Low setting. On Medium and High I received errors and didn't get any results. Here is the RootRepeal log:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/06 22:39
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF75A8000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2252800 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xB8265000 Size: 138368 File Visible: - Signed: -
Status: -

Name: ASACPI.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ASACPI.sys
Address: 0xF798D000 Size: 5152 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF74C0000 Size: 95360 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF79AB000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7897000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xB8776000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF7697000 Size: 49536 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF7637000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF7627000 Size: 36352 File Visible: - Signed: -
Status: -

Name: Dr71WU.sys
Image Path: C:\WINDOWS\system32\DRIVERS\Dr71WU.sys
Address: 0xB815C000 Size: 451456 File Visible: - Signed: -
Status: -

Name: dump_nvata.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvata.sys
Address: 0xB807A000 Size: 106496 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79C5000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xB82E4000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBD000000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7A5D000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xB7A3B000 Size: 143360 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys
Address: 0xF77EF000 Size: 27392 File Visible: - Signed: -
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Address: 0xF77D7000 Size: 20480 File Visible: - Signed: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xF7486000 Size: 128896 File Visible: - Signed: -
Status: -

Name: framebuf.dll
Image Path: C:\WINDOWS\System32\framebuf.dll
Address: 0xBFF50000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF79A7000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF74D8000 Size: 125056 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806FD000 Size: 134400 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB86BE000 Size: 151552 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF76C7000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF7807000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xF7917000 Size: 9600 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF7677000 Size: 52736 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF7687000 Size: 41856 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xB82AF000 Size: 134912 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xB8350000 Size: 74752 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF75F7000 Size: 35840 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF77FF000 Size: 24576 File Visible: - Signed: -
Status: -

Name: kbdhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xB87E0000 Size: 14848 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7987000 Size: 8192 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xB869B000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF745D000 Size: 92032 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF7787000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xB87E8000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF7607000 Size: 42240 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xB81CB000 Size: 453632 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF773F000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF7587000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xB87F0000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF7415000 Size: 107904 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF7430000 Size: 182912 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF7430000 Size: 182912 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF793F000 Size: 9600 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xB7D5C000 Size: 12928 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB8568000 Size: 91776 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF7557000 Size: 38016 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF7507000 Size: 34560 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xB8287000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF775F000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7B52000 Size: 574464 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2252800 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7A5C000 Size: 2944 File Visible: - Signed: -
Status: -

Name: nvata.sys
Image Path: nvata.sys
Address: 0xF74A6000 Size: 105472 File Visible: - Signed: -
Status: -

Name: nvata.sys
Image Path: nvata.sys
Address: 0xF74A6000 Size: 105472 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: NVENETFD.sys
Image Path: C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
Address: 0xF7567000 Size: 57856 File Visible: - Signed: -
Status: -

Name: nvnetbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
Address: 0xF76B7000 Size: 40960 File Visible: - Signed: -
Status: -

Name: NVNRM.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\NVNRM.SYS
Address: 0xB857F000 Size: 1163264 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF770F000 Size: 18688 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF770F000 Size: 18688 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: pci.sys
Image Path: pci.sys
Address: 0xF7597000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7A4F000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF7707000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2252800 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB8557000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF776F000 Size: 17792 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF791F000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF76D7000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF76E7000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF76F7000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF777F000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2252800 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xB823A000 Size: 174592 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF79AF000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF76A7000 Size: 57472 File Visible: - Signed: -
Status: -

Name: root1repeal.sys
Image Path: C:\WINDOWS\system32\drivers\root1repeal.sys
Address: 0xB7A86000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF7474000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xB7B9E000 Size: 333184 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF799B000 Size: 4352 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xB82F8000 Size: 360320 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF7757000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF7577000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB8433000 Size: 209408 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF79A1000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF7747000 Size: 26624 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF7537000 Size: 57600 File Visible: - Signed: -
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xF780F000 Size: 17024 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB86E3000 Size: 143360 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF77F7000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\drivers\VIDEOPRT.SYS
Address: 0xB8398000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF7617000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wacmoumonitor.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wacmoumonitor.sys
Address: 0xF7767000 Size: 32768 File Visible: - Signed: -
Status: -

Name: wacommousefilter.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
Address: 0xF77C7000 Size: 32768 File Visible: - Signed: -
Status: -

Name: wacomvhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
Address: 0xF7993000 Size: 7168 File Visible: - Signed: -
Status: -

Name: WacomVKHid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys
Address: 0xF7995000 Size: 5760 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xB8467000 Size: 20480 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7989000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2252800 File Visible: - Signed: -
Status: -


I'm going to try to continue following your directions now by logging into Windows normally and running MBAM, I'll post back when I have more results!

#11 dustinshadoe

dustinshadoe
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:39 PM

Posted 06 August 2009 - 10:12 PM

I used msconfig to set my reboot to Normal settings and restarted the computer. After the Windows loading screen disappeared, where I should have gotten the Welcome screen I was greeted with a black screen. Cursor was visible and worked as usual, though clicks/keypresses did nothing. I restarted back into Safe Mode and used msconfig to set my boot options so that everything loaded except for Startup Files. Restarting again, this time I got back into Windows in Normal mode.

I had issues at first updating MBAM; my version was old enough, I suppose, to require an automatic restart/reinstall, but when MBAM closed to go through this process, nothing happened. My guess is that once again the virus on my computer was preventing things from running under their default filenames. I downloaded the latest version of MBAM and installed it myself, then updated and ran a quick scan. Here is the log file:


Malwarebytes' Anti-Malware 1.40
Database version: 2573
Windows 5.1.2600 Service Pack 2

8/6/2009 11:05:07 PM
mbam-log-2009-08-06 (23-05-07).txt

Scan type: Quick Scan
Objects scanned: 93264
Time elapsed: 2 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.


As you can see there, at this point I'm being prompted for a reboot. I'm going to do so now, though I know MBAM detected a problem with uacinit.dll before but the issue has obviously persisted. I'm going to restart; I'll wait till I hear back from you again. Thanks much-

#12 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  • Gender:Male
  • Location:US
  • Local time:11:39 PM

Posted 06 August 2009 - 10:35 PM

Hello dustinshadoe and welcome back. Your version of RootRepeal is now outdated. Could you please re-download RootRepeal from HERE, HERE, or HERE and run the scan again? Make sure you have all the boxes checked and please post the entire log. It looks like your previous RootRepeal log was cut off after the "Drivers" section. If the log is too big to fit into one post... you may split it up between multiple posts.

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#13 dustinshadoe

dustinshadoe
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:39 PM

Posted 07 August 2009 - 12:24 AM

Hi Blade, thanks for the response,

I downloaded the RootRepeal ZIP file in the first link you posted and extracted it to my desktop. I apologize for my previous post of the scan; I realized I was only scanning for Drivers. I ended up going through each tab and performing a scan with the Disk Access Level set to High. It seems that I either get errors or my computer slowly freezes up when I attempt to scan Files, Hidden Services, or Shadow SSDT. I've tried scanning in Safe Mode and setting the Disk Access Level to lowest (as most of the errors I'm getting suggest changing that setting), but I still have problems. Here are the scan reports for the tabs that did work:


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/07 00:31
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xB7F79000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2142208 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xB3EBA000 Size: 138368 File Visible: - Signed: -
Status: -

Name: AmdK8.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AmdK8.sys
Address: 0xB81F8000 Size: 57344 File Visible: - Signed: -
Status: -

Name: ANIO.SYS
Image Path: C:\WINDOWS\system32\ANIO.SYS
Address: 0xB8448000 Size: 28128 File Visible: - Signed: -
Status: -

Name: ASACPI.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ASACPI.sys
Address: 0xB85CC000 Size: 5152 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xB7F31000 Size: 95360 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xB872F000 Size: 3072 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xB85DE000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xB84B8000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xB8308000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xB8238000 Size: 49536 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xB80E8000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xB80D8000 Size: 36352 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xB7167000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_nvata.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvata.sys
Address: 0xB3CF8000 Size: 106496 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xB85F8000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xB8594000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBD000000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xB87A4000 Size: 4096 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys
Address: 0xB83B0000 Size: 27392 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xB82C8000 Size: 34944 File Visible: - Signed: -
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Address: 0xB8400000 Size: 20480 File Visible: - Signed: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xB7EF7000 Size: 128896 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xB85DC000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xB7F49000 Size: 125056 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806E2000 Size: 134400 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB710B000 Size: 151552 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xB8268000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xB83D0000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xB8558000 Size: 9600 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xB2F98000 Size: 262784 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xB8208000 Size: 52736 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xB8228000 Size: 41856 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xB3DDA000 Size: 134912 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xB3F5C000 Size: 74752 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xB80A8000 Size: 35840 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xB83B8000 Size: 24576 File Visible: - Signed: -
Status: -

Name: kbdhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xB7DC5000 Size: 14848 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xB85A8000 Size: 8192 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xB70E8000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xB7ECE000 Size: 92032 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xB85E0000 Size: 4224 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xB83F0000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xB7DC9000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xB80B8000 Size: 42240 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xB3723000 Size: 179584 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xB3DFB000 Size: 453632 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xB8418000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xB71C7000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xB7DCD000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xB7DF9000 Size: 107904 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xB7E14000 Size: 182912 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xB85A0000 Size: 9600 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xB398B000 Size: 12928 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB67F2000 Size: 91776 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xB71A7000 Size: 38016 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xB82A8000 Size: 34560 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xB3EDC000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xB8420000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xB7E41000 Size: 574464 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2142208 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xB86A7000 Size: 2944 File Visible: - Signed: -
Status: -

Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBD012000 Size: 5898240 File Visible: - Signed: -
Status: -

Name: nv4_mini.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xB681D000 Size: 8055584 File Visible: - Signed: -
Status: -

Name: nvata.sys
Image Path: nvata.sys
Address: 0xB7F17000 Size: 105472 File Visible: - Signed: -
Status: -

Name: NVENETFD.sys
Image Path: C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
Address: 0xB7187000 Size: 57856 File Visible: - Signed: -
Status: -

Name: nvnetbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
Address: 0xB8258000 Size: 40960 File Visible: - Signed: -
Status: -

Name: NVNRM.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\NVNRM.SYS
Address: 0xB6FCC000 Size: 1163264 File Visible: - Signed: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xB7153000 Size: 80128 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xB8330000 Size: 18688 File Visible: - Signed: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xB8630000 Size: 6784 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xB7F68000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xB8670000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xB8328000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PdiPorts.sys
Image Path: C:\WINDOWS\System32\Drivers\PdiPorts.sys
Address: 0xB7DD1000 Size: 8960 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2142208 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB3FF4000 Size: 139264 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB67E1000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xB83E0000 Size: 17792 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xB8560000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xB71F7000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xB71E7000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xB71D7000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xB83E8000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2142208 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xB3E6A000 Size: 174592 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xB85E2000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xB8248000 Size: 57472 File Visible: - Signed: -
Status: -

Name: rootrepeal2.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal2.sys
Address: 0xB31C9000 Size: 49152 File Visible: No Signed: -
Status: -

Name: RtkHDAud.sys
Image Path: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Address: 0xB4016000 Size: 4636672 File Visible: - Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xB8440000 Size: 24576 File Visible: - Signed: -
Status: -

Name: SASKUTIL.sys
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0xB3E95000 Size: 151552 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xB8598000 Size: 15488 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xB8218000 Size: 64896 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xB7EE5000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xB34B6000 Size: 333184 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xB85D2000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB81E8000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xB3F04000 Size: 360320 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xB83D8000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xB71B7000 Size: 40704 File Visible: - Signed: -
Status: -

Name: tmcomm.sys
Image Path: C:\WINDOWS\system32\drivers\tmcomm.sys
Address: 0xB3349000 Size: 176128 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB67AD000 Size: 209408 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xB85D8000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xB83C8000 Size: 26624 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xB7197000 Size: 57600 File Visible: - Signed: -
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xB83C0000 Size: 17024 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB7130000 Size: 143360 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xB8410000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB6809000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xB80C8000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wacmoumonitor.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wacmoumonitor.sys
Address: 0xB8438000 Size: 32768 File Visible: - Signed: -
Status: -

Name: wacommousefilter.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
Address: 0xB83F8000 Size: 32768 File Visible: - Signed: -
Status: -

Name: wacomvhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
Address: 0xB85CE000 Size: 7168 File Visible: - Signed: -
Status: -

Name: WacomVKHid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys
Address: 0xB85D0000 Size: 5760 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xB82D8000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xB8450000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xB3696000 Size: 82944 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xB85AA000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2142208 File Visible: - Signed: -
Status: -



Processes
-------------------

Path: System
PID: 4 Status: -

Path: C:\WINDOWS\system32\Pen_Tablet.exe
PID: 128 Status: -

Path: C:\WINDOWS\system32\alg.exe
PID: 300 Status: -

Path: C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
PID: 396 Status: -

Path: C:\WINDOWS\explorer.exe
PID: 492 Status: -

Path: C:\WINDOWS\system32\smss.exe
PID: 572 Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 628 Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 652 Status: -

Path: C:\WINDOWS\system32\services.exe
PID: 696 Status: -

Path: C:\WINDOWS\system32\lsass.exe
PID: 708 Status: -

Path: C:\Documents and Settings\Main\Desktop\RootRepeal2.exe
PID: 856 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 876 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 972 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1016 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1112 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1160 Status: -

Path: C:\WINDOWS\system32\spoolsv.exe
PID: 1332 Status: -

Path: C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
PID: 1476 Status: -

Path: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 1488 Status: -

Path: C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
PID: 1504 Status: -

Path: C:\WINDOWS\system32\nvsvc32.exe
PID: 1668 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1760 Status: -

Path: C:\Program Files\Smith Micro\StuffIt 2009\ArcNameService.exe
PID: 1832 Status: -

Path: C:\WINDOWS\system32\Pen_Tablet.exe
PID: 1876 Status: -

Path: C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
PID: 2044 Status: -


SSDT
-------------------

#: 000 Function Name: NtAcceptConnectPort
Status: Not hooked

#: 001 Function Name: NtAccessCheck
Status: Not hooked

#: 002 Function Name: NtAccessCheckAndAuditAlarm
Status: Not hooked

#: 003 Function Name: NtAccessCheckByType
Status: Not hooked

#: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm
Status: Not hooked

#: 005 Function Name: NtAccessCheckByTypeResultList
Status: Not hooked

#: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm
Status: Not hooked

#: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle
Status: Not hooked

#: 008 Function Name: NtAddAtom
Status: Not hooked

#: 009 Function Name: NtAddBootEntry
Status: Not hooked

#: 010 Function Name: NtAdjustGroupsToken
Status: Not hooked

#: 011 Function Name: NtAdjustPrivilegesToken
Status: Not hooked

#: 012 Function Name: NtAlertResumeThread
Status: Not hooked

#: 013 Function Name: NtAlertThread
Status: Not hooked

#: 014 Function Name: NtAllocateLocallyUniqueId
Status: Not hooked

#: 015 Function Name: NtAllocateUserPhysicalPages
Status: Not hooked

#: 016 Function Name: NtAllocateUuids
Status: Not hooked

#: 017 Function Name: NtAllocateVirtualMemory
Status: Not hooked

#: 018 Function Name: NtAreMappedFilesTheSame
Status: Not hooked

#: 019 Function Name: NtAssignProcessToJobObject
Status: Not hooked

#: 020 Function Name: NtCallbackReturn
Status: Not hooked

#: 021 Function Name: NtCancelDeviceWakeupRequest
Status: Not hooked

#: 022 Function Name: NtCancelIoFile
Status: Not hooked

#: 023 Function Name: NtCancelTimer
Status: Not hooked

#: 024 Function Name: NtClearEvent
Status: Not hooked

#: 025 Function Name: NtClose
Status: Not hooked

#: 026 Function Name: NtCloseObjectAuditAlarm
Status: Not hooked

#: 027 Function Name: NtCompactKeys
Status: Not hooked

#: 028 Function Name: NtCompareTokens
Status: Not hooked

#: 029 Function Name: NtCompleteConnectPort
Status: Not hooked

#: 030 Function Name: NtCompressKey
Status: Not hooked

#: 031 Function Name: NtConnectPort
Status: Not hooked

#: 032 Function Name: NtContinue
Status: Not hooked

#: 033 Function Name: NtCreateDebugObject
Status: Not hooked

#: 034 Function Name: NtCreateDirectoryObject
Status: Not hooked

#: 035 Function Name: NtCreateEvent
Status: Not hooked

#: 036 Function Name: NtCreateEventPair
Status: Not hooked

#: 037 Function Name: NtCreateFile
Status: Not hooked

#: 038 Function Name: NtCreateIoCompletion
Status: Not hooked

#: 039 Function Name: NtCreateJobObject
Status: Not hooked

#: 040 Function Name: NtCreateJobSet
Status: Not hooked

#: 041 Function Name: NtCreateKey
Status: Not hooked

#: 042 Function Name: NtCreateMailslotFile
Status: Not hooked

#: 043 Function Name: NtCreateMutant
Status: Not hooked

#: 044 Function Name: NtCreateNamedPipeFile
Status: Not hooked

#: 045 Function Name: NtCreatePagingFile
Status: Not hooked

#: 046 Function Name: NtCreatePort
Status: Not hooked

#: 047 Function Name: NtCreateProcess
Status: Not hooked

#: 048 Function Name: NtCreateProcessEx
Status: Not hooked

#: 049 Function Name: NtCreateProfile
Status: Not hooked

#: 050 Function Name: NtCreateSection
Status: Not hooked

#: 051 Function Name: NtCreateSemaphore
Status: Not hooked

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Not hooked

#: 053 Function Name: NtCreateThread
Status: Not hooked

#: 054 Function Name: NtCreateTimer
Status: Not hooked

#: 055 Function Name: NtCreateToken
Status: Not hooked

#: 056 Function Name: NtCreateWaitablePort
Status: Not hooked

#: 057 Function Name: NtDebugActiveProcess
Status: Not hooked

#: 058 Function Name: NtDebugContinue
Status: Not hooked

#: 059 Function Name: NtDelayExecution
Status: Not hooked

#: 060 Function Name: NtDeleteAtom
Status: Not hooked

#: 061 Function Name: NtDeleteBootEntry
Status: Not hooked

#: 062 Function Name: NtDeleteFile
Status: Not hooked

#: 063 Function Name: NtDeleteKey
Status: Not hooked

#: 064 Function Name: NtDeleteObjectAuditAlarm
Status: Not hooked

#: 065 Function Name: NtDeleteValueKey
Status: Not hooked

#: 066 Function Name: NtDeviceIoControlFile
Status: Not hooked

#: 067 Function Name: NtDisplayString
Status: Not hooked

#: 068 Function Name: NtDuplicateObject
Status: Not hooked

#: 069 Function Name: NtDuplicateToken
Status: Not hooked

#: 070 Function Name: NtEnumerateBootEntries
Status: Not hooked

#: 071 Function Name: NtEnumerateKey
Status: Not hooked

#: 072 Function Name: NtEnumerateSystemEnvironmentValuesEx
Status: Not hooked

#: 073 Function Name: NtEnumerateValueKey
Status: Not hooked

#: 074 Function Name: NtExtendSection
Status: Not hooked

#: 075 Function Name: NtFilterToken
Status: Not hooked

#: 076 Function Name: NtFindAtom
Status: Not hooked

#: 077 Function Name: NtFlushBuffersFile
Status: Not hooked

#: 078 Function Name: NtFlushInstructionCache
Status: Not hooked

#: 079 Function Name: NtFlushKey
Status: Not hooked

#: 080 Function Name: NtFlushVirtualMemory
Status: Not hooked

#: 081 Function Name: NtFlushWriteBuffer
Status: Not hooked

#: 082 Function Name: NtFreeUserPhysicalPages
Status: Not hooked


Stealth Objects
-------------------

Object: Hidden Module [Name: UACptxyycgkjwqlcnloe.dll]
Process: svchost.exe (PID: 876) Address: 0x10000000 Size: 73728



I'm wondering at this point if I could successfully complete a full RootRepeal scan without my computer freezing or throwing errors, if that might uncover some clues? I'll search for the errors I got on Google, but I won't attempt anything without posting here first.
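As an added example (not from the original poster, and not part of RootRepeal), a small Python triage script for the log layout above: it pulls out every SSDT entry whose status is anything other than "Not hooked" and every hidden module from the Stealth Objects section, so a long log collapses to the few lines worth looking at. The sample log is constructed; the "Hooked by ..." status line is an assumed layout for a hooked entry, and the hidden-module block copies the finding from this thread.

```python
import re

# Constructed sample in RootRepeal's log layout (not the poster's full log); the
# "Hooked by ..." status line is an assumed layout for a hooked entry.
SAMPLE_LOG = """\
#: 082 Function Name: NtFlushVirtualMemory
Status: Not hooked

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\fakedrv.sys" at address 0xf7a1b2c0

Stealth Objects
-------------------

Object: Hidden Module [Name: UACptxyycgkjwqlcnloe.dll]
Process: svchost.exe (PID: 876) Address: 0x10000000 Size: 73728
"""

# One SSDT entry: "#: NNN Function Name: X" followed by a "Status: ..." line.
SSDT_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)\s*\nStatus:\s*(.+)$", re.M)
# One hidden-module block from the Stealth Objects section.
HIDDEN_RE = re.compile(
    r"^Object:\s*Hidden Module \[Name:\s*(?P<name>[^\]]+)\]\s*\n"
    r"Process:\s*(?P<proc>\S+)\s*\(PID:\s*(?P<pid>\d+)\)\s*"
    r"Address:\s*(?P<addr>0x[0-9A-Fa-f]+)\s*Size:\s*(?P<size>\d+)",
    re.M,
)

def parse_ssdt(log):
    """Return every SSDT entry as (index, function name, status text)."""
    return [(int(i), fn, st.strip()) for i, fn, st in SSDT_RE.findall(log)]

def hooked_entries(log):
    """Keep only entries whose status is anything other than 'Not hooked'."""
    return [e for e in parse_ssdt(log) if not e[2].lower().startswith("not hooked")]

def hidden_modules(log):
    """Return each hidden module with its host process, PID, base address and size."""
    return [{"name": m["name"], "process": m["proc"], "pid": int(m["pid"]),
             "address": int(m["addr"], 16), "size": int(m["size"])}
            for m in HIDDEN_RE.finditer(log)]

def triage(log):
    """Collapse a long log into the lines an analyst needs to look at."""
    findings = [f"SSDT #{i:03d} {fn}: {st}" for i, fn, st in hooked_entries(log)]
    findings += [f"hidden module {m['name']} in {m['process']} (PID {m['pid']}) "
                 f"at {m['address']:#x}, {m['size']} bytes" for m in hidden_modules(log)]
    return findings
```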

#14 dustinshadoe
  • Topic Starter
  • Members
  • 10 posts

Posted 10 August 2009 - 04:18 PM

Thought I'd post back. I did find a thread on Major Geeks that described a problem with RootRepeal like mine, but no solution there. Any more ideas at this point?

#15 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 10 August 2009 - 05:00 PM

The infection is blocking RootRepeal from running correctly. Let's try a different ARK tool.

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan, it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
~Blade


In your next reply, please include the following:
sarscan.log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM




