
spks.sys rootkit infection, Proper Logs from DDS


#1 Alecjw (Members, 9 posts, Location: kansas)

Posted 22 July 2009 - 11:30 AM

Hello and thank you again. If there is other information I need to post, please just ask!

Okay, so I had a virus on my computer that was mild, just clogging my computer with crap files and deleting old ones.
Instead of removing it I just decided it was time for a fresh slate.
So I pulled out an old program I created in high school, appropriately named NUKE MURDER KILL, which completely wipes your hard drive and then fills it up with crap data, then formats (7 times) so all data is gone forever.
I re-installed my fancy Windows XP PRO 2002 SP3 edition and a few other needed programs.
One week later during my normal scan AVG finds:

ROOTKIT
"C:\WINDOWS\System32\Drivers\adptv3ba.SYS";"Hidden driver";"Object is hidden"

Uhhh..... I have never dealt with a rootkit so I do not know how to proceed with removing it, and all attempts I have made fail because the offending file "adptv3ba.SYS" returns after reboot as another 8-letter .sys program. I do know that it's attached to spks.sys but I can't gain access to it to remove it.

THANK YOU FOR THE HELP!!!

Here is the DDS output:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 11:18:41.39 on Wed 07/22/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.57 [GMT -7:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\AAA\DAEMON Tools Lite\daemon.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\dds.scr
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe
uRun: [DAEMON Tools Lite] "c:\program files\aaa\daemon tools lite\daemon.exe" -autorun
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {609D1756-47B1-49E3-AA35-F7CF842CE3E6} = 192.168.2.1,64.126.4.189
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\pa8r6plq.default\
FF - prefs.js: browser.search.selectedEngine -
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

---- FIREFOX POLICIES ----
c:\program files\firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-7-18 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-18 335752]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-18 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-18 108552]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-18 298776]
RUnknown phooks;phooks; [x]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [2009-7-21 30136]

=============== Created Last 30 ================

2009-07-21 00:40 30,136 a------- c:\windows\system32\drivers\rspSanity32.sys
2009-07-21 00:40 <DIR> --d----- c:\program files\SanityCheck
2009-07-20 18:38 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-07-20 11:24 <DIR> --d----- C:\GAMES
2009-07-20 11:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-07-20 11:22 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-07-20 11:18 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-07-20 11:18 <DIR> --d----- c:\docume~1\admini~1\applic~1\DAEMON Tools Lite
2009-07-19 22:01 <DIR> --d----- c:\program files\PeerGuardian2
2009-07-19 21:45 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-07-19 21:33 361,600 a------- c:\windows\system32\drivers\TCPIP_OG
2009-07-18 23:55 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-07-18 23:55 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-18 23:55 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-18 23:55 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-18 23:55 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-07-18 23:55 <DIR> --d----- c:\program files\AVG
2009-07-18 23:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-07-18 23:09 <DIR> --d----- c:\windows\vbSkinner
2009-07-18 21:20 118 a------- c:\windows\system32\MRT.INI
2009-07-18 20:55 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-07-18 20:55 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-07-18 20:54 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-07-18 20:54 2,189,056 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-07-18 20:54 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-07-18 20:53 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-07-18 20:50 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-07-18 20:49 <DIR> --d----- c:\windows\system32\PreInstall
2009-07-18 20:49 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-07-18 20:49 <DIR> --d-h--- c:\windows\$hf_mig$
2009-07-18 20:41 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-07-18 18:50 <DIR> --d----- c:\windows\system32\appmgmt
2009-07-18 15:42 <DIR> --d----- c:\docume~1\admini~1\applic~1\uTorrent
2009-07-18 15:34 <DIR> --d----- c:\program files\AAA
2009-07-18 14:10 6,272 ac------ c:\windows\system32\dllcache\splitter.sys
2009-07-18 14:10 6,272 a------- c:\windows\system32\drivers\splitter.sys
2009-07-18 14:09 <DIR> --d----- c:\program files\Analog Devices
2009-07-17 21:16 163,840 a------- c:\windows\system32\igfxres.dll
2009-07-17 21:15 <DIR> --d----- c:\program files\Intel Corporation
2009-07-17 21:02 <DIR> --d----- c:\program files\Firefox
2009-07-17 20:58 <DIR> --ds---- c:\documents and settings\administrator\UserData
2009-07-17 20:57 139,776 ac------ c:\windows\system32\dllcache\e100b325.sys
2009-07-17 20:57 139,776 a------- c:\windows\system32\drivers\e100b325.sys
2009-07-17 20:57 53,248 a------- c:\windows\system32\Prounstl.exe
2009-07-17 20:57 23,040 a------- c:\windows\system32\IntelNic.dll
2009-07-17 20:57 2,983 a------- c:\windows\system32\net82557.din
2009-07-17 20:46 41,852 a------- c:\windows\system32\UpdDrv2K.exe
2009-07-17 20:46 <DIR> --d----- c:\windows\OPTIONS
2009-07-17 20:46 <DIR> --d----- c:\program files\3Com
2009-07-17 20:46 <DIR> --d----- C:\Dell
2009-07-17 20:45 446,464 a----r-- c:\windows\system32\hhactivex.dll
2009-07-17 20:45 176,128 a------- c:\windows\system32\RcdScan.dll
2009-07-17 20:44 645,616 a------- c:\windows\system32\MSCOMCT2.OCX
2009-07-17 20:44 414,944 a------- c:\windows\system32\COMCT332.OCX
2009-07-17 20:44 328,480 a------- c:\windows\system32\ssa3d30.ocx
2009-07-17 20:44 171,967 a------- c:\windows\system32\Odbcjet.hlp
2009-07-17 20:44 7,348 a------- c:\windows\system32\Odbcjet.cnt
2009-07-17 20:44 89,360 a------- c:\windows\system32\VB5DB.DLL
2009-07-17 20:44 26,368 ac------ c:\windows\system32\dllcache\usbstor.sys
2009-07-17 20:44 13,632 -------- c:\windows\system32\drivers\omci.sys
2009-07-17 20:40 <DIR> --d----- c:\documents and settings\Administrator
2009-07-17 20:39 <DIR> --ds---- c:\windows\system32\Microsoft
2009-07-17 20:38 8,192 a------- c:\windows\REGLOCS.OLD
2009-07-17 20:35 38,912 ac------ c:\windows\system32\dllcache\EXCH_ntfsdrv.dll
2009-07-17 20:34 13,463,552 ac------ c:\windows\system32\dllcache\hwxjpn.dll
2009-07-17 20:33 19,456 ac------ c:\windows\system32\dllcache\agt0404.dll
2009-07-17 20:32 2,577 a------- c:\windows\system32\CONFIG.NT
2009-07-17 20:32 0 a------- c:\windows\control.ini
2009-07-17 20:32 23,392 a------- c:\windows\system32\nscompat.tlb
2009-07-17 20:32 16,832 a------- c:\windows\system32\amcompat.tlb
2009-07-17 20:32 316,640 a------- c:\windows\WMSysPr9.prx
2009-07-17 20:31 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-07-17 20:31 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-07-17 20:31 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-07-17 20:31 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-07-17 20:31 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-07-17 20:30 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-07-17 20:30 <DIR> --d----- c:\program files\common files\MSSoap
2009-07-17 20:27 <DIR> --d----- c:\program files\Online Services
2009-07-17 20:27 <DIR> --d----- c:\program files\Messenger
2009-07-17 20:27 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-07-17 20:26 <DIR> --d----- c:\program files\Windows NT
2009-07-17 13:17 <DIR> --d----- c:\program files\common files\ODBC
2009-07-17 13:17 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-07-17 13:17 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-07-20 20:44 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-19 21:45 361,600 a------- c:\windows\system32\drivers\TCPIP.SYS
2009-07-17 20:27 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll

============= FINISH: 11:19:12.98 ===============


Edited by Alecjw, 22 July 2009 - 03:30 PM.



#2 thcbytes (Malware Response Team, 14,790 posts)

Posted 22 July 2009 - 12:00 PM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those we suggest to you while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

As I am in the final stages of training an Expert Coach will also oversee your fix. Your benefit will be "four eyes and two brains" but responses may be somewhat delayed so please be patient!!!!

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

==========

Let's have a deeper look at your computer.
Please do this.....

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
==========

Download and Run Scan with RootRepeal

* Download and save it to your desktop:
* Extract RootRepeal.exe from the zip archive.
* Open RootRepeal.exe on your desktop.

If you are using Windows Vista, right click RootRepeal.exe and select Run As Administrator.

* Click the Report tab.
* Click the Scan button.
* Check all six boxes.
* Push Ok
* Check the box for your main system drive (Usually C:), and press Ok.
* Allow RootRepeal to run a scan of your system. This may take some time.
* Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt.
*Include this report in your next reply

==========

Please download MBR.exe from here ->
http://www2.gmer.net/mbr/mbr.exe

Save the file to your desktop and double click on it.

A new text file will appear on your desktop, created by the tool. Copy and paste that file here, please.

==========
With your next post please provide:

* OTL.txt
* OTL Extra.txt
* RootRepeal.txt
* MBR scan

Again please let me remind you to make no changes or run any programs on this computer unless I direct you to do so. My proposed fix will be based on the current condition of your computer.

I will review your logs and post instructions forthcoming.
Regards,
t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 thcbytes (Malware Response Team, 14,790 posts)

Posted 22 July 2009 - 02:34 PM

Hi,

I was thinking about your dilemma. In that you formatted and reinstalled, the only possibilities are a new infection, an infection in RAM, or a false positive.

Looking at your logs so far, they don't reveal anything except...Daemon Tools!!

You're using Daemon Tools! It uses rootkit-like techniques to hide from other applications and to circumvent copy protection schemes. Some of its files often lead to false reports by antivirus or ARK software. It uses semi-random names, but always of the form a*******.sys, 8 characters long (a combination of letters/numbers). Files are renamed on every reboot. I have read that the name-changing routine may be due to the fact that Daemon Tools is sometimes used to circumvent anti-piracy measures in games so the player does not have to keep swapping out CDs. The name change may be an attempt to stop the anti-piracy systems detecting its presence.

You're welcome to perform the scans, but first I would uninstall Daemon Tools and see if the warning goes away. I suspect a false positive.

Kind regards,
~t

Edited by thcbytes, 22 July 2009 - 02:49 PM.

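The reasoning in the reply above can be applied mechanically to what the poster already has. The Python script below is an added example, not part of this thread and not code from DDS, AVG, RootRepeal or GMER: it parses the AVG detection line and the SERVICES / DRIVERS and Created Last 30 sections of the DDS log (a constructed excerpt built from the lines posted in #1), checks whether the hidden driver's name fits the a*******.sys pattern and sits in system32\drivers, looks for DAEMON Tools artifacts (the DAEMON Tools Lite directory and sptd.sys, which the log shows created minutes apart), records whether the name changed across reboots while keeping the pattern, and surfaces any service entry whose file DDS could not find ("[x]"). The second reboot name is constructed; the poster only says the file comes back under another 8-letter name. The verdict is a triage hint; the confirmation step is the one the reply gives, uninstall DAEMON Tools and rescan.

```python
"""Triage a 'hidden driver' finding against the DAEMON Tools false-positive
pattern described in this thread. Added example; detects nothing itself, it
only correlates text that AVG and DDS already produced."""
import re
from dataclasses import dataclass

# Pattern from the reply: a*******.sys, 8 characters of letters/digits.
DAEMON_TOOLS_NAME = re.compile(r"^a[0-9a-z]{7}\.sys$", re.IGNORECASE)
# AVG's detection line as posted: "path";"detection";"info"
AVG_LINE = re.compile(r'^"(?P<path>[^"]+)";"(?P<name>[^"]+)";"(?P<info>[^"]+)"$')
# DDS SERVICES / DRIVERS line: <state> <service>;<display>;<path> [<meta>]
DDS_DRIVER = re.compile(
    r"^(?P<state>\S+) (?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>[^\[]*)\[(?P<meta>[^\]]*)\]$")
# DDS Created Last 30 line: <date> <time> <size or <DIR>> <attrs> <path>
DDS_CREATED = re.compile(
    r"^(?P<date>\d{4}-\d\d-\d\d) (?P<time>\d\d:\d\d) (?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$")

# Inputs constructed from the lines posted in this thread.
AVG_DETECTION = r'"C:\WINDOWS\System32\Drivers\adptv3ba.SYS";"Hidden driver";"Object is hidden"'
DDS_EXCERPT = r"""
============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-7-18 12552]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
RUnknown phooks;phooks; [x]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [2009-7-21 30136]

=============== Created Last 30 ================

2009-07-20 11:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-07-20 11:18 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-07-18 23:55 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys

==================== Find3M ====================
"""
# Second name is constructed: the poster only reports "another 8 letter .sys".
NAMES_ACROSS_REBOOTS = ["adptv3ba.SYS", "a7q2k9xm.sys"]


@dataclass
class Triage:
    name: str
    verdict: str
    reasons: list
    missing_file_services: list


def parse_avg_detection(line):
    """Split AVG's quoted, semicolon-separated line into its three fields."""
    m = AVG_LINE.match(line.strip())
    if not m:
        raise ValueError("not an AVG detection line: %r" % line)
    return m.groupdict()


def parse_dds(text):
    """Collect the SERVICES / DRIVERS and Created Last 30 sections of a DDS log."""
    out = {"drivers": [], "created": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("="):  # section banner, e.g. ===== Find3M =====
            title = line.strip("= ").lower()
            section = ("drivers" if title.startswith("services") else
                       "created" if title.startswith("created") else None)
            continue
        if section == "drivers":
            m = DDS_DRIVER.match(line)
            if m:
                out["drivers"].append({k: v.strip() for k, v in m.groupdict().items()})
        elif section == "created":
            m = DDS_CREATED.match(line)
            if m:
                out["created"].append(m.groupdict())
    return out


def daemon_tools_evidence(dds):
    """Created Last 30 paths pointing at a DAEMON Tools install: its data
    directory and sptd.sys, its disk-access driver (created minutes apart in
    the thread's log)."""
    hits = []
    for entry in dds["created"]:
        p = entry["path"].lower()
        if "daemon tools" in p or p.endswith("\\sptd.sys"):
            hits.append(entry["path"])
    return hits


def triage(avg_line, dds_text, names_across_reboots=()):
    det = parse_avg_detection(avg_line)
    dds = parse_dds(dds_text)
    name = det["path"].rsplit("\\", 1)[-1]
    reasons = []
    fits_name = bool(DAEMON_TOOLS_NAME.match(name))
    if fits_name:
        reasons.append("%s fits the a*******.sys naming pattern" % name)
    in_drivers_dir = "\\system32\\drivers\\" in det["path"].lower()
    if in_drivers_dir:
        reasons.append("located in system32\\drivers")
    evidence = daemon_tools_evidence(dds)
    if evidence:
        reasons.append("DAEMON Tools artifacts present: " + "; ".join(evidence))
    seen = {n.lower() for n in names_across_reboots}
    if len(seen) > 1 and all(DAEMON_TOOLS_NAME.match(n) for n in seen):
        reasons.append("name changed across reboots but kept the pattern")
    if fits_name and in_drivers_dir and evidence:
        verdict = "likely DAEMON Tools false positive"
    else:
        verdict = "unexplained hidden driver"
    # Service entries whose file DDS could not locate ("[x]") get no verdict;
    # they are surfaced so the responder looks at them separately.
    missing = [d["svc"] for d in dds["drivers"] if d["meta"] == "x"]
    return Triage(name, verdict, reasons, missing)


if __name__ == "__main__":
    result = triage(AVG_DETECTION, DDS_EXCERPT, NAMES_ACROSS_REBOOTS)
    print(result.verdict, "for", result.name)
    for reason in result.reasons:
        print(" -", reason)
    if result.missing_file_services:
        print("service entries with no file on disk:", result.missing_file_services)
```

Run against the thread's own lines it reports the false-positive verdict with all four supporting reasons and separately lists the `phooks` service, whose file DDS marked `[x]`; with an empty DDS log it falls back to "unexplained hidden driver", because the naming pattern alone is not enough without evidence that DAEMON Tools is installed.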

#4 Alecjw (Topic Starter, Members, 9 posts, Location: kansas)

Posted 22 July 2009 - 03:29 PM

Thank you very much! I can't believe it was so simple T.T but eh, I know 0's & 1's, not rootkits hehe

Thank you again, if I could pass this doobie to ya I would :thumbup2: :)
-Alec

#5 thcbytes (Malware Response Team, 14,790 posts)

Posted 22 July 2009 - 04:47 PM

You're welcome. :thumbup2:

But wait......
I am only in training so I need to clear this with my expert coach. At the very least I will follow with some prevention strategies. Please stay tuned and I will post back after I have reviewed your thread with my coach.

Kind regards,
~t

#6 Carolyn (Bleepin' kitten, Members, 2,131 posts)

Posted 26 July 2009 - 09:30 AM

Hello and Welcome to the forums!

My name is Carolyn and I'll be working with you to resolve your computer problems.

Please do not run any other tool until instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.


If you follow these instructions, everything should go smoothly.


Please download gmer.zip from Gmer and save it to your desktop.
  • Right click on gmer.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • Click on the Browse button. Click on Desktop. Then click OK.
  • Click Next. It will start extracting.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Double click on gmer.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the Gmer scan log and post it in your next reply.
  • Close Gmer.
  • Open Command Prompt by going to Start > Run and type in cmd. Press Enter.
  • In Command Prompt, type in net stop gmer. Press Enter.
  • Type in exit to close Command Prompt.
Note: Do not run any programs while Gmer is running.


Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please post the results from GMER along with the two logs from OTL in your next reply.
Member of ASAP (Alliance of Security Analysis Professionals)