
I'm infected Please help


51 replies to this topic

#1 glicky22 (Members, 47 posts)

Posted 27 July 2009 - 08:41 PM

Internet Explorer keeps redirecting to other sites and telling me I'm infected. I downloaded Trojan Remover, which did a temporary clean. Then Malwarebytes, and that won't open and/or download again. I tried Spybot, which pulled up all the different trojans on my PC, but yet won't remove them. Nothing seems to be working. I have Windows XP.


#2 Budapest, Bleepin' Cynic (Moderator, 23,571 posts)

Posted 27 July 2009 - 08:46 PM

Rename this file:

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

to this:

winlogon.exe

Then double-click the renamed file and see if it will run.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 glicky22 (Topic Starter, Members, 47 posts)

Posted 27 July 2009 - 08:50 PM

No luck, it starts to load then locks up while extracting files.

#4 Budapest, Bleepin' Cynic (Moderator, 23,571 posts)

Posted 27 July 2009 - 08:54 PM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (e.g. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click File and choose Save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)


#5 glicky22 (Topic Starter, Members, 47 posts)

Posted 27 July 2009 - 09:27 PM

OK, this will not download for me. It keeps taking me in circles.

#6 Budapest, Bleepin' Cynic (Moderator, 23,571 posts)

Posted 27 July 2009 - 09:57 PM

Do you have access to another computer that you can download it on?

#7 glicky22 (Topic Starter, Members, 47 posts)

Posted 28 July 2009 - 04:18 AM

Finally was able to download Dr.Web. Here is the log. What should I do next?
iexplorer.exe.vir;C:\Program Files\win;Trojan.Inject.2015;Deleted.;
A0181189.exe;C:\System Volume Information\_restore{470F10A4-913F-4843-A9DF-63AF1174B7EB}\RP437;Trojan.Inject.2015;Deleted.;
A0187904.exe;C:\System Volume Information\_restore{470F10A4-913F-4843-A9DF-63AF1174B7EB}\RP452;Trojan.Inject.2015;Deleted.;
A0196353.exe;C:\System Volume Information\_restore{470F10A4-913F-4843-A9DF-63AF1174B7EB}\RP473;Trojan.Inject.2015;Deleted.;
A0196354.exe;C:\System Volume Information\_restore{470F10A4-913F-4843-A9DF-63AF1174B7EB}\RP474;Trojan.Inject.2015;Deleted.;
A0201660.exe;C:\System Volume Information\_restore{470F10A4-913F-4843-A9DF-63AF1174B7EB}\RP484;Trojan.Inject.2015;Deleted.;
A0211400.exe;C:\System Volume Information\_restore{470F10A4-913F-4843-A9DF-63AF1174B7EB}\RP507;Trojan.Inject.2015;Deleted.;
A0212427.exe;C:\System Volume Information\_restore{470F10A4-913F-4843-A9DF-63AF1174B7EB}\RP509;Trojan.Inject.2015;Deleted.;
A0212582.exe;C:\System Volume Information\_restore{470F10A4-913F-4843-A9DF-63AF1174B7EB}\RP509;Trojan.Inject.2015;Deleted.;
A0212597.exe;C:\System Volume Information\_restore{470F10A4-913F-4843-A9DF-63AF1174B7EB}\RP509;Trojan.Inject.2015;Deleted.;
A0213846.exe;C:\System Volume Information\_restore{470F10A4-913F-4843-A9DF-63AF1174B7EB}\RP509;Trojan.Inject.2015;Deleted.;
A0213988.exe;C:\System Volume Information\_restore{470F10A4-913F-4843-A9DF-63AF1174B7EB}\RP509;Trojan.Inject.2015;Deleted.;
A0214149.exe;C:\System Volume Information\_restore{470F10A4-913F-4843-A9DF-63AF1174B7EB}\RP509;Trojan.Inject.2015;Deleted.;
A0215449.exe;C:\System Volume Information\_restore{470F10A4-913F-4843-A9DF-63AF1174B7EB}\RP509;Trojan.Inject.2015;Deleted.;
A0215788.exe;C:\System Volume Information\_restore{470F10A4-913F-4843-A9DF-63AF1174B7EB}\RP509;Trojan.Inject.2015;Deleted.;
net.net;C:\WINXP\system32;Trojan.Click.25308;Deleted.;
UACxgmltbyorg.dll;C:\WINXP\system32;BackDoor.Tdss.49;Deleted.;
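The Dr.Web report above is a plain semicolon-separated list, and a few lines of Python turn it into the summary a helper wants at a glance: which detections sit in live locations and which are System Restore snapshots, what was hit directly under system32, and whether anything was not removed. This is an added example, not code from the thread or from Dr.Web; the parser assumes the object;directory;threat;action; layout seen in the post, and the sample lines are copied from it.

```python
"""Triage helper for a Dr.Web CureIt report such as the DrWeb.csv posted above.

Added example, not code from the thread or from Dr.Web. It assumes the line
layout visible in the post: object;directory;threat;action; with a trailing
empty field. The sample lines are copied from the post.
"""
from collections import Counter
from typing import Dict, List, NamedTuple

# Four representative lines from the report in post #7 (one live hit, one
# System Restore copy, two system32 hits).
SAMPLE_REPORT = r"""iexplorer.exe.vir;C:\Program Files\win;Trojan.Inject.2015;Deleted.;
A0181189.exe;C:\System Volume Information\_restore{470F10A4-913F-4843-A9DF-63AF1174B7EB}\RP437;Trojan.Inject.2015;Deleted.;
net.net;C:\WINXP\system32;Trojan.Click.25308;Deleted.;
UACxgmltbyorg.dll;C:\WINXP\system32;BackDoor.Tdss.49;Deleted.;
"""


class Detection(NamedTuple):
    obj: str        # file name as Dr.Web reports it
    directory: str  # directory containing it
    threat: str     # detection name
    action: str     # what Dr.Web did ("Deleted.", "Moved.", ...)


def parse_drweb_report(text: str) -> List[Detection]:
    """Parse semicolon-separated Dr.Web report lines into Detection records."""
    rows: List[Detection] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"unexpected report line: {line!r}")
        rows.append(Detection(*fields[:4]))
    return rows


RESTORE_MARKER = "\\system volume information\\_restore"


def is_restore_point_copy(d: Detection) -> bool:
    """True when the hit is a System Restore snapshot rather than a live file."""
    return RESTORE_MARKER in d.directory.lower()


def summarize(rows: List[Detection]) -> Dict[str, Dict[str, int]]:
    """Count hits per threat name, keeping live files apart from restore-point copies.

    Restore-point copies are inert until a rollback, so they say nothing about
    what is currently running; the live bucket is what needs attention now.
    """
    live: Counter = Counter()
    restore: Counter = Counter()
    for d in rows:
        (restore if is_restore_point_copy(d) else live)[d.threat] += 1
    return {"live": dict(live), "restore_points": dict(restore)}


def not_removed(rows: List[Detection]) -> List[Detection]:
    """Hits whose action is anything other than Deleted (still need attention)."""
    return [d for d in rows if not d.action.lower().startswith("deleted")]


def system_dir_hits(rows: List[Detection]) -> List[str]:
    """File names detected directly under a system32 directory."""
    return [d.obj for d in rows if d.directory.lower().endswith("\\system32")]


if __name__ == "__main__":
    rows = parse_drweb_report(SAMPLE_REPORT)
    print(summarize(rows))
    print("in system32:", system_dir_hits(rows))
    print("not removed:", not_removed(rows))
```

Feed the full DrWeb.csv text to parse_drweb_report to get the same breakdown for a real report; the two system32 hits in the sample (net.net and the UAC-prefixed DLL flagged as BackDoor.Tdss) are the ones that explain the redirects the topic starter describes, while the RP* entries are restore-point copies of the same dropper.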

#8 glicky22 (Topic Starter, Members, 47 posts)

Posted 28 July 2009 - 08:27 AM

Well I was hoping after that 7 hour scan that something would have been better with this. I went to my Internet Explorer to do a search and once again it took me all over the place. It brought up a 'my computer online scan' stating there are trojans, email worms, and a hacka track. I kept getting a dialog box to download some anti-virus software and everything locked up. So once again the PC had to be shut down by the power supply.
Please help!!!!

#9 Budapest, Bleepin' Cynic (Moderator, 23,571 posts)

Posted 28 July 2009 - 04:26 PM

Are you now able to run the Malwarebytes scan?

#10 glicky22 (Topic Starter, Members, 47 posts)

Posted 28 July 2009 - 06:02 PM

No, I haven't even been able to get on here all day. Must have had a bad link here. Anyhow, I can't get Malwarebytes to open. Any other suggestions? I am still badly infected.

#11 Budapest, Bleepin' Cynic (Moderator, 23,571 posts)

Posted 28 July 2009 - 06:06 PM

Please download RootRepeal Rootkit Detector and save it to your Desktop.

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.
* Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the Files tab, then click the Scan button.
* In the Select Drives dialog (Please select drives to scan:), select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".

#12 glicky22 (Topic Starter, Members, 47 posts)

Posted 28 July 2009 - 06:19 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/28 18:18
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xB9F79000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINXP\System32\drivers\afd.sys
Address: 0xB6A42000 Size: 138496 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xB9F31000 Size: 96512 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINXP\system32\DRIVERS\audstub.sys
Address: 0xBA794000 Size: 3072 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINXP\System32\Drivers\Beep.SYS
Address: 0xBA60E000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINXP\system32\BOOTVID.dll
Address: 0xBA4B8000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINXP\System32\Drivers\Cdfs.SYS
Address: 0xBA318000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINXP\system32\DRIVERS\cdrom.sys
Address: 0xBA2F8000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINXP\system32\DRIVERS\CLASSPNP.SYS
Address: 0xBA0E8000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xBA0D8000 Size: 36352 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINXP\system32\drivers\drmk.sys
Address: 0xBA238000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINXP\System32\Drivers\dump_atapi.sys
Address: 0xB6887000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINXP\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA632000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINXP\System32\drivers\Dxapi.sys
Address: 0xB6D14000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINXP\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINXP\System32\drivers\dxgthk.sys
Address: 0xBA6E9000 Size: 4096 File Visible: - Signed: -
Status: -

Name: eeCtrl.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
Address: 0xB68E5000 Size: 393216 File Visible: - Signed: -
Status: -

Name: EraserUtilRebootDrv.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
Address: 0xB68C7000 Size: 122880 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINXP\System32\Drivers\Fips.SYS
Address: 0xBA288000 Size: 44544 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xB9F11000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINXP\System32\Drivers\Fs_Rec.SYS
Address: 0xBA606000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xB9F49000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINXP\System32\Drivers\GEARAspiWDM.sys
Address: 0xBA420000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINXP\system32\hal.dll
Address: 0x806E4000 Size: 134400 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINXP\system32\DRIVERS\HDAudBus.sys
Address: 0xB96D0000 Size: 163840 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINXP\System32\Drivers\HTTP.sys
Address: 0xB588C000 Size: 264832 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINXP\system32\DRIVERS\i8042prt.sys
Address: 0xBA2D8000 Size: 52480 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINXP\system32\DRIVERS\imapi.sys
Address: 0xBA2E8000 Size: 42112 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINXP\system32\DRIVERS\intelppm.sys
Address: 0xBA2C8000 Size: 36352 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINXP\system32\DRIVERS\ipnat.sys
Address: 0xB6AC7000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINXP\system32\DRIVERS\ipsec.sys
Address: 0xB6B46000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xBA0A8000 Size: 37248 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINXP\system32\DRIVERS\kbdclass.sys
Address: 0xBA410000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINXP\system32\KDCOM.DLL
Address: 0xBA5A8000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINXP\system32\drivers\kmixer.sys
Address: 0xB49C8000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINXP\system32\DRIVERS\ks.sys
Address: 0xB95DB000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xB9EE8000 Size: 92288 File Visible: - Signed: -
Status: -

Name: lmimirr.sys
Image Path: C:\WINXP\system32\DRIVERS\lmimirr.sys
Address: 0xBA793000 Size: 3200 File Visible: - Signed: -
Status: -

Name: LMIRfsDriver.sys
Image Path: C:\WINXP\system32\drivers\LMIRfsDriver.sys
Address: 0xB6087000 Size: 40960 File Visible: - Signed: -
Status: -

Name: ltmdmnt.sys
Image Path: C:\WINXP\system32\DRIVERS\ltmdmnt.sys
Address: 0xB95FE000 Size: 606656 File Visible: - Signed: -
Status: -

Name: LVPr2Mon.sys
Image Path: C:\WINXP\system32\DRIVERS\LVPr2Mon.sys
Address: 0xBA370000 Size: 18944 File Visible: - Signed: -
Status: -

Name: LVUSBSta.sys
Image Path: C:\WINXP\system32\drivers\LVUSBSta.sys
Address: 0xBA2A8000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mdmxsdk.sys
Image Path: C:\WINXP\system32\DRIVERS\mdmxsdk.sys
Address: 0xB5EC0000 Size: 11840 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINXP\System32\Drivers\mnmdd.SYS
Address: 0xBA610000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINXP\System32\Drivers\Modem.SYS
Address: 0xBA408000 Size: 30080 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINXP\system32\DRIVERS\mouclass.sys
Address: 0xBA418000 Size: 23040 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xBA0B8000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINXP\system32\DRIVERS\mrxdav.sys
Address: 0xB5E6F000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINXP\system32\DRIVERS\mrxsmb.sys
Address: 0xB6945000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINXP\System32\Drivers\Msfs.SYS
Address: 0xBA4B0000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINXP\system32\DRIVERS\msgpc.sys
Address: 0xBA1B8000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINXP\system32\DRIVERS\mssmbios.sys
Address: 0xBA580000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xB9E14000 Size: 105344 File Visible: - Signed: -
Status: -

Name: naveng.sys
Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080130.004\naveng.sys
Address: 0xB6B8E000 Size: 75552 File Visible: - Signed: -
Status: -

Name: navex15.sys
Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20080130.004\navex15.sys
Address: 0xB6BA1000 Size: 888608 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xB9E2E000 Size: 182656 File Visible: - Signed: -
Status: -

Name: NDISRD.SYS
Image Path: C:\WINXP\System32\Drivers\NDISRD.SYS
Address: 0xBA360000 Size: 24576 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINXP\system32\DRIVERS\ndistapi.sys
Address: 0xBA574000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINXP\system32\DRIVERS\ndisuio.sys
Address: 0xB64A7000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINXP\system32\DRIVERS\ndiswan.sys
Address: 0xB955D000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINXP\System32\Drivers\NDProxy.SYS
Address: 0xBA1D8000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINXP\system32\DRIVERS\netbios.sys
Address: 0xBA268000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINXP\system32\DRIVERS\netbt.sys
Address: 0xB6A9F000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINXP\System32\Drivers\Npfs.SYS
Address: 0xBA340000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xB9E5B000 Size: 574976 File Visible: - Signed: -
Status: -

Name: NTIDrvr.sys
Image Path: C:\WINXP\system32\DRIVERS\NTIDrvr.sys
Address: 0xBA5D0000 Size: 6912 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINXP\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINXP\System32\Drivers\Null.SYS
Address: 0xBA7B6000 Size: 2944 File Visible: - Signed: -
Status: -

Name: nv4_disp.dll
Image Path: C:\WINXP\System32\nv4_disp.dll
Address: 0xBF012000 Size: 5885952 File Visible: - Signed: -
Status: -

Name: nv4_mini.sys
Image Path: C:\WINXP\system32\DRIVERS\nv4_mini.sys
Address: 0xB970C000 Size: 7077344 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xBA330000 Size: 19712 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xB9F68000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xBA670000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINXP\system32\DRIVERS\PCIIDEX.SYS
Address: 0xBA328000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINXP\system32\drivers\portcls.sys
Address: 0xB6D58000 Size: 147456 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINXP\system32\DRIVERS\psched.sys
Address: 0xB954C000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINXP\system32\DRIVERS\ptilink.sys
Address: 0xBA438000 Size: 17792 File Visible: - Signed: -
Status: -

Name: RaInfo.sys
Image Path: C:\Program Files\LogMeIn\x86\RaInfo.sys
Address: 0xBA5BC000 Size: 6144 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINXP\system32\DRIVERS\rasacd.sys
Address: 0xB6D50000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINXP\system32\DRIVERS\rasl2tp.sys
Address: 0xBA188000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINXP\system32\DRIVERS\raspppoe.sys
Address: 0xBA198000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINXP\system32\DRIVERS\raspptp.sys
Address: 0xBA1A8000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINXP\system32\DRIVERS\raspti.sys
Address: 0xBA440000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINXP\system32\DRIVERS\rdbss.sys
Address: 0xB69B5000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINXP\System32\DRIVERS\RDPCDD.sys
Address: 0xBA61A000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINXP\system32\DRIVERS\redbook.sys
Address: 0xBA308000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINXP\system32\drivers\rootrepeal.sys
Address: 0xB4B06000 Size: 49152 File Visible: No Signed: -
Status: -

Name: Rtenicxp.sys
Image Path: C:\WINXP\system32\DRIVERS\Rtenicxp.sys
Address: 0xB96B7000 Size: 98944 File Visible: - Signed: -
Status: -

Name: RtkHDAud.sys
Image Path: C:\WINXP\system32\drivers\RtkHDAud.sys
Address: 0xB6D7C000 Size: 4755456 File Visible: - Signed: -
Status: -

Name: savrt.sys
Image Path: C:\Program Files\Symantec AntiVirus\savrt.sys
Address: 0xB6CB0000 Size: 360448 File Visible: - Signed: -
Status: -

Name: Savrtpel.sys
Image Path: C:\Program Files\Symantec AntiVirus\Savrtpel.sys
Address: 0xB6C7A000 Size: 81920 File Visible: - Signed: -
Status: -

Name: sdcplh.sys
Image Path: C:\WINXP\System32\drivers\sdcplh.sys
Address: 0xBA278000 Size: 40576 File Visible: - Signed: -
Status: -

Name: SPBBCDrv.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
Address: 0xB69E0000 Size: 401408 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xB9EFF000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINXP\system32\DRIVERS\srv.sys
Address: 0xB5C15000 Size: 333952 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINXP\system32\DRIVERS\swenum.sys
Address: 0xBA5EC000 Size: 4352 File Visible: - Signed: -
Status: -

Name: SYMEVENT.SYS
Image Path: C:\Program Files\Symantec\SYMEVENT.SYS
Address: 0xB6C8E000 Size: 139264 File Visible: - Signed: -
Status: -

Name: SYMTDI.SYS
Image Path: C:\WINXP\System32\Drivers\SYMTDI.SYS
Address: 0xB6A64000 Size: 241664 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINXP\system32\drivers\sysaudio.sys
Address: 0xB61D7000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINXP\system32\DRIVERS\tcpip.sys
Address: 0xB6AED000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINXP\system32\DRIVERS\TDI.SYS
Address: 0xBA430000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINXP\system32\DRIVERS\termdd.sys
Address: 0xBA1C8000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINXP\system32\DRIVERS\update.sys
Address: 0xB93DE000 Size: 384768 File Visible: - Signed: -
Status: -

Name: usbaudio.sys
Image Path: C:\WINXP\system32\drivers\usbaudio.sys
Address: 0xBA2B8000 Size: 60032 File Visible: - Signed: -
Status: -

Name: usbccgp.sys
Image Path: C:\WINXP\system32\DRIVERS\usbccgp.sys
Address: 0xBA380000 Size: 32128 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINXP\system32\DRIVERS\USBD.SYS
Address: 0xBA602000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINXP\system32\DRIVERS\usbehci.sys
Address: 0xBA400000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINXP\system32\DRIVERS\usbhub.sys
Address: 0xBA248000 Size: 59520 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINXP\system32\DRIVERS\USBPORT.SYS
Address: 0xB9693000 Size: 147456 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINXP\system32\DRIVERS\usbuhci.sys
Address: 0xBA3F8000 Size: 20608 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINXP\System32\drivers\vga.sys
Address: 0xBA4A8000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINXP\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB96F8000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xBA0C8000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINXP\system32\DRIVERS\wanarp.sys
Address: 0xBA258000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINXP\System32\watchdog.sys
Address: 0xBA3B8000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINXP\system32\drivers\wdmaud.sys
Address: 0xB5FE2000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINXP\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINXP\system32\DRIVERS\WMILIB.SYS
Address: 0xBA5AA000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

#13 Budapest, Bleepin' Cynic (Moderator, 23,571 posts)

Posted 28 July 2009 - 06:24 PM

This isn't the right scan. Make sure you click on the Files tab (bottom left), then click the Scan button.

#14 glicky22 (Topic Starter, Members, 47 posts)

Posted 28 July 2009 - 06:41 PM

I think I got it this time. Sorry.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/28 18:40
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\Users\All Users
Status: Locked to the Windows API!

Path: C:\WINXP\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINXP\system32\UACixmktiojdu.dll
Status: Invisible to the Windows API!

Path: C:\WINXP\system32\UACjohmbavbuw.dll
Status: Invisible to the Windows API!

Path: C:\WINXP\system32\UAClrwwiarefq.dat
Status: Invisible to the Windows API!

Path: C:\WINXP\system32\UACoryjkvymxf.dll
Status: Invisible to the Windows API!

Path: C:\WINXP\system32\UACqnwyiuijxi.db
Status: Invisible to the Windows API!

Path: C:\WINXP\system32\UACubrobappup.dll
Status: Invisible to the Windows API!

Path: C:\WINXP\Temp\UACe6e5.tmp
Status: Invisible to the Windows API!

Path: C:\WINXP\Temp\UACe7a0.tmp
Status: Invisible to the Windows API!

Path: C:\Users\Justin.JUSTIN-SHAR\My Documents\My Videos
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_a6e7a8e20e9863b4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3ce6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11df268b7c6d9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_a6e6a8980e994a5d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_45e008191e507087.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_b7e10f227b2fceff.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_a6dfa6920e9f98fc.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_58843c41d2730d3f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_b7e811287b298060.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_7658964504b9f3b6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_b7e911727b2899b7.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\WINXP\system32\drivers\UACoettrsxkwk.sys
Status: Invisible to the Windows API!

Path: C:\Users\Justin.JUSTIN-SHAR\Desktop\Justin-Old Profile\Application Data
Status: Locked to the Windows API!

Path: C:\Users\Justin.JUSTIN-SHAR\Desktop\Justin-Old Profile\Cookies
Status: Locked to the Windows API!

Path: C:\Users\Justin.JUSTIN-SHAR\Desktop\Justin-Old Profile\Local Settings
Status: Locked to the Windows API!

Path: C:\Users\Justin.JUSTIN-SHAR\Desktop\Justin-Old Profile\NetHood
Status: Locked to the Windows API!

Path: C:\Users\Justin.JUSTIN-SHAR\Desktop\Justin-Old Profile\PrintHood
Status: Locked to the Windows API!

Path: C:\Users\Justin.JUSTIN-SHAR\Desktop\Justin-Old Profile\Recent
Status: Locked to the Windows API!

Path: C:\Users\Justin.JUSTIN-SHAR\Desktop\Justin-Old Profile\SendTo
Status: Locked to the Windows API!

Path: C:\Users\Justin.JUSTIN-SHAR\Desktop\Justin-Old Profile\Start Menu
Status: Locked to the Windows API!

Path: C:\Users\Justin.JUSTIN-SHAR\Desktop\Justin-Old Profile\Templates
Status: Locked to the Windows API!

Path: C:\Users\Justin.JUSTIN-SHAR\Local Settings\Temp\UACaf18.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20080130.004\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!

Path: C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.0.6000.16386__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\assembly\GAC_MSIL\PresentationFramework\3.0.0.0__31bf3856ad364e35\PRESEN~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\assembly\GAC_MSIL\System.ServiceModel\3.0.0.0__b77a5c561934e089\SYSTEM~1.DLL
Status: Locked to the Windows API!

Path: C:\Users\Justin.JUSTIN-SHAR\Desktop\Justin-Old Profile\AppData\Local\Application Data
Status: Locked to the Windows API!

Path: C:\Users\Justin.JUSTIN-SHAR\Desktop\Justin-Old Profile\AppData\Local\History
Status: Locked to the Windows API!

Path: C:\Users\Justin.JUSTIN-SHAR\Desktop\Justin-Old Profile\AppData\Local\Temporary Internet Files
Status: Locked to the Windows API!
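The two RootRepeal reports above (#12 from the Drivers tab, #14 from the Files tab) share one layout: a section name underlined with dashes, then blank-line-separated records of Key: value lines, with the driver Address line packing four fields into one. The parser below is an added example, not code from the thread or from the RootRepeal project; it handles both sections and pulls out what a helper reads first: loaded drivers with no visible backing file, paths invisible to the Windows API (as opposed to merely locked ones, which are just in use), and the name prefix those hidden files share, which here is the UAC family that Dr.Web had already labelled BackDoor.Tdss. The sample log is trimmed from the two posts, and the allowlist of drivers expected to lack a visible file (dump_*.sys and the tool's own rootrepeal.sys) is this example's own assumption.

```python
"""Parse a RootRepeal report and pull out what an analyst reads first.

Added example, not code from the thread or from RootRepeal. The sample log is
trimmed from posts #12 and #14; the allowlist of drivers expected to have no
backing file is this example's assumption, not a RootRepeal rule.
"""
import os
import re
from typing import Dict, List

SAMPLE_LOG = r"""ROOTREPEAL © AD, 2007-2009
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xB9F79000 Size: 187776 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINXP\System32\Drivers\dump_atapi.sys
Address: 0xB6887000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINXP\system32\drivers\rootrepeal.sys
Address: 0xB4B06000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Users\All Users
Status: Locked to the Windows API!

Path: C:\WINXP\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINXP\system32\UACixmktiojdu.dll
Status: Invisible to the Windows API!

Path: C:\WINXP\system32\drivers\UACoettrsxkwk.sys
Status: Invisible to the Windows API!
"""

Record = Dict[str, str]
Sections = Dict[str, List[Record]]

# The driver Address line packs four fields into one line.
ADDRESS_RE = re.compile(
    r"Address:\s*(?P<address>\S+)\s+Size:\s*(?P<size>\d+)\s+"
    r"File Visible:\s*(?P<visible>\S+)\s+Signed:\s*(?P<signed>\S+)"
)


def parse_rootrepeal(text: str) -> Sections:
    """Split the report into sections, each a list of Key: value records."""
    sections: Sections = {}
    current = None
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = chunk.splitlines()
        if len(lines) >= 2 and lines[1].startswith("---"):
            current = lines[0].strip()      # section header underlined with dashes
            sections[current] = []
            lines = lines[2:]               # first record may follow the header directly
        if current is None or not lines:
            continue                        # banner lines before the first section
        record: Record = {}
        for line in lines:
            m = ADDRESS_RE.match(line)
            if m:
                record.update(m.groupdict())
            else:
                key, _, value = line.partition(":")
                record[key.strip()] = value.strip()
        sections[current].append(record)
    return sections


# Drivers normally reported with "File Visible: No" on XP: the crash-dump copies
# (dump_*.sys) the kernel loads without a file of their own, and the tool's own
# driver. Analyst's assumption for this example.
EXPECTED_WITHOUT_FILE = {"rootrepeal.sys"}


def drivers_without_file(sections: Sections) -> List[str]:
    """Every loaded driver for which no backing file was visible."""
    return [d["Name"] for d in sections.get("Drivers", []) if d.get("visible") == "No"]


def suspicious_drivers(sections: Sections) -> List[str]:
    """Drivers without a backing file that the allowlist does not explain."""
    return [n for n in drivers_without_file(sections)
            if n.lower() not in EXPECTED_WITHOUT_FILE and not n.lower().startswith("dump_")]


def invisible_files(sections: Sections) -> List[str]:
    """Paths the scanner reached but the Windows API could not see; "Locked" ones are just in use."""
    return [r["Path"] for r in sections.get("Hidden/Locked Files", [])
            if r.get("Status", "").startswith("Invisible")]


def shared_name_prefix(paths: List[str]) -> str:
    """Longest case-insensitive prefix of the file names; a shared one points at a single dropper."""
    names = [os.path.basename(p.replace("\\", "/")).lower() for p in paths]
    return os.path.commonprefix(names) if names else ""


if __name__ == "__main__":
    s = parse_rootrepeal(SAMPLE_LOG)
    hidden = invisible_files(s)
    print("no visible file:", drivers_without_file(s), "unexplained:", suspicious_drivers(s))
    print("hidden:", hidden, "shared prefix:", shared_name_prefix(hidden))
```

On the trimmed sample the unexplained-driver list is empty, which matches Budapest's reading that the Drivers scan in #12 was not the interesting one; the Files scan is, and the shared "uac" prefix across the invisible .dll, .sys and .tmp entries ties them to the one driver (UACoettrsxkwk.sys) that the next post tells the user to wipe.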

#15 Budapest, Bleepin' Cynic (Moderator, 23,571 posts)

Posted 28 July 2009 - 06:54 PM

Rerun RootRepeal. After the scan completes, go to the Files tab and find this file:

C:\WINXP\system32\drivers\UACoettrsxkwk.sys

Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.

Then run a quick-scan with Malwarebytes. Keep rebooting and running quick-scans with Malwarebytes until it shows zero infections. If after 3 scans it is still not clean post the final log.