SHeur2 Trojan


7 replies to this topic

#1 hoorayjeebus (Members, 4 posts)

Posted 23 August 2009 - 02:01 AM

Hello,

I use Windows XP. My GF picked up a trojan from the internet (we use Firefox) - did a search for a musician we saw on TV and the 1st hit was a torrent site. She clicked on it and instantly AVG said it was infected. At the time it was the SHeur2 trojan, although subsequent scans have changed the name. So I ran AVG, which cleared out the files except they popped back up on the reboot. Ran CCleaner, then AntiMalware, which also failed to clear out the infection. Ran ComboFix, which also didn't work. Obviously it's in the registry but I don't have the wherewithal to muck around in there without destroying something. If anyone has any more ideas I'd be grateful.


#2 Computer Pro (Members, 2,448 posts)

Posted 23 August 2009 - 06:02 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right-hand corner by your first post, click the Options button and then click Track this topic. Then select the Immediate Notification bullet and press Submit.


Please install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed: L@@K
Unzip that to your Desktop and then click RootRepeal.exe to open the scanner.

* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator.
* Click on the FILES tab, then click the Scan button.
* In the Select Drives dialog (Please select drives to scan), select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, firewall and any other security programs you had disabled.

Please note: If RootRepeal fails to run, try this step: click Settings > Options and set the Disk Access slider to High.

Note 2: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
Computer Pro

#3 hoorayjeebus (Topic Starter, 4 posts)

Posted 25 August 2009 - 12:02 AM

Thanks! Here's the report:
(Any suggestions for general clean-up are welcome too - I can't seem to remove Norton and have it running with AVG at the same time - I know that's a no-no.)

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/24 21:59
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF73AB000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF3DC6000 Size: 138496 File Visible: - Signed: -
Status: -

Name: AmdK8.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AmdK8.sys
Address: 0xF77FC000 Size: 57344 File Visible: - Signed: -
Status: -

Name: aracpi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\aracpi.sys
Address: 0xF7984000 Size: 22784 File Visible: - Signed: -
Status: -

Name: arkbcfltr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
Address: 0xF7B1A000 Size: 5376 File Visible: - Signed: -
Status: -

Name: armoucfltr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
Address: 0xF7B18000 Size: 4992 File Visible: - Signed: -
Status: -

Name: arpolicy.sys
Image Path: C:\WINDOWS\system32\DRIVERS\arpolicy.sys
Address: 0xF71F8000 Size: 10112 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF733D000 Size: 98304 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0x00000000 Size: 0 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF7CC0000 Size: 3072 File Visible: - Signed: -
Status: -

Name: avgldx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgldx86.sys
Address: 0xF3AD3000 Size: 329088 File Visible: - Signed: -
Status: -

Name: avgmfx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Address: 0xF790C000 Size: 21120 File Visible: - Signed: -
Status: -

Name: avgtdix.sys
Image Path: C:\WINDOWS\System32\Drivers\avgtdix.sys
Address: 0xF3ED9000 Size: 101888 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7B26000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF79EC000 Size: 12288 File Visible: - Signed: -
Status: -

Name: bxdbhgeo.sys
Image Path: bxdbhgeo.sys
Address: 0xF785C000 Size: 23424 File Visible: - Signed: -
Status: -

Name: catchme.sys
Image Path: C:\DOCUME~1\Kristen\LOCALS~1\Temp\catchme.sys
Address: 0xB9390000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xB9340000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF781C000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF764C000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF763C000 Size: 36352 File Visible: - Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF7355000 Size: 153344 File Visible: - Signed: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF7AE4000 Size: 5888 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF771C000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3A97000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B46000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF3F9E000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7BBB000 Size: 4096 File Visible: - Signed: -
Status: -

Name: eeCtrl.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
Address: 0xF3B41000 Size: 397312 File Visible: - Signed: -
Status: -

Name: EraserUtilRebootDrv.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
Address: 0xF3B24000 Size: 118784 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xF3AAF000 Size: 143744 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF779C000 Size: 44544 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF731D000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7B24000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF737B000 Size: 125056 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806D0000 Size: 131840 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xF6BB3000 Size: 163840 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF78B4000 Size: 28672 File Visible: - Signed: -
Status: -

Name: HSX_CNXT.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
Address: 0xF6BDB000 Size: 745472 File Visible: - Signed: -
Status: -

Name: HSX_DP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSX_DP.sys
Address: 0xF6C91000 Size: 1011712 File Visible: - Signed: -
Status: -

Name: HSXHWBS2.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys
Address: 0xF6D88000 Size: 282624 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xB9BF7000 Size: 264832 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF783C000 Size: 52480 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF780C000 Size: 42112 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xF3C9E000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xF3F4B000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF760C000 Size: 37248 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF79AC000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7ADC000 Size: 8192 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF6DF5000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF72F4000 Size: 92928 File Visible: - Signed: -
Status: -

Name: Lbd.sys
Image Path: Lbd.sys
Address: 0xF765C000 Size: 57472 File Visible: - Signed: -
Status: -

Name: mdmxsdk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Address: 0xB9B07000 Size: 12544 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF7B28000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF799C000 Size: 30080 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF79A4000 Size: 23040 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF761C000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xB9E53000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xF3BA2000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF78C4000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF769C000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF71D4000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF7220000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF723A000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF71F4000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xBAD00000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF6B1A000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF76DC000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF775C000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xF3EB1000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF78CC000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7267000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7C03000 Size: 2944 File Visible: - Signed: -
Status: -

Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF9D5000 Size: 3956736 File Visible: - Signed: -
Status: -

Name: nv4_mini.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xF6E50000 Size: 3535680 File Visible: - Signed: -
Status: -

Name: NVENETFD.sys
Image Path: C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
Address: 0xF76FC000 Size: 34176 File Visible: - Signed: -
Status: -

Name: nvnetbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
Address: 0xF71FC000 Size: 13056 File Visible: - Signed: -
Status: -

Name: NVNRM.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\NVNRM.SYS
Address: 0xF6B68000 Size: 307200 File Visible: - Signed: -
Status: -

Name: NVSNPU.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS
Address: 0xF6B31000 Size: 225280 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF786C000 Size: 19712 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF739A000 Size: 68224 File Visible: - Signed: -
Status: -

Name: PCI_NTPNP1512
Image Path: \Driver\PCI_NTPNP1512
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7BA4000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF7864000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF3FA6000 Size: 147456 File Visible: - Signed: -
Status: -

Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xF7B7C000 Size: 6464 File Visible: No Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF6B09000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF79BC000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF766C000 Size: 35712 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF6DD5000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF784C000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF75EC000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF75FC000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF79C4000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xF3C3A000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7B2A000 Size: 4224 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xF6AD9000 Size: 196224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF782C000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8ED5000 Size: 49152 File Visible: No Signed: -
Status: -

Name: RtkHDAud.sys
Image Path: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Address: 0xF3FCA000 Size: 4460544 File Visible: - Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xF78FC000 Size: 24576 File Visible: - Signed: -
Status: -

Name: SASKUTIL.sys
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0xF3C65000 Size: 151552 File Visible: - Signed: -
Status: -

Name: SAVRTPEL.SYS
Image Path: c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRTPEL.SYS
Address: 0xF3C8A000 Size: 81920 File Visible: - Signed: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS
Address: 0xF73D9000 Size: 98304 File Visible: - Signed: -
Status: -

Name: secdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Address: 0xB9EB0000 Size: 40960 File Visible: - Signed: -
Status: -

Name: SPBBCDrv.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
Address: 0xF3CC4000 Size: 401408 File Visible: - Signed: -
Status: -

Name: sptd.sys
Image Path: sptd.sys
Address: 0xF73F1000 Size: 958464 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF730B000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xB9AB5000 Size: 333952 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF7B1C000 Size: 4352 File Visible: - Signed: -
Status: -

Name: SYMDNS.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMDNS.SYS
Address: 0xF78D4000 Size: 28672 File Visible: - Signed: -
Status: -

Name: SYMEVENT.SYS
Image Path: C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
Address: 0xF3E53000 Size: 143360 File Visible: - Signed: -
Status: -

Name: SYMFW.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMFW.SYS
Address: 0xF3E2A000 Size: 167936 File Visible: - Signed: -
Status: -

Name: SYMIDS.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMIDS.SYS
Address: 0xF774C000 Size: 49152 File Visible: - Signed: -
Status: -

Name: symidsco.sys
Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20090811.001\symidsco.sys
Address: 0xF3DE8000 Size: 270336 File Visible: - Signed: -
Status: -

Name: symlcbrd.sys
Image Path: C:\WINDOWS\system32\drivers\symlcbrd.sys
Address: 0xF79D4000 Size: 24576 File Visible: - Signed: -
Status: -

Name: SYMNDIS.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMNDIS.SYS
Address: 0xF773C000 Size: 45056 File Visible: - Signed: -
Status: -

Name: SYMREDRV.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
Address: 0xF772C000 Size: 40960 File Visible: - Signed: -
Status: -

Name: SYMTDI.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMTDI.SYS
Address: 0xF3E76000 Size: 241664 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xBA080000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xF3EF2000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF79B4000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF76BC000 Size: 40704 File Visible: - Signed: -
Status: -

Name: ukbulba.sys
Image Path: ukbulba.sys
Address: 0xF75DC000 Size: 61440 File Visible: No Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF6A7B000 Size: 384768 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF7B20000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF7994000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF76EC000 Size: 59520 File Visible: - Signed: -
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xF798C000 Size: 17152 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF6E18000 Size: 147456 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF78BC000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF6E3C000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF762C000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF777C000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF7934000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xB9E3E000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WmBEnum.sys
Image Path: C:\WINDOWS\system32\drivers\WmBEnum.sys
Address: 0xF71D0000 Size: 10144 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS
Address: 0xF7ADE000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: WmXlCore.sys
Image Path: C:\WINDOWS\system32\drivers\WmXlCore.sys
Address: 0xF76CC000 Size: 44288 File Visible: - Signed: -
Status: -

#4 Computer Pro (Members, 2,448 posts)

Posted 25 August 2009 - 04:59 PM

Here is the Norton Removal Tool:

http://service1.symantec.com/SUPPORT/tsgen...005033108162039.

And make sure that you run the FILE scan this time and post back the log.
Computer Pro

#5 hoorayjeebus (Topic Starter, 4 posts)

Posted 25 August 2009 - 07:01 PM

oh der. thanks

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/25 16:59
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Kristen\Local Settings\Temp\xrysnoxn.dat
Status: Locked to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20070319.016\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!
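The two RootRepeal reports above (the driver list in post #3 and the Hidden/Locked Files list in post #5) are what a responder actually works from, and the items worth a second look are the ones the tool cannot tie to a file on disk. The following is an added example, not code from this thread or from RootRepeal itself: it parses both record formats and ranks entries by the checks a practitioner would apply first, namely a loaded driver whose file is hidden from the Windows API, a driver listed with a bare image path that is not a known Windows boot-start driver, and a locked file sitting in a user Temp directory. The allowlists, the severity labels, the `Finding` type and the embedded sample (an excerpt of the reports posted above) are assumptions of this example; the output is a list of leads to verify by hand (locate the file, check its signature and hash), not a malware verdict.

```python
"""Triage a RootRepeal report: Drivers and Hidden/Locked Files sections.

Added example, not code from the thread or from RootRepeal. The allowlists
and severity rules are this example's own assumptions and deliberately partial.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity item reason")

# Drivers legitimately reported with no visible file: scanner drivers that
# unload after use and crash-dump copies (assumption: partial list).
KNOWN_FILELESS = {"catchme.sys", "rootrepeal.sys", "procexp90.sys",
                  "dump_atapi.sys", "dump_wmilib.sys"}
# Microsoft boot-start drivers that RootRepeal lists with a bare image path
# (assumption: partial list for Windows XP).
KNOWN_BOOT_START = {"acpi.sys", "atapi.sys", "disk.sys", "dmio.sys", "dmload.sys",
                    "fltmgr.sys", "ftdisk.sys", "isapnp.sys", "ksecdd.sys",
                    "mountmgr.sys", "mup.sys", "ndis.sys", "ntfs.sys", "partmgr.sys",
                    "pci.sys", "pciide.sys", "sr.sys", "volsnap.sys"}
EXPECTED_LOCKED = re.compile(r"^c:\\(hiberfil|pagefile)\.sys$", re.I)
TEMP_DIR = re.compile(r"\\temp\\", re.I)

# One driver record as RootRepeal prints it (four lines).
DRIVER_RE = re.compile(
    r"^Name: (?P<name>.+)\nImage Path: (?P<path>.+)\n"
    r"Address: 0x[0-9A-Fa-f]+ Size: \d+ File Visible: (?P<visible>\S+) Signed: \S+\n"
    r"Status: .+$", re.M)
# One Hidden/Locked Files record (two lines).
LOCKED_RE = re.compile(r"^Path: (?P<path>.+)\nStatus: (?P<status>.+)$", re.M)


def triage_drivers(report):
    """Flag loaded drivers with no backing file or an unresolved image path."""
    findings = []
    for m in DRIVER_RE.finditer(report):
        name, path, visible = m["name"].strip(), m["path"].strip(), m["visible"]
        if path.startswith("\\"):   # object-manager name (\Driver\...), no file to check
            continue
        base = path.rsplit("\\", 1)[-1].lower()
        if visible == "No" and base not in KNOWN_FILELESS:
            findings.append(Finding("high", name, "loaded driver, file hidden from the Windows API"))
        elif visible == "No":
            findings.append(Finding("info", name, "hidden file, but a known scanner/dump driver"))
        elif "\\" not in path and base not in KNOWN_BOOT_START:
            findings.append(Finding("medium", name,
                                    "bare image path outside boot-start allowlist; locate the file and verify its signature"))
    return findings


def triage_locked(report):
    """Flag locked files outside the locations where a lock is expected."""
    findings = []
    for m in LOCKED_RE.finditer(report):
        path = m["path"].strip()
        if EXPECTED_LOCKED.search(path):
            findings.append(Finding("info", path, "system file, lock expected"))
        elif TEMP_DIR.search(path):
            findings.append(Finding("high", path, "locked file in a temp directory; acquire and hash it"))
        else:
            findings.append(Finding("medium", path, "locked file; confirm the owning product"))
    return findings


def triage(report):
    """Combined findings, highest severity first (stable within a severity)."""
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(triage_drivers(report) + triage_locked(report), key=lambda f: order[f.severity])


# Constructed sample: an excerpt of the two reports posted in this thread.
SAMPLE_REPORT = r"""Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF73AB000 Size: 187776 File Visible: - Signed: -
Status: -

Name: bxdbhgeo.sys
Image Path: bxdbhgeo.sys
Address: 0xF785C000 Size: 23424 File Visible: - Signed: -
Status: -

Name: catchme.sys
Image Path: C:\DOCUME~1\Kristen\LOCALS~1\Temp\catchme.sys
Address: 0xB9390000 Size: 31744 File Visible: No Signed: -
Status: -

Name: PCI_NTPNP1512
Image Path: \Driver\PCI_NTPNP1512
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: ukbulba.sys
Image Path: ukbulba.sys
Address: 0xF75DC000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Kristen\Local Settings\Temp\xrysnoxn.dat
Status: Locked to the Windows API!
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.severity:6}] {f.item}: {f.reason}")
```

On the excerpt this ranks ukbulba.sys (loaded, file hidden) and the locked .dat file in the user's Temp directory highest, lists bxdbhgeo.sys as a bare-path driver to locate and verify, and demotes catchme.sys (ComboFix's own scanner driver) to informational. The bare-path check also flags third-party boot-start drivers such as sptd.sys, which is the intended behaviour: they are legitimate only once you have confirmed which product installed them.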

#6 Computer Pro (Members, 2,448 posts)

Posted 25 August 2009 - 07:17 PM

OK, let's try another anti-rootkit.

Please download Sophos Anti-Rootkit and save it to your desktop.
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Credits to DaChew

* Be sure to print out and read the User Manual and Release Notes.
* Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
* Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
* A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
* Make sure the following are checked:
  o Running processes
  o Windows Registry
  o Local Hard Drives
* Click Start scan.
* Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
* When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
* Click on the suspicious file to display more information about it in the lower panel, which also includes whether the item is recommended for removal.
  o Files tagged as Removable: No are not marked for removal and cannot be removed.
  o Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
  o Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
* Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm; click Yes.
* A pop-up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
* After reboot, a dialog box displays the files you selected for removal and the action taken.
* Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
* When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
* This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.

Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections:
* Disconnect from the Internet or physically unplug your Internet cable connection.
* Clean out your temporary files.
* Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
* Temporarily disable your anti-virus and real-time anti-spyware protection.
* After starting the scan, do not use the computer until the scan has completed.
* When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Computer Pro

#7 hoorayjeebus (Topic Starter, 4 posts)

Posted 26 August 2009 - 12:45 AM

Hi,
Installed and ran Anti-Rootkit, and it found many hidden files, but did not recommend any for cleanup. Here is the log.


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/25/2009 at 18:53:47 PM
User "Kristen" on computer "YOUR-4DACD0EA75"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\Installer\Office Assistant\ms_office_trial.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Local Settings\Temp\rtdrvmon.exe
Hidden: file C:\hp\region\wallpaper\WBDCC34I.DLL
Hidden: file C:\Documents and Settings\Kristen\Desktop\sar_15_sfx.exe
Hidden: file C:\hp\bin\SetRes.exe
Hidden: file C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP129\A0016868.exe
Hidden: file C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP129\A0016877.exe
Hidden: file C:\MGtools.exe
Hidden: file C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP128\A0016807.exe
Hidden: file C:\Documents and Settings\Kristen\Desktop\ComboFix.exe
Hidden: file C:\Documents and Settings\Kristen\Desktop\AmazonMP3Installer.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\Ad-AwareAE.exe
Hidden: file C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Hidden: file C:\Documents and Settings\Kristen\Desktop\install_flash_player.exe
Hidden: file C:\WINDOWS\system32\pcintro\IAccess.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\Hewlett-Packard\HP Boot Optimizer\InstMsiA.Exe
Hidden: file C:\Program Files\Amazon\MP3 Downloader\Uninstall.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\shootthemessenger.exe
Hidden: file C:\Program Files\Malwarebytes' Anti-Malware\mbam-dor.exe
Hidden: file C:\Program Files\Online Services\PeoplePC\Accelerated\AcceleratedInstaller.exe
Hidden: file C:\Program Files\Online Services\PeoplePC\IE\EN\ie6setup.exe
Hidden: file C:\Program Files\Online Services\PeoplePC\ISP5900\Branding\bartppc.exe
Hidden: file C:\Program Files\Online Services\PeoplePC\ISP5900\System\MFC71.DLL
Hidden: file C:\Program Files\Online Services\PeoplePC\System\Redist\MFC71.DLL
Hidden: file C:\hp\recovery\wizard\SWR_Wizard.exe
Hidden: file C:\hp\support\HPSysInfo.exe
Hidden: file C:\Program Files\InfraRecorder\Uninstall.exe
Hidden: file C:\Program Files\CCleaner\uninst.exe
Hidden: file C:\WINDOWS\SWREG.exe
Hidden: file C:\WINDOWS\vFind.exe
Hidden: file C:\hp\bin\FullScreen2.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\epsxe160\burutter.dll
Hidden: file C:\Program Files\Online Services\EarthLink\EarthLink Setup.exe
Hidden: file C:\Program Files\Online Services\MSN90\pkgs\en\us\encanvas.exe
Hidden: file C:\Program Files\Online Services\MSN90\pkgs\en\us\msncli.exe
Hidden: file C:\Program Files\Online Services\MSN90\pkgs\instmsia.exe
Hidden: file C:\Program Files\Online Services\Canada\KOL\comps\acs\acssetup.exe
Hidden: file C:\Program Files\Online Services\Canada\KOL\comps\fw\nisale.exe
Hidden: file C:\Program Files\Online Services\Canada\KOL\comps\ocp\ocpinst.exe
Hidden: file C:\Program Files\Online Services\Canada\KOL\comps\sysinfo\SinfInst.exe
Hidden: file C:\Program Files\Online Services\Canada\KOL\comps\tb\tbsetup.exe
Hidden: file C:\Program Files\Online Services\Canada\KOL\Setup.exe
Hidden: file C:\Program Files\Online Services\Aol\Canada\comps\acs\acssetup.exe
Hidden: file C:\Program Files\Online Services\Aol\Canada\comps\ocp\ocpinst.exe
Hidden: file C:\Program Files\Online Services\Aol\Canada\comps\sysinfo\SinfInst.exe
Hidden: file C:\Program Files\Online Services\Aol\Canada\comps\tb\tbsetup.exe
Hidden: file C:\Program Files\Online Services\Aol\Canada\setup.exe
Hidden: file C:\Program Files\Online Services\NetscapeOnline\Netscape Tech\nsb-install-8-0.exe
Hidden: file C:\Program Files\Online Services\NetscapeOnline\NSsetup.exe
Hidden: file C:\Program Files\PC-Doctor for DOS\Offline\PC Doctor Offline.exe
Hidden: file C:\Program Files\PC-Doctor 5 for Windows\MFC71u.dll
Hidden: file C:\MGtools\analyse.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\epsxe160\ePSXe.exe
Hidden: file C:\Program Files\Online Services\Aol\United States\AOL90E\COMPS\LP\LANGPACK.EXE
Hidden: file C:\Program Files\Online Services\Aol\United States\AOL90\COMPS\ACS\ACSSETUP.EXE
Hidden: file C:\Program Files\Online Services\Aol\United States\AOL90\COMPS\LP\LANGPACK.EXE
Hidden: file C:\Program Files\Online Services\Aol\United States\AOL90\COMPS\OCP\OCPINST.EXE
Hidden: file C:\Program Files\Online Services\Aol\United States\AOL90\COMPS\SYSINFO\SINFINST.EXE
Hidden: file C:\Program Files\Online Services\Aol\United States\AOL90\COMPS\TB\TBSETUP.EXE
Hidden: file C:\Program Files\Sonic\MyDVD\mfc71.dll
Hidden: file C:\Program Files\Sonic\MyDVD\mfc71u.dll
Hidden: file C:\Program Files\Symantec\LiveUpdate\MFC71.DLL
Hidden: file C:\Program Files\Sonic\MyDVD\LeaderReg.exe
Hidden: file C:\hp\bin\AddDevicePath.exe
Hidden: file C:\hp\bin\OSType.exe
Hidden: file C:\WINDOWS\$hf_mig$\KB958690\SP3GDR\win32k.sys
Hidden: file C:\WINDOWS\system32\bfc42d.dll
Hidden: file C:\WINDOWS\system32\mfc71u.dll
Hidden: file C:\WINDOWS\system32\mfc71.dll
Hidden: file C:\Documents and Settings\All Users\Documents\BitTorrent Downloads\yyyyy\vdsrun30.dll
Hidden: file C:\games\Black Isle\Baldur's Gate\BGMain.exe
Hidden: file C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\LeaderReg.exe
Hidden: file C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe
Hidden: file C:\Program Files\Common Files\Real\GToolbar\GDSSetup.exe
Hidden: file C:\Program Files\WildTangent\Apps\CDA\CDAUninstall.exe
Hidden: file C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\epsxe160\plugins\gpuPeopsSoft.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\epsxe160\plugins\spuEternal.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\epsxe160\plugins\spuEternalL.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\epsxe160\patches\JOYINFO.EXE
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\epsxe160\patches\padHellMM.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\epsxe160\patches\NIPPON\padHellMM.dll
Hidden: file C:\Program Files\UltraVNC\unins000.exe
Hidden: file C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\mshtml.dll
Hidden: file C:\WINDOWS\$NtUninstallKB941693$\win32k.sys
Hidden: file C:\Program Files\Common Files\Microsoft Shared\MSORUN\MSORUN.DLL
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\sysshock2\copy of LGVID.AX
Hidden: file C:\Program Files\Microsoft Works\MFC71.dll
Hidden: file C:\Program Files\Microsoft Works\lnchtour.exe
Hidden: file C:\Program Files\PC-Doctor for DOS\Offline\WBDDA34I.DLL
Hidden: file C:\Program Files\PC-Doctor 5 for Windows\uninst.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\delta201Setup.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\sysshock2\clcd32.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\sysshock2\clcd16.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\sysshock2\dplayerx.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\sysshock2\drvmgt.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\sysshock2\MSVCRT40.DLL
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\sysshock2\clokspl.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\sysshock2\help\ip.exe
Hidden: file C:\Program Files\Spybot - Search & Destroy\Updates\teatimer166.exe
Hidden: file C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll
Hidden: file C:\Program Files\Norton Internet Security\ISSTE.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\sysshock2\Shock2.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\sysshock2\allobjs.osm
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\sysshock2\secdrv.sys
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\AIMLang.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\AIMinst.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\lws_clrc.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\alsetup.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\ocpinst.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\tbsetup.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\unagi3.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\epsxecutor1063-prerelease\ePSXeCutorTool.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\epsxecutor1063-prerelease\ePSXeCutor.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\epsxecutor1063-prerelease\ePSXeCutorStuff.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Application Data\Adobe\Acrobat\7.0\Updater\AdbeRdr709_en_US.exe
Hidden: file C:\Documents and Settings\Kristen\Desktop\New Folder\iwbtgdemo.exe
Hidden: file C:\Program Files\Delta\delta.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\Emulator nes\UberNES\UberNES.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\muinst.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\AIMinst.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\toolbar.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\alsetup.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\ocpinst.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\tbsetup.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\AIMLang.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3\ampx.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4304\AIMLang.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4304\AIMinst.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4304\alsetup.exe
Hidden: file C:\WINDOWS\system32\Macromed\Shockwave 10\gt.exe
Hidden: file C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\xpsp2res.dll
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\dpcdll.dll
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\sprb040d.dll
Hidden: file C:\WINDOWS\$NtServicePackUninstall$\sprb0401.dll
Hidden: file C:\WINDOWS\system32\msdelta.dll
Hidden: file C:\Program Files\BitTorrent\bittorrent.exe
Hidden: file C:\WINDOWS\system32\drivers\bxdbhgeo.sys
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\zsnesw150\zsnesw.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\snes9x-1\fmod.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\snes9x-1\snes9x.exe
Hidden: file C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\updspapi.dll
Hidden: file C:\WINDOWS\system32\dllcache\WMSPDMOE.dll
Hidden: file C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Hidden: file C:\Program Files\Spybot - Search & Destroy\unins000.exe
Hidden: file C:\Program Files\Adobe\Adobe Bridge CS3\Adobe DNG Converter.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\Emulator nes\NESTICLE\NESTICLE.EXE
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\Emulator nes\NESTICLE\dos4gw.exe
Hidden: file C:\Program Files\Westwood Chat\WCHAT.DAT
Hidden: file C:\WINDOWS\ServicePackFiles\i386\kperdpc.dll
Hidden: file C:\WINDOWS\system32\DivX.dll
Hidden: file C:\Program Files\DivX\DivXCodecUninstall.exe
Hidden: file C:\Program Files\DivX\DivX Codec\DivX EKG.exe
Hidden: file C:\Program Files\DivX\ConverterUninstall.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\Emulator nes\NEStopia\nestopia.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\Emulator nes\NEStopia\language\english.nlg
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\Emulator nes\NEStopia\7zxa.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\Emulator nes\NEStopia\kailleraclient.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\Emulator nes\NEStopia\unrar.dll
Hidden: file C:\Program Files\DivX\DivX Player\DivX Player.exe
Hidden: file C:\Program Files\DivX\DivXPlayerUninstall.exe
Hidden: file C:\Program Files\DivX\DivX Web Player\npdivx32.dll
Hidden: file C:\Program Files\DivX\DivXWebPlayerUninstall.exe
Hidden: file C:\Program Files\DivX\DivXContentUploaderUninstall.exe
Hidden: file C:\Program Files\DivX\DivXBundleUninstall.exe
Hidden: file C:\Program Files\EA Games\Command & Conquer The First Decade\support\Westwood_Chat-4.221.exe
Hidden: file C:\WINDOWS\ServicePackFiles\i386\msncli.exe
Hidden: file C:\WINDOWS\ServicePackFiles\i386\ipevldpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\kprodpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\ipseldpc.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\.limewire\.NetworkShare\LimeWireWinInstaller.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\.limewire\.NetworkShare\LimeWireWin4.12.6-fixed.exe
Hidden: file C:\WINDOWS\ServicePackFiles\i386\shell32.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\isdpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\knperdpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\knprodpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\isendpc.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\sprb040d.dll
Hidden: file C:\WINDOWS\ServicePackFiles\i386\sprb0401.dll
Hidden: file C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\msncli.exe
Hidden: file C:\Documents and Settings\All Users\Documents\New Folder\x-com_ufo_defense\xcom1ce.exe
Hidden: file C:\Documents and Settings\All Users\Documents\New Folder\x-com_ufo_defense\xcom1dos.exe
Hidden: file C:\WINDOWS\system32\mui\0401\xpsp2res.dll
Hidden: file C:\WINDOWS\system32\mui\0408\xpsp3res.dll
Hidden: file C:\WINDOWS\system32\mui\0408\xpsp2res.dll
Hidden: file C:\WINDOWS\system32\mui\040D\xpsp2res.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\bop1990\BOP.EXE
Hidden: file C:\Documents and Settings\Kristen\My Documents\My Pictures\favorites\Miles\8-12 months\sunnystripes 014.jpg
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\Jagged Alliance 2 Gold\UNWISE.EXE
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\Jagged Alliance 2 Gold\clcd16.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\Jagged Alliance 2 Gold\clcd32.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\Jagged Alliance 2 Gold\dplayerx.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\Jagged Alliance 2 Gold\drvmgt.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\Jagged Alliance 2 Gold\ja2.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\Jagged Alliance 2 Gold\mss32.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\Jagged Alliance 2 Gold\Smackw32.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\JA2 Unfinished Business\UNWISE.EXE
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\JA2 Unfinished Business\binkw32.dll
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4268\AIMLang.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4268\AIMinst.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4268\alsetup.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4268\ocpinst.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4268\tbsetup.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4268\toolbar.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\JA2 Unfinished Business\ja2UBEditor.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\JA2 Unfinished Business\JA2UB.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\JA2 Unfinished Business\Ja2UBSaveConverter.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\JA2 Unfinished Business\mss32.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\JA2 Unfinished Business\Set JA2UB Campaign.exe
Hidden: file C:\Program Files\Adobe\Adobe Bridge CS3\browser\opera.dll
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4268\unagi3.exe
Hidden: file C:\Garmin\MapSource.exe
Hidden: file C:\WINDOWS\system32\dllcache\wmploc.dll
Hidden: file C:\Documents and Settings\Kristen\Desktop\GoogleEarthSetup.exe
Hidden: file C:\Program Files\AVG\AVG8\AVGToolbarInstall.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\aimqqgames\QQSetup65.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\DOSBox-0.70\dosbox.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\DOSBox-0.70\SDL.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\DOSBox-0.70\SDL_net.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\DOSBox-0.70\zmbv\zmbv.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-6f8124ef-n\gluegen-rt.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-79b03289-n\jogl.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-79b03289-n\jogl_awt.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-79b03289-n\jogl_cg.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\15\58fb3e0f-286f8cc7-n\decora-d3d.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\15\58fb3e0f-286f8cc7-n\decora-sse.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\15\58fb3e0f-286f8cc7-n\jmc.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\15\58fb3e0f-286f8cc7-n\msvcp71.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\6.0\15\58fb3e0f-286f8cc7-n\msvcr71.dll
Hidden: file C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP119\A0014364.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\DOSBox-0.70\uninstall.exe
Hidden: file C:\Program Files\Tencent\QQ Games\Uninstall.EXE
Hidden: file C:\Program Files\Tencent\QQ Games\Plugin\Uninstall.EXE
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4304\ocpinst.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4304\tbsetup.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4304\toolbar.exe
Hidden: file C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4304\unagi3.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\Myth2\Smackw32.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\Myth2\nuke.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\Myth2\Myth II.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\sysshock2\SHOCK2FIXED.EXE
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\games\abuse\Abuse32.EXE
Hidden: file C:\WINDOWS\system32\spool\drivers\w32x86\lexmark_1200_series8142\WAVS.EXE
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\OpenOffice.org 2.4 (en-US) Installation Files\setup.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\OpenOffice.org 2.4 (en-US) Installation Files\instmsia.exe
Hidden: file C:\WINDOWS\system32\spool\drivers\w32x86\3\WAVS.EXE
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\sweet\RTP\RTP\Harmony.dll
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\OpenOffice.org 2.4 (en-US) Installation Files\instmsiw.exe
Hidden: file C:\Documents and Settings\Compaq_Administrator\Desktop\OpenOffice.org 2.4 (en-US) Installation Files\java\jre-6u4-windows-i586-p.exe
Hidden: file C:\Documents and Settings\Kristen\Application Data\MySpace\IM\Install\MSIMClientSetup.1.0.697.0-static.exe
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Hidden: file C:\Program Files\Adobe\Adobe Device Central CS3\Required\Opera\Opera.dll
Hidden: file C:\Program Files\Adobe\Adobe Help Viewer\1.1\MFC71U.DLL
Hidden: file C:\Program Files\Jasc Software Inc\Paint Shop Pro 9\MFC71.dll
Info: Starting disk scan of D: (FAT).
Hidden: file D:\I386\APPS\APP25812\src\Support\Redist\MSRedist\mfc71u.dll
Hidden: file D:\I386\APPS\APP25812\src\Support\Redist\MSRedist\mfc71.dll
Hidden: file D:\I386\APPS\APP25812\src\Setup\Setup\APP\ISSTE.dll
Hidden: file D:\I386\APPS\APP25575\src\INS9XMSI.EXE
Hidden: file D:\I386\APPS\APP25276\src\RED\setup.exe
Hidden: file D:\I386\APPS\APP25276\src\BLUE\setup.exe
Hidden: file D:\I386\APPS\APP15999\src\IE\IE6SETUP.EXE
Hidden: file D:\I386\APPS\APP15447\src\MSWORKS\PSS\MSICUU.EXE
Hidden: file D:\I386\APPS\APP15447\src\MSWORKS\PSS\MSICU.EXE
Hidden: file D:\I386\APPS\APP15447\src\MSWORKS\PFILES\MSWORKS\MFC71.DLL
Hidden: file D:\I386\APPS\APP15447\src\MSWORKS\PFILES\MSWORKS\LNCHTOUR.EXE
Hidden: file D:\I386\APPS\APP15447\src\MSWORKS\INSTMSIA.EXE
Hidden: file D:\I386\APPS\APP15315\src\INS9XMSI.EXE
Hidden: file D:\I386\APPS\APP12830\pcdrwinpe\Setup.exe
Hidden: file D:\I386\APPS\APP12830\pcdr\Setup.exe
Hidden: file D:\I386\APPS\APP12830\dos\offline\WBDDA34I.DLL
Hidden: file D:\I386\APPS\APP12830\dos\offline\PC Doctor Offline.exe
Hidden: file D:\I386\APPS\APP12102\src\DISCoverHPDEC_HP_3.33.exe
Hidden: file D:\I386\APPS\APP11738\HPBootOp\InstMsiA.Exe
Hidden: file D:\I386\APPS\APP08361\src\setup\wis\Win9x\instmsi.exe
Hidden: file D:\I386\APPS\APP04878\LPC\SandR.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\other\UberUninstallSetup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\other\FullSetupGamesClient-compaq.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\other\fatemediaupgrade-silent.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\wheeloffortune-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\tradewinds-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\supergranny-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\snowyspacetrip-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\slingodeluxe-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\scrabble-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\ricochetlostworlds-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\polargolfer-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\polarbowler-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\penguins-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\mysterycasefiles-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\mahjongquest-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\legobuilderbots-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\jewelquest-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\jeopardy-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\insaniquariumdeluxe-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\gardendreams-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\fate-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\familyfeud-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\dinerdash-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\chuzzledeluxe-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\cakemania-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\bounce-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\bookwormdeluxe-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\blasterball2remix-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\blasterball2drm3-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\blackhawkstriker2-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\bistrostars-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\bejeweled2deluxe-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\alienshooter-setup.exe
Hidden: file D:\I386\APPS\APP03175\src\install\Worldwide-Compaq\games\airstrike2gulfthunder-setup.exe
Hidden: file D:\I386\APPS\APP00379\src\dsmf\isync\instmsia.exe
Hidden: file D:\I386\APPS\APP00379\src\DISK1\instmsia.exe
Hidden: file D:\MiniNT\PC-Doctor 5 for Win PE\MFC71u.dll
Hidden: file D:\MiniNT\PC-Doctor 5 for Win PE\xjre\jetrt\XLOT41058.dll
Hidden: file D:\MiniNT\PC-Doctor 5 for Win PE\xjre\jetrt\XAWT41058.dll
Stopped logging on 8/25/2009 at 20:32:08 PM

#8 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:32 AM

Posted 26 August 2009 - 04:40 PM

Hello, I am going to go ahead and send you to the HijackThis forum because you have a rootkit, and there are some on the loose right now that require special tools which are allowed to be used in the HJT forum, but not here. Please follow these instructions:

It looks like we are going to have to use more powerful tools than what we are allowed to use in the Am I Infected forum. I am going to need you to post a DDS/HijackThis log in the HijackThis Log section of the forum.

Please refer to this for your preparation reasons before posting:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

You can find the forum here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Once you have created a new topic in the HijackThis section, please post a link to it in this topic.
Please allow time for your topic to be replied to in the HijackThis section as the HJT Team is EXTREMELY busy posting logs before yours.
Computer Pro
