
Malwarebytes runs and then closes


22 replies to this topic

#1 itparttimer

Posted 24 August 2009 - 06:01 PM

I'm having trouble with a laptop that I have. I searched up and followed some things other people did.
What I have done so far is boot in safe mode and do a quick scan; for some reason that worked. After the quick scan,
I rebooted into normal mode and tried to run a normal scan, but it did not work. I've tried renaming the mbam.exe file to random names AND winlogon.exe, and reinstalling multiple times.
When I did the quick scan it found around 30 infected files.
What should I do next so that I can get Malwarebytes to run normally without being closed?
Oh, I have run a full scan from another computer: I took out the hard drive and plugged it into my other computer as a slave.
That also found many infected files; however, I still cannot get Malwarebytes to run normally.
Any help would be appreciated, thanks.

Quick rerereedit: I just tried to run a quick scan in safe mode but it does not work anymore. It closes.

Edited by itparttimer, 24 August 2009 - 06:12 PM.



#2 Blade

Posted 24 August 2009 - 09:10 PM

Hello itparttimer and :thumbsup: to BleepingComputer.

Please post the Malwarebytes log from the scan which was successful. (the "around 30 infected files" one)

~Blade

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#3 itparttimer

Posted 25 August 2009 - 11:06 AM

Sorry for the late reply, here is the log:

Malwarebytes' Anti-Malware 1.40
Database version: 2672
Windows 5.1.2600 Service Pack 3

21/08/2009 4:47:44 PM
mbam-log-2009-08-21 (16-47-44).txt

Scan type: Full Scan (E:\|)
Objects scanned: 210918
Time elapsed: 1 hour(s), 32 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP604\A0091057.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP604\A0091058.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP604\A0091062.exe (Rogue.WindowsAntivirus) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP604\A0091064.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP604\A0091167.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP604\A0091168.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP604\A0091179.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP604\A0091180.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP604\A0091181.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP604\A0091196.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP604\A0091197.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP604\A0091210.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP604\A0091212.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP606\A0091579.exe (Rogue.WindowsAntivirus) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP606\A0091580.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP613\A0092647.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\dddesot.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\tapi.nfo (Trojan.Agent) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\desot.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
E:\WINDOWS\Temp\tmp00001a72\tmp0000230d (Trojan.FakeAlert) -> Quarantined and deleted successfully.
E:\Documents and Settings\Hugh\Local Settings\Temp\26.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
E:\Documents and Settings\Hugh\Local Settings\Temp\2A.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
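As an added example (not part of this thread and not Malwarebytes' own tooling), the following Python parses an MBAM 1.x log in the layout shown above and separates hits that are dormant copies inside System Restore points from hits on the live system (system32, temp directories), flagging any that were not quarantined immediately and checking that the summary counts match the detail lines. The embedded sample log is constructed from a few lines of the log above; the "Delete on reboot" action on its last line is an assumed value added so the triage has a pending item to show.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes' Anti-Malware 1.40 log layout, built
# from a few lines of the log in this thread (not the full log). The final
# "Delete on reboot" action is an assumed value, included so the triage has a
# hit that was not removed immediately.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2672
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (E:\|)
Objects scanned: 210918

Registry Keys Infected: 0
Files Infected: 4

Registry Keys Infected:
(No malicious items detected)

Files Infected:
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP604\A0091057.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
E:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP606\A0091580.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\dddesot.dll (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
E:\Documents and Settings\Hugh\Local Settings\Temp\26.tmp (Trojan.Downloader) -> Delete on reboot.
"""

HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned): (.+)$")
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Detail line layout: <path> (<detection family>) -> <action>.
# The path is matched greedily so a "(...)" inside the path cannot be mistaken
# for the family, which is always the last parenthesised group before " -> ".
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return header fields, per-section summary counts and every detection line."""
    report = {"header": {}, "summary": {}, "detections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # a blank line ends a detail section
            continue
        if line.startswith("Malwarebytes' Anti-Malware"):
            report["header"]["version"] = line.split()[-1]
            continue
        m = HEADER_RE.match(line)
        if m:
            report["header"][m.group(1)] = m.group(2)
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report["summary"][m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious items"):
            continue
        m = ITEM_RE.match(line)
        if m:
            report["detections"].append({"section": section, **m.groupdict()})
    return report


def classify_location(path):
    """Coarse location class; the checks are ordered because a temp directory
    can also sit under the WINDOWS tree."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"  # dormant copy inside a System Restore point
    if "\\temp\\" in p:
        return "temp"           # dropped into a user or system temp directory
    if "\\windows\\system32\\" in p:
        return "system32"       # sitting next to the OS binaries
    return "other"


def triage(report):
    """Split restore-point copies from hits on the live system, flag anything
    not removed immediately, and count detections per family."""
    result = {"restore_point": [], "live": [], "pending": [], "families": Counter()}
    for d in report["detections"]:
        d = {**d, "location": classify_location(d["path"])}
        bucket = "restore_point" if d["location"] == "restore_point" else "live"
        result[bucket].append(d)
        if not d["action"].startswith("Quarantined and deleted"):
            result["pending"].append(d)
        result["families"][d["family"]] += 1
    return result


def check_counts(report):
    """Compare each summary count with the detail lines actually parsed for that
    section; a mismatch usually means a truncated or edited paste."""
    seen = Counter(d["section"] for d in report["detections"])
    return [(s, n, seen[s]) for s, n in report["summary"].items() if n != seen[s]]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    t = triage(rep)
    print("MBAM", rep["header"].get("version"), "db", rep["header"].get("Database version"))
    print("count mismatches:", check_counts(rep))
    print("restore-point copies:", len(t["restore_point"]), " live hits:", len(t["live"]))
    for d in t["live"]:
        print("  LIVE", d["location"], d["family"], d["path"])
    for d in t["pending"]:
        print("  PENDING", d["action"], d["path"])
```

Run against the full log above, the same split shows that most of the 22 hits are restore-point copies and that the live ones sit in system32 and the temp directories.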

#4 Blade

Posted 25 August 2009 - 11:38 AM

We need to do a rootkit scan.

Please install RootRepeal
Note: Vista users, right click on the desktop icon and select "Run as Administrator."
  • Go HERE, HERE, or HERE and download RootRepeal.zip to your Desktop.
    Disconnect from the Internet or physically unplug your Internet cable connection.
    Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
    Temporarily disable your anti-virus and real-time anti-spyware protection.
    After starting the scan, do not use the computer until the scan has completed.
    When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • At the top of the window, click Settings, then Options.
  • Click the Ssdt & Shadow Ssdt tab.
  • Make sure the box next to "Only display hooked functions." is checked.
  • Click the "X" in the top right corner of the Settings window to close it.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

~Blade


In your next reply, please include the following:
RootRepeal scan



#5 itparttimer

Posted 25 August 2009 - 11:42 AM

Yup, done, here it is. Well, I did it beforehand haha.
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/24 16:10
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEED9A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7C57000 Size: 8192 File Visible: No Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7CD4000 Size: 1664 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEEB12000 Size: 49152 File Visible: No Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF7C13000 Size: 5248 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: e:\i386\branches.inf
Status: Allocation size mismatch (API: 65536, Raw: 712)

Path: e:\i386\cloapp.gif
Status: Allocation size mismatch (API: 65536, Raw: 720)

Path: e:\i386\netfw.inf
Status: Allocation size mismatch (API: 65536, Raw: 696)

Path: e:\i386\noise.tha
Status: Allocation size mismatch (API: 65536, Raw: 704)

Path: e:\i386\oobeinfo.ini
Status: Allocation size mismatch (API: 65536, Raw: 696)

Path: e:\i386\ms8_6.png
Status: Allocation size mismatch (API: 65536, Raw: 720)

Path: e:\i386\progman.cnt
Status: Allocation size mismatch (API: 65536, Raw: 696)

Path: e:\i386\sample pictures.lnk
Status: Allocation size mismatch (API: 65536, Raw: 576)

Path: E:\WINDOWS\PIF\PIF
Status: Locked to the Windows API!

Path: E:\WINDOWS\mui\mui
Status: Locked to the Windows API!

Path: E:\WINDOWS\Config\Config
Status: Locked to the Windows API!

Path: E:\WINDOWS\Connection Wizard\Connection Wizard
Status: Locked to the Windows API!

Path: E:\WINDOWS\occache\occache
Status: Locked to the Windows API!

Path: E:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Status: Locked to the Windows API!

Path: E:\WINDOWS\ime\imejp98\imejp98
Status: Locked to the Windows API!

Path: E:\WINDOWS\Registration\CRMLog\CRMLog
Status: Locked to the Windows API!

Path: E:\WINDOWS\$hf_mig$\KB890046\KB890046
Status: Locked to the Windows API!

Path: E:\WINDOWS\$hf_mig$\KB918899\KB918899
Status: Locked to the Windows API!

Path: E:\WINDOWS\$hf_mig$\KB920213\KB920213
Status: Locked to the Windows API!

Path: E:\WINDOWS\$hf_mig$\KB922760\KB922760
Status: Locked to the Windows API!

Path: E:\WINDOWS\$hf_mig$\KB924496\KB924496
Status: Locked to the Windows API!

Path: E:\WINDOWS\$hf_mig$\KB925454\KB925454
Status: Locked to the Windows API!

Path: E:\WINDOWS\$hf_mig$\KB928090\KB928090
Status: Locked to the Windows API!

Path: E:\WINDOWS\$hf_mig$\KB931768\KB931768
Status: Locked to the Windows API!

Path: E:\WINDOWS\$hf_mig$\KB932168\KB932168
Status: Locked to the Windows API!

Path: E:\WINDOWS\$hf_mig$\KB933566\KB933566
Status: Locked to the Windows API!

Path: E:\WINDOWS\$hf_mig$\KB937143\KB937143
Status: Locked to the Windows API!

Path: E:\WINDOWS\$hf_mig$\KB939653\KB939653
Status: Locked to the Windows API!

Path: E:\WINDOWS\$hf_mig$\KB942615\KB942615
Status: Locked to the Windows API!

Path: E:\WINDOWS\$hf_mig$\KB943460\KB943460
Status: Locked to the Windows API!

Path: E:\WINDOWS\$hf_mig$\KB944533\KB944533
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\export\export
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\vos\vos
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\wins\wins
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\1025\1025
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\1028\1028
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\1031\1031
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\1037\1037
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\1041\1041
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\1042\1042
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\1054\1054
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\2052\2052
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\3076\3076
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\3com_dmi\3com_dmi
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\dhcp\dhcp
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\ecs1\ecs1
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\FxsTmp\FxsTmp
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\inetsrv\inetsrv
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\op4\op4
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\ShellExt\ShellExt
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\xircom\xircom
Status: Locked to the Windows API!

Path: E:\WINDOWS\Temp\_avast4_\_avast4_
Status: Locked to the Windows API!

Path: E:\WINDOWS\msapps\msinfo\msinfo
Status: Locked to the Windows API!

Path: E:\WINDOWS\Debug\UserMode\UserMode
Status: Locked to the Windows API!

Path: E:\WINDOWS\assembly\temp\temp
Status: Locked to the Windows API!

Path: E:\WINDOWS\assembly\tmp\tmp
Status: Locked to the Windows API!

Path: E:\WINDOWS\java\classes\classes
Status: Locked to the Windows API!

Path: E:\WINDOWS\java\trustlib\trustlib
Status: Locked to the Windows API!

Path: E:\WINDOWS\ime\chsime\applets\applets
Status: Locked to the Windows API!

Path: E:\WINDOWS\ime\CHTIME\Applets\Applets
Status: Locked to the Windows API!

Path: E:\WINDOWS\ime\imejp\applets\applets
Status: Locked to the Windows API!

Path: E:\WINDOWS\ime\imjp8_1\applets\applets
Status: Locked to the Windows API!

Path: E:\WINDOWS\ime\imkr6_1\applets\applets
Status: Locked to the Windows API!

Path: E:\WINDOWS\ime\imkr6_1\dicts\dicts
Status: Locked to the Windows API!

Path: E:\WINDOWS\ime\shared\res\res
Status: Locked to the Windows API!

Path: E:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Status: Locked to the Windows API!

Path: E:\WINDOWS\Sun\Java\Deployment\Deployment
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\drivers\disdn\disdn
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\LogFiles\WUDF\WUDF
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\mui\dispspec\dispspec
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\oobe\sample\sample
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\Macromed\update\update
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\wbem\snmp\snmp
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\spool\PRINTERS\PRINTERS
Status: Locked to the Windows API!

Path: E:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps
Status: Locked to the Windows API!

Path: E:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Status: Locked to the Windows API!

Path: E:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Status: Locked to the Windows API!

Path: E:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Status: Locked to the Windows API!

Path: E:\WINDOWS\pchealth\helpctr\Temp\Temp
Status: Locked to the Windows API!

Path: E:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
Status: Locked to the Windows API!

Path: E:\WINDOWS\SoftwareDistribution\Download\6913c676e5d33978934caa46c49fdc75\backup\backup
Status: Locked to the Windows API!

Path: E:\WINDOWS\SoftwareDistribution\Download\07a96de176867bc25b7dc839d22b07e2\backup\backup
Status: Locked to the Windows API!

Path: E:\WINDOWS\SoftwareDistribution\Download\0dd0244816ffb4b094c1caba4c3b1178\backup\backup
Status: Locked to the Windows API!

Path: E:\WINDOWS\SoftwareDistribution\Download\b7f0b2892b21211a5630518d058f48d9\backup\backup
Status: Locked to the Windows API!

Path: E:\WINDOWS\SoftwareDistribution\Download\d48a3b967ba5709df048e8f2a49cf8a6\backup\backup
Status: Locked to the Windows API!

Path: E:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\oobe\html\oemcust\oemcust
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\oobe\html\oemhw\oemhw
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\oobe\html\oemreg\oemreg
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\config\systemprofile\Desktop\Desktop
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\wbem\mof\bad\bad
Status: Locked to the Windows API!

Path: E:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Status: Locked to the Windows API!

Path: E:\WINDOWS\pchealth\helpctr\System\News\News
Status: Locked to the Windows API!

Path: e:\documents and settings\hugh\favorites\firearms\support\pierre lemieux a nation of licence holders.url
Status: Allocation size mismatch (API: 4096, Raw: 416)

Path: E:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz
Status: Locked to the Windows API!

Path: E:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib
Status: Locked to the Windows API!

Path: E:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\config\systemprofile\Application Data\Symantec\Symantec
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys
Status: Locked to the Windows API!

Path: E:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B}
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\config\systemprofile\Application Data\You've Got Pictures Screensaver\PictureDir\PictureDir
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\config\systemprofile\My Documents\CCWin\Address Book\Address Book
Status: Locked to the Windows API!

Path: e:\documents and settings\hugh\my documents\torrents\completed\nin\year zero [2007]\00-nine_inch_nails-year_zero-2007-read_nfo-nin.sfv
Status: Allocation size mismatch (API: 65536, Raw: 512)

Path: E:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1276810749-2307341310-3379868011-1003\S-1-5-21-1276810749-2307341310-3379868011-1003
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\BVRP Software\NetWaiting\NetWaiting
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Crypto\RSA\S-1-5-21-1276810749-2307341310-3379868011-1003\S-1-5-21-1276810749-2307341310-3379868011-1003
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1276810749-2307341310-3379868011-1003\S-1-5-21-1276810749-2307341310-3379868011-1003
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003
Status: Locked to the Windows API!

Path: E:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\javaws\cache\cache
Status: Locked to the Windows API!

Path: E:\Documents and Settings\Hugh\Local Settings\Application Data\Microsoft\Messenger\psychopackrat@hotmail.com\SharingMetadata\ilovepotatos@hotmail.com\DFSR\Staging\CS{BA1A6811-1ACB-AC52-4E5E-F0CF72689A2A}\14\14-{8ABE16E4-4E2D-4455-A1F1-D805ECA5B9CC}-v14-{8ABE16E4-4E2D-4455-A1F1-D805ECA5B9CC}-v14-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: E:\Documents and Settings\Hugh\Local Settings\Application Data\Microsoft\Messenger\psychopackrat@hotmail.com\SharingMetadata\ilovepotatos@hotmail.com\DFSR\Staging\CS{BA1A6811-1ACB-AC52-4E5E-F0CF72689A2A}\15\15-{8ABE16E4-4E2D-4455-A1F1-D805ECA5B9CC}-v15-{8ABE16E4-4E2D-4455-A1F1-D805ECA5B9CC}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: E:\Documents and Settings\Hugh\Local Settings\Application Data\Microsoft\Messenger\psychopackrat@hotmail.com\SharingMetadata\ilovepotatos@hotmail.com\DFSR\Staging\CS{BA1A6811-1ACB-AC52-4E5E-F0CF72689A2A}\16\16-{8ABE16E4-4E2D-4455-A1F1-D805ECA5B9CC}-v16-{8ABE16E4-4E2D-4455-A1F1-D805ECA5B9CC}-v16-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: E:\Documents and Settings\Hugh\Local Settings\Application Data\Microsoft\Messenger\psychopackrat@hotmail.com\SharingMetadata\ilovepotatos@hotmail.com\DFSR\Staging\CS{BA1A6811-1ACB-AC52-4E5E-F0CF72689A2A}\17\17-{8A~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: E:\Documents and Settings\Hugh\Local Settings\Application Data\Microsoft\Messenger\psychopackrat@hotmail.com\SharingMetadata\ilovepotatos@hotmail.com\DFSR\Staging\CS{BA1A6811-1ACB-AC52-4E5E-F0CF72689A2A}\18\18-{8ABE16E4-4E2D-4455-A1F1-D805ECA5B9CC}-v18-{8ABE16E4-4E2D-4455-A1F1-D805ECA5B9CC}-v18-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: E:\Documents and Settings\Hugh\Local Settings\Application Data\Microsoft\Messenger\psychopackrat@hotmail.com\SharingMetadata\ilovepotatos@hotmail.com\DFSR\Staging\CS{BA1A6811-1ACB-AC52-4E5E-F0CF72689A2A}\19\19-{8A~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: E:\Documents and Settings\Hugh\Local Settings\Application Data\Microsoft\Messenger\psychopackrat@hotmail.com\SharingMetadata\ilovepotatos@hotmail.com\DFSR\Staging\CS{BA1A6811-1ACB-AC52-4E5E-F0CF72689A2A}\20\20-{8ABE16E4-4E2D-4455-A1F1-D805ECA5B9CC}-v20-{8ABE16E4-4E2D-4455-A1F1-D805ECA5B9CC}-v20-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: E:\Documents and Settings\Hugh\Local Settings\Application Data\Microsoft\Messenger\psychopackrat@hotmail.com\SharingMetadata\ilovepotatos@hotmail.com\DFSR\Staging\CS{BA1A6811-1ACB-AC52-4E5E-F0CF72689A2A}\21\21-{8ABE16E4-4E2D-4455-A1F1-D805ECA5B9CC}-v21-{8ABE16E4-4E2D-4455-A1F1-D805ECA5B9CC}-v21-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: E:\Documents and Settings\Hugh\Local Settings\Application Data\Microsoft\Messenger\psychopackrat@hotmail.com\SharingMetadata\ilovepotatos@hotmail.com\DFSR\Staging\CS{BA1A6811-1ACB-AC52-4E5E-F0CF72689A2A}\22\22-{8ABE16E4-4E2D-4455-A1F1-D805ECA5B9CC}-v22-{8ABE16E4-4E2D-4455-A1F1-D805ECA5B9CC}-v22-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: E:\Documents and Settings\Hugh\Local Settings\Application Data\Microsoft\Messenger\psychopackrat@hotmail.com\SharingMetadata\mr_pink14@hotmail.com\DFSR\Staging\CS{1515329E-9209-6DEA-9D36-7A57BC5C662F}\66\66-{69345079-B3DB-4291-A3C5-B0B44AA3E9E1}-v66-{69345079-B3DB-4291-A3C5-B0B44AA3E9E1}-v66-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: E:\Documents and Settings\Hugh\Local Settings\Application Data\Microsoft\Messenger\psychopackrat@hotmail.com\SharingMetadata\trackgirl88@hotmail.com\DFSR\Staging\CS{2FE15F7D-342C-2483-BEAC-9B55BD59A869}\14\14-{58~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: E:\Documents and Settings\Hugh\Local Settings\Application Data\Microsoft\Messenger\psychopackrat@hotmail.com\SharingMetadata\trackgirl88@hotmail.com\DFSR\Staging\CS{2FE15F7D-342C-2483-BEAC-9B55BD59A869}\15\15-{58~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: E:\Documents and Settings\Hugh\Local Settings\Application Data\Microsoft\Messenger\psychopackrat@hotmail.com\SharingMetadata\trackgirl88@hotmail.com\DFSR\Staging\CS{2FE15F7D-342C-2483-BEAC-9B55BD59A869}\25\97-{8A~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeef9ef0

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeef81b0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeeb6b0

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeef9c20

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeef9d90

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeefa9f0

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeefa4c0

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeefb310

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeeb7b0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeeb830

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeefa090

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeeb8e0

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeeb990

#: 079 Function Name: NtFlushKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeeba40

#: 092 Function Name: NtInitializeRegistry
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeebac0

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeef7d10

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeec4e0

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeebae0

#: 111 Function Name: NtNotifyChangeKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeebbc0

#: 116 Function Name: NtOpenFile
Status: Hooked by "kl1.sys" at address 0xf74cc030

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeebca0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeef9a10

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeefa820

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeebd80

#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeebe30

#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeefafc0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeebee0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeebfc0

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeef8790

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeec050

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeefb2c0

#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeec250

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeefb640

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeefbc60

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeec2e0

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeef68f0

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeefa6a0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeec380

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeefb270

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeef8070

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeefae10

#: 263 Function Name: NtUnloadKey
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeeec4a0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeef9f50

Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x86b8f020, TID: 136]
Process: avp.exe (PID: 128) Address: 0x00420618 Size: -

Object: Hidden Thread [ETHREAD: 0x86baada8, TID: 164]
Process: avp.exe (PID: 128) Address: 0x77df3539 Size: -

Object: Hidden Thread [ETHREAD: 0x86b8e020, TID: 188]
Process: avp.exe (PID: 128) Address: 0x00000000 Size: -

Object: Hidden Thread [ETHREAD: 0x86b80468, TID: 232]
Process: avp.exe (PID: 128) Address: 0x30322bf0 Size: -

Object: Hidden Thread [ETHREAD: 0x86b26968, TID: 612]
Process: avp.exe (PID: 128) Address: 0x03913392 Size: -

Object: Hidden Thread [ETHREAD: 0x86b1b528, TID: 644]
Process: avp.exe (PID: 128) Address: 0x68101131 Size: -

Object: Hidden Thread [ETHREAD: 0x86ad5020, TID: 1408]
Process: avp.exe (PID: 128) Address: 0x68001aaa Size: -

Object: Hidden Thread [ETHREAD: 0x86a7fda8, TID: 1500]
Process: avp.exe (PID: 128) Address: 0x00ea20de Size: -

Object: Hidden Thread [ETHREAD: 0x868b1528, TID: 2712]
Process: avp.exe (PID: 128) Address: 0x00000000 Size: -

Object: Hidden Thread [ETHREAD: 0x8686b518, TID: 2772]
Process: avp.exe (PID: 128) Address: 0x00000000 Size: -

Object: Hidden Thread [ETHREAD: 0x868ac478, TID: 2796]
Process: avp.exe (PID: 128) Address: 0x035f65a1 Size: -

Object: Hidden Thread [ETHREAD: 0x86925da8, TID: 2824]
Process: avp.exe (PID: 128) Address: 0x68001aaa Size: -

Object: Hidden Thread [ETHREAD: 0x86879968, TID: 2828]
Process: avp.exe (PID: 128) Address: 0x3094baf2 Size: -

Object: Hidden Thread [ETHREAD: 0x8686b7a0, TID: 2832]
Process: avp.exe (PID: 128) Address: 0x68001aaa Size: -

Object: Hidden Thread [ETHREAD: 0x868d37a0, TID: 2836]
Process: avp.exe (PID: 128) Address: 0x68001aaa Size: -

Object: Hidden Thread [ETHREAD: 0x868857a0, TID: 2844]
Process: avp.exe (PID: 128) Address: 0x7c927edb Size: -

Object: Hidden Thread [ETHREAD: 0x8688e7a0, TID: 2852]
Process: avp.exe (PID: 128) Address: 0x7c929b8f Size: -

Object: Hidden Thread [ETHREAD: 0x868b3978, TID: 2860]
Process: avp.exe (PID: 128) Address: 0x68001aaa Size: -

Object: Hidden Thread [ETHREAD: 0x86951540, TID: 2864]
Process: avp.exe (PID: 128) Address: 0x6dfe24b0 Size: -

Object: Hidden Thread [ETHREAD: 0x86ba4528, TID: 3000]
Process: avp.exe (PID: 128) Address: 0x6a104ad0 Size: -

Object: Hidden Thread [ETHREAD: 0x869bd7a0, TID: 3040]
Process: avp.exe (PID: 128) Address: 0x6a104590 Size: -

Object: Hidden Thread [ETHREAD: 0x868cd020, TID: 3084]
Process: avp.exe (PID: 128) Address: 0x68001aaa Size: -

Object: Hidden Thread [ETHREAD: 0x86b5f8d0, TID: 3224]
Process: avp.exe (PID: 128) Address: 0x769c8761 Size: -

Object: Hidden Thread [ETHREAD: 0x865cd020, TID: 2404]
Process: avp.exe (PID: 128) Address: 0x77e76c7d Size: -

Object: Hidden Thread [ETHREAD: 0x85bd6da8, TID: 1684]
Process: avp.exe (PID: 128) Address: 0x68001aaa Size: -

Object: Hidden Thread [ETHREAD: 0x8638bcd0, TID: 4000]
Process: avp.exe (PID: 128) Address: 0x68001aaa Size: -

Object: Hidden Thread [ETHREAD: 0x8696ac98, TID: 3268]
Process: avp.exe (PID: 128) Address: 0x68001aaa Size: -

Object: Hidden Thread [ETHREAD: 0x86bbc658, TID: 3928]
Process: avp.exe (PID: 128) Address: 0x68001aaa Size: -

Object: Hidden Thread [ETHREAD: 0x868e2020, TID: 784]
Process: avp.exe (PID: 128) Address: 0x68001aaa Size: -

Object: Hidden Thread [ETHREAD: 0x8649aae8, TID: 3684]
Process: avp.exe (PID: 128) Address: 0x68001aaa Size: -

Object: Hidden Thread [ETHREAD: 0x8658ac48, TID: 3168]
Process: avp.exe (PID: 128) Address: 0x68001aaa Size: -

Object: Hidden Thread [ETHREAD: 0x8696eb98, TID: 1768]
Process: avp.exe (PID: 1696) Address: 0x00420618 Size: -

Object: Hidden Thread [ETHREAD: 0x8691eda8, TID: 1928]
Process: avp.exe (PID: 1696) Address: 0x30322bf0 Size: -

Object: Hidden Thread [ETHREAD: 0x86a1aa30, TID: 1956]
Process: avp.exe (PID: 1696) Address: 0x00000000 Size: -

Object: Hidden Thread [ETHREAD: 0x86930da8, TID: 1960]
Process: avp.exe (PID: 1696) Address: 0x68001aaa Size: -

Object: Hidden Thread [ETHREAD: 0x8698d8a8, TID: 2192]
Process: avp.exe (PID: 1696) Address: 0x68001aaa Size: -

Object: Hidden Thread [ETHREAD: 0x868997a0, TID: 2932]
Process: avp.exe (PID: 1696) Address: 0x68001aaa Size: -

Object: Hidden Thread [ETHREAD: 0x86a8f2d0, TID: 3068]
Process: avp.exe (PID: 1696) Address: 0x68001aaa Size: -

Object: Hidden Thread [ETHREAD: 0x8693d020, TID: 2520]
Process: avp.exe (PID: 1696) Address: 0x68001aaa Size: -

Object: Hidden Thread [ETHREAD: 0x8693a020, TID: 304]
Process: avp.exe (PID: 1696) Address: 0x72d230e8 Size: -

Object: Hidden Thread [ETHREAD: 0x8698d020, TID: 1412]
Process: avp.exe (PID: 1696) Address: 0x76b44dca Size: -

Object: Hidden Thread [ETHREAD: 0x86951020, TID: 3488]
Process: avp.exe (PID: 1696) Address: 0x00000000 Size: -

Object: Hidden Thread [ETHREAD: 0x85d5ed20, TID: 2768]
Process: avp.exe (PID: 1696) Address: 0x00000000 Size: -

Object: Hidden Code [ETHREAD: 0x86edd640]
Process: System Address: 0x86d087a0 Size: 83

Object: Hidden Code [ETHREAD: 0x86edd360]
Process: System Address: 0x86d087a0 Size: 83

Object: Hidden Code [ETHREAD: 0x86edbb80]
Process: System Address: 0x86cd8a30 Size: 83

Object: Hidden Code [ETHREAD: 0x86f3cda8]
Process: System Address: 0x86cd8a30 Size: 83

Object: Hidden Code [ETHREAD: 0x86f41748]
Process: System Address: 0x86cd8a30 Size: 83

Object: Hidden Code [ETHREAD: 0x86bcc7a0]
Process: System Address: 0x867540b0 Size: 83

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeef7f40

#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeef8870

#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeef78e0

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeef6800

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeef6880

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeef6840

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\drivers\klif.sys" at address 0xeeef77e0

#: 475 Function Name: NtUserPostMessage
Stat==EOF==

#6 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:54 PM

Posted 25 August 2009 - 11:58 AM

I want to run another rootkit scan. . . there are some unusual entries here. Let's do this.

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
~Blade


In your next reply, please include the following:
GMER log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#7 itparttimer

itparttimer
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:54 PM

Posted 25 August 2009 - 12:46 PM

I've been doing all my scans as a slave; the infected drive is the slave.
This time, I thought I would try connecting it back to the laptop and trying GMER.
GMER runs for a bit; I think it found some bad things, there were red lines of text... and then it just closed.
Same problem with Malwarebytes, but it ran longer. Should I try scanning as a slave?

#8 Blade

Posted 25 August 2009 - 01:10 PM

If we can, we need to run the scans directly. If the malware is not active it could be nearly impossible to detect. For now, don't scan the drive as a slave. If we have to resort to that I'll let you know.

Hold off on GMER for now; let's go back to RootRepeal. Can you generate a drivers log only please? This can be done by clicking on the Drivers tab and clicking scan. Do the same with Hidden Services, and then try Files. I expect you probably won't be able to do the Files scan, but hopefully the other two should come out okay.

~Blade


In your next reply, please include the following:
RootRepeal logs



#9 itparttimer

Posted 25 August 2009 - 01:29 PM

Ok, did all 3 and here are the results.
I couldn't complete the file scan, as you said; there were zero hidden services, so the only log I can post is the Driver log.
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/25 11:26
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xF8562000 Size: 57344 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF83C3000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: AegisP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AegisP.sys
Address: 0xAA47D000 Size: 15264 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xAA67C000 Size: 138496 File Visible: - Signed: -
Status: -

Name: Apfiltr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
Address: 0xF7658000 Size: 105472 File Visible: - Signed: -
Status: -

Name: APPDRV.SYS
Image Path: C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
Address: 0xF8996000 Size: 16128 File Visible: - Signed: -
Status: -

Name: arp1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Address: 0xF8682000 Size: 60800 File Visible: - Signed: -
Status: -

Name: ASCTRM.SYS
Image Path: C:\WINDOWS\System32\Drivers\ASCTRM.SYS
Address: 0xF8A68000 Size: 7488 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF835D000 Size: 96512 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF8BB0000 Size: 3072 File Visible: - Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xF890A000 Size: 16384 File Visible: - Signed: -
Status: -

Name: bcm4sbxp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
Address: 0xF8762000 Size: 44928 File Visible: - Signed: -
Status: -

Name: bdftdif.sys
Image Path: C:\Program Files\Common Files\BitDefender\BitDefender Firewall\bdftdif.sys
Address: 0xAA6EC000 Size: 130560 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF8A26000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF8902000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF7D71000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF85C2000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF8532000 Size: 53248 File Visible: - Signed: -
Status: -

Name: CmBatt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Address: 0xF89BA000 Size: 13952 File Visible: - Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xF8906000 Size: 10240 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF8522000 Size: 36352 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF8592000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dsunidrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
Address: 0xF8A6A000 Size: 5376 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA501000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A36000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF75AA000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF8B71000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF7DA1000 Size: 44544 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF833D000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF8A24000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF8375000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys
Address: 0xF85E2000 Size: 40960 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806D0000 Size: 131840 File Visible: - Signed: -
Status: -

Name: HSF_CNXT.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Address: 0xF7672000 Size: 685056 File Visible: - Signed: -
Status: -

Name: HSF_DP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
Address: 0xF771A000 Size: 1041536 File Visible: - Signed: -
Status: -

Name: HSFHWICH.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
Address: 0xF7819000 Size: 200064 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xA9986000 Size: 264832 File Visible: - Signed: -
Status: -

Name: i2omgmt.SYS
Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xF81EF000 Size: 8576 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF85A2000 Size: 52480 File Visible: - Signed: -
Status: -

Name: ialmdd5.DLL
Image Path: C:\WINDOWS\System32\ialmdd5.DLL
Address: 0xBF075000 Size: 925696 File Visible: - Signed: -
Status: -

Name: ialmdev5.DLL
Image Path: C:\WINDOWS\System32\ialmdev5.DLL
Address: 0xBF041000 Size: 212992 File Visible: - Signed: -
Status: -

Name: ialmdnt5.dll
Image Path: C:\WINDOWS\System32\ialmdnt5.dll
Address: 0xBF020000 Size: 135168 File Visible: - Signed: -
Status: -

Name: ialmnt5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
Address: 0xF7C30000 Size: 1049056 File Visible: - Signed: -
Status: -

Name: ialmrnt5.dll
Image Path: C:\WINDOWS\System32\ialmrnt5.dll
Address: 0xBF012000 Size: 57344 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF85B2000 Size: 42112 File Visible: - Signed: -
Status: -

Name: intelide.sys
Image Path: intelide.sys
Address: 0xF89F6000 Size: 5504 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xF8752000 Size: 36352 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xAA6C6000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xAA765000 Size: 75264 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF84F2000 Size: 37248 File Visible: - Signed: -
Status: -

Name: iwca.sys
Image Path: C:\WINDOWS\system32\DRIVERS\iwca.sys
Address: 0xF761B000 Size: 249856 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF888A000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF89F2000 Size: 8192 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\drivers\ks.sys
Address: 0xF784A000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF8314000 Size: 92928 File Visible: - Signed: -
Status: -

Name: lmimirr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\lmimirr.sys
Address: 0xF8BAF000 Size: 3200 File Visible: - Signed: -
Status: -

Name: LMIRfsDriver.sys
Image Path: C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
Address: 0xAA211000 Size: 39168 File Visible: - Signed: -
Status: -

Name: LVPr2Mon.sys
Image Path: C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
Address: 0xF883A000 Size: 18688 File Visible: - Signed: -
Status: -

Name: mdmxsdk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Address: 0xAA189000 Size: 11840 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF8A28000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF887A000 Size: 30080 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF8882000 Size: 23040 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF8502000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xAA13C000 Size: 180608 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xAA5E1000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF88CA000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF8622000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF89DA000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF8240000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF825A000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF89C6000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xAA3AD000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF7604000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF8642000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF7DC1000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xAA69E000 Size: 162816 File Visible: - Signed: -
Status: -

Name: nic1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Address: 0xF8582000 Size: 61824 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF88D2000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF8287000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF8B3D000 Size: 2944 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF8552000 Size: 61696 File Visible: - Signed: -
Status: -

Name: omci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\omci.sys
Address: 0xF88AA000 Size: 17088 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF877A000 Size: 19712 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF83B2000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF8ABA000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF8772000 Size: 28672 File Visible: - Signed: -
Status: -

Name: pcmcia.sys
Image Path: pcmcia.sys
Address: 0xF8394000 Size: 120192 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF786D000 Size: 147456 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF75B2000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF889A000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF8542000 Size: 35712 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF81EB000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF85F2000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF8602000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF8612000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF88A2000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xAA651000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF8A2A000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF85D2000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9806000 Size: 49152 File Visible: No Signed: -
Status: -

Name: s24trans.sys
Image Path: C:\WINDOWS\system32\DRIVERS\s24trans.sys
Address: 0xAA479000 Size: 10432 File Visible: - Signed: -
Status: -

Name: sdbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\sdbus.sys
Address: 0xF7BE4000 Size: 79232 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF832B000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xA9FFA000 Size: 333952 File Visible: - Signed: -
Status: -

Name: STAC97.sys
Image Path: C:\WINDOWS\system32\drivers\STAC97.sys
Address: 0xF7891000 Size: 272896 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF8A1A000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xA9CCA000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xAA70C000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF8892000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF8632000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF7416000 Size: 384768 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF8A20000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF8872000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF8662000 Size: 59520 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF7BF8000 Size: 147456 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF886A000 Size: 20608 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF88C2000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF7C1C000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF8512000 Size: 52352 File Visible: - Signed: -
Status: -

Name: w29n51.sys
Image Path: C:\WINDOWS\system32\DRIVERS\w29n51.sys
Address: 0xA93F6000 Size: 3210496 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF8672000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF88E2000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xA9BD5000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF879A000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF8722000 Size: 61440 File Visible: No Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF89F4000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

#10 Blade

Posted 25 August 2009 - 01:37 PM

Driver log gave me what I needed to confirm; there's a rootkit present on the machine. With the information you have provided I believe you will need help from the malware removal team. Please read the information about getting started. After you have followed the steps in that guide, I would like you to start a new thread HERE and include a link to this thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. The HJT team is very busy, so it could be several days before you receive a reply. But rest assured, help is on the way!

A note: the logs won't be accurate if you scan them with the drive as a slave. . . so you'll have to continue running the tools directly on the laptop. If DDS fails, reply back here for further instruction before creating the new topic.

~Blade

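Reading the driver log the way a rootkit-log reviewer does, as an added example that is neither the thread's nor RootRepeal's code: a small Python triage that parses RootRepeal driver records and flags entries loaded from an NTFS alternate data stream or reported as not visible on disk, while allowing the scanner's own driver and the dump_* crash-dump copies that are invisible by design. The sample report is a constructed excerpt using entries copied from the log above; the triage rules are this example's own heuristics, not verdicts RootRepeal emits.

```python
"""Triage the Drivers section of a RootRepeal report.

Added example; not part of the forum thread and not RootRepeal's own code.
SAMPLE_REPORT is a constructed excerpt in RootRepeal's layout, built from entries
copied out of the driver log posted above; the triage rules are this example's
own heuristics, not verdicts that RootRepeal emits.
"""
import re
from dataclasses import dataclass

SAMPLE_REPORT = r"""
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA501000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9806000 Size: 49152 File Visible: No Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xAA70C000 Size: 361600 File Visible: - Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF879A000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF8722000 Size: 61440 File Visible: No Signed: -
Status: -
"""

# One Drivers-section record: four lines, records separated by a blank line.
DRIVER_RE = re.compile(
    r"^Name: (?P<name>.+)\nImage Path: (?P<path>.+)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) "
    r"File Visible: (?P<visible>\S+) Signed: \S+\nStatus: (?P<status>.+)$",
    re.MULTILINE,
)

# RootRepeal reports these as invisible by design: its own driver, and the
# in-memory crash-dump copies Windows keeps of the boot storage stack.
EXPECTED_INVISIBLE = ("rootrepeal.sys", "dump_")


@dataclass(frozen=True)
class Driver:
    name: str
    path: str
    address: int
    size: int
    visible: bool  # False when the report says "File Visible: No"
    status: str


def parse_drivers(report: str) -> list[Driver]:
    """Pull every Drivers-section record out of a RootRepeal report."""
    return [
        Driver(m["name"], m["path"], int(m["addr"], 16), int(m["size"]),
               m["visible"].lower() != "no", m["status"])
        for m in DRIVER_RE.finditer(report)
    ]


def loaded_from_ads(d: Driver) -> bool:
    """True when the image path names an NTFS alternate data stream (file:stream):
    any colon past the "C:" drive designator is a stream no directory listing shows."""
    body = d.path[2:] if re.match(r"[A-Za-z]:", d.path) else d.path
    return ":" in body


def triage_drivers(report: str) -> dict[str, list[str]]:
    """Map each suspicious driver name to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for d in parse_drivers(report):
        reasons = []
        if loaded_from_ads(d):
            reasons.append("image is an NTFS alternate data stream")
        if not d.visible and not d.name.lower().startswith(EXPECTED_INVISIBLE):
            reasons.append("file not visible on disk")
        if reasons:
            findings[d.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_drivers(SAMPLE_REPORT).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On the sample it flags win32k.sys:1 and win32k.sys:2 on both counts and leaves the other three entries alone.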


#11 itparttimer

Posted 25 August 2009 - 01:47 PM

Thanks for the fast replies, Blade.
I've been trying to run DDS, but it seems stuck. The black window came up
and it said it shouldn't take more than 3 minutes... but it's taken about 7, I think.
I'm guessing it's not working?

EDIT: Yea, it's been staying at that screen for a loonngg time now. It's stuck. DDS doesn't work T_T

Edited by itparttimer, 25 August 2009 - 02:00 PM.


#12 Blade

Posted 25 August 2009 - 02:11 PM

In lieu of DDS, try RSIT.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).



#13 itparttimer

Posted 25 August 2009 - 02:31 PM

I tried to run RSIT; it started to run... then it closed. I tried double clicking RSIT.exe again, and now the message
"Windows cannot access the specified device, path, or file. You may not have appropriate permissions to access the item."
appears, which also appeared for Malwarebytes when it closed and I tried to run it again... T_T

#14 Blade

Posted 25 August 2009 - 03:06 PM

One more alternative to try.

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
~Blade



#15 Bobz_Pop

Bobz_Pop

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hampton Roads, VA
  • Local time:09:54 PM

Posted 25 August 2009 - 03:12 PM

Not sure if this has been tried, but a couple of other times it worked for me. Did you try to run a full Malwarebytes scan in Safe Mode with System Restore off?



