
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item. Search & destroy\spybotsd.


This topic is locked
13 replies to this topic

#1 sinaknows

  • Members
  • 10 posts

Posted 27 August 2009 - 12:04 AM

Hi,

Ok, for the past few days my system has been giving me grief. I made the mistake of clicking on a file uploaded to RapidShare and after downloading it, the file disappeared in the blink of an eye (I kid you not). So I downloaded it again and clicked on the file through the download manager and it disappeared again. Weird. I also noticed when the computer is just idle (when I'm not using it) the IE browser would pop up on its own with two windows of ads. Now, IE is on my system but I don't use it - I am a faithful Firefox user at the moment. Anyway, I strongly believe that RapidShare file is the problem. But it could be something else I guess. Come to think about it, it might be something else because I also clicked on four JPG images from an email a client of mine sent me (I think by mistake though) and the images wouldn't open either for some strange reason. I've never had a problem opening up JPG files before.

I have also downloaded and installed Spybot, Spywareblaster, and TrendMicro software. SpywareBlaster is actually working. But the other two I get the message when attempting to open them: Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item. Search & destroy\spybotsd. What the heck does that mean? Furthermore, I turned on my Windows Firewall some minutes ago. I use Windows XP SVPack 3.

Moreover, I have done everything outlined on the "Preparation Guide for use before posting about your potential Malware problem" page and my system is just jacked up. I downloaded the software recommended on that page and ran it only for it to simply crash within seconds. So, I am unable to post up the results it would've generated had it not crashed on me. I don't know if you all will be able to help me without the logs. Hmmm...but I hope you all can. Or maybe I should just re-install the OS. Would that work? Oh, and my "System Restore" points won't even work anymore.

Please help me and my sick PC.

Edited by sinaknows, 27 August 2009 - 12:13 AM.




#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,804 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 27 August 2009 - 11:23 AM

Your topic has been moved to the Am I Infected forum so we can assist you in producing a log for the HiJack This forum. ~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 sinaknows
  • Topic Starter

  • Members
  • 10 posts

Posted 27 August 2009 - 01:31 PM

Oh, I was wondering why my post was moved to this section of the forum. Ok great! Thanks. I'll keep checking back.

#4 sinaknows
  • Topic Starter

  • Members
  • 10 posts

Posted 31 August 2009 - 05:35 PM

Just wondering what the typical timeframe is before I will get assistance for my sick pc?

Furthermore, I found some information (seemed to be similar to my issue) on the forum about renaming the security programs exe:

http://www.bleepingcomputer.com/forums/t/252130/mbam-dr-web-hijack-this-wont-run-infected/

On that thread, I did what Straythe and Computer Pro suggested and still the Malware software crashes in the middle of scanning (within a minute of starting the scan). Then when I try to run the software again, I get the same message as I got days ago:

Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

So now I am currently doing what DaChew suggested to the OP of that thread and running Sophos Anti-rootkit. I am still waiting for the scan to complete. After that I won't know what to do though.

Wouldn't it be easier to just re-install my OS? Wouldn't that get rid of this crazy issue I'm having?

Thanks for your time.

Edited by sinaknows, 31 August 2009 - 05:37 PM.


#5 Straythe

  • Members
  • 124 posts
  • Gender:Not Telling

Posted 31 August 2009 - 08:13 PM

Hello; sorry that you've waited so long. It's gotten really crazy here with all the new rootkit infections.

If you're considering a reinstall, know that you would have to completely reformat your hard drive and wipe it of all data to be certain the infection is gone. Depending on your particular case, that might be the quickest way to go, and it's also the safest. It's up to you to decide if that's your best option, if you have all your data safely backed up and can restore your programs from known clean installers. It also depends on whether you use that computer for sensitive work such as online banking, storing financial information, or anything involving client confidentiality.

If you can get the Sophos log posted, that at least will help determine what the infection actually is, and thus a better idea of how difficult it will be to repair. There are some other scanners that the staff can use if Sophos doesn't work. But *if* your infection, once identified, cannot be cleared in the AII forum, then you need to know that the HJT forum is backed up for several days dealing with these rootkits. Each one needs a customized solution, and they go through several steps of back and forth to accomplish the job.

This article might be helpful:

When should I reformat? How should I reinstall?

Please do post the Sophos log and we'll see what we can do.

Good luck - Straythe
***"When you surround an enemy, leave an outlet free [...] to make him believe there is a road to safety, and thus prevent his fighting with the courage of despair." Sun Tzu ***

#6 sinaknows
  • Topic Starter

  • Members
  • 10 posts

Posted 31 August 2009 - 09:05 PM

Hey Straythe,

No prob. I appreciate you taking the time to share your thoughts. Well the Sophos program was nearly completed when CRASH!! My whole system just cut-off; all those hours waiting and being hopeful. So I rebooted and here I am giving an update of my system failing to hold on. It's obviously getting worse by the day (more like second). I did manage to see that it detected a lot of "unknown" files (whatever that means). Dang! I really didn't want to lose all my files, but I guess I have no other option.

Again, thanks.

#7 Straythe

  • Members
  • 124 posts
  • Gender:Not Telling

Posted 31 August 2009 - 09:14 PM

There might be a Sophos log in your Documents and Settings, with luck...

If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.


Also - have you tried either RootRepeal or GMER yet?

-Straythe

Edited by Straythe, 31 August 2009 - 09:15 PM.


#8 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 31 August 2009 - 09:24 PM

Hello sinaknows and :thumbsup: to BleepingComputer

Sorry it's taken so long; as Straythe mentioned it's been really crazy here over the past week.

I'd like us to try scanning in a special way. Based on your symptoms, I suspect that you have one of the new rootkit variants that have been plaguing people recently. This scan will help to confirm that.

Please install RootRepeal
Note: Vista users, right click on the desktop icon and select "Run as Administrator."
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal on your desktop.
  • Click the "Drivers" tab, and then click the Scan button.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
~Blade


In your next reply, please include the following:
RootRepeal log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#9 sinaknows
  • Topic Starter

  • Members
  • 10 posts

Posted 31 August 2009 - 09:58 PM

There might be a Sophos log in your Documents and Settings, with luck...

If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.


Also - have you tried either RootRepeal or GMER yet?

-Straythe


Hey Straythe,

I found it :thumbsup:! How do you want me to send you the log?

To answer your question, yes, I have already run the RootRepeal only for the software to crash. Then when I tried to run it again, I received the error (title of this thread). But I can re-install it now and see what happens. GMER? What is that? I did install and run a DDS application and I get the same result as the RootRepeal.

Thanks.


To Blade:

Hi there and thanks for the welcome. I understand you guys are busy, so no prob. Great to see I'm next in line though :flowers:. I will be doing what you suggested with RootRepeal right now. I'll post an update when it's completed.

Thanks.

Edited by sinaknows, 31 August 2009 - 10:04 PM.


#10 sinaknows
  • Topic Starter

  • Members
  • 10 posts

Posted 31 August 2009 - 10:24 PM

ROOTREPEAL

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time:		2009/08/31 22:16
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP SP3
==================================================

Edited by sinaknows, 31 August 2009 - 10:31 PM.
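The kind of triage a helper does by eye on a RootRepeal Drivers section, written out as an added example (not code from the thread or from RootRepeal): it parses the tool's four-line entry layout (Name / Image Path / Address, Size, File Visible, Signed / Status) and flags entries whose backing file is hidden, whose name points into an NTFS alternate data stream, or which are driver objects with no image. The sample report is a constructed excerpt in that layout, and the allow-list of hidden-but-normal entries (the scanner's own driver and the dump_* crash-dump drivers) is my assumption.

```python
"""Triage pass over the Drivers section of a RootRepeal report.
Added example, not code from the thread or from RootRepeal. Entries are
flagged for manual review when the backing file is hidden, the name points
into an NTFS alternate data stream, or the driver object has no image.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Sample input in RootRepeal's four-line Drivers layout (constructed
# excerpt, embedded so the script runs offline).
SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:\t\t2009/08/31 22:16
Program Version:\t\tVersion 1.3.5.0
Windows Version:\t\tWindows XP SP3
==================================================
Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\\WINDOWS\\System32\\DRIVERS\\1394BUS.SYS
Address: 0xF8606000\tSize: 57344\tFile Visible: -\tSigned: -
Status: -

Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xF2F6C000\tSize: 98304\tFile Visible: No\tSigned: -
Status: -

Name: spnx.sys
Image Path: spnx.sys
Address: 0xF84D4000\tSize: 1052672\tFile Visible: No\tSigned: -
Status: -

Name: sptd
Image Path: \\Driver\\sptd
Address: 0x00000000\tSize: 0\tFile Visible: No\tSigned: -
Status: -

Name: win32k.sys:1
Image Path: C:\\WINDOWS\\win32k.sys:1
Address: 0xF3E87000\tSize: 20480\tFile Visible: No\tSigned: -
Status: -
"""

# Assumed allow-list: hidden entries that are normal on a healthy XP box,
# the scanner's own driver and the crash-dump copies of the storage stack
# that Windows loads under dump_* names with no file of that name on disk.
KNOWN_BENIGN_HIDDEN = {"rootrepeal.sys", "dump_atapi.sys", "dump_wmilib.sys"}

@dataclass
class DriverEntry:
    name: str
    image_path: str
    address: int
    size: int
    file_visible: str
    signed: str
    status: str

ENTRY_RE = re.compile(
    r"Name: (?P<name>[^\n]+)\n"
    r"Image Path: (?P<path>[^\n]*)\n"
    r"Address: 0x(?P<addr>[0-9A-Fa-f]+)\tSize: (?P<size>\d+)\t"
    r"File Visible: (?P<vis>[^\t\n]+)\tSigned: (?P<signed>[^\n]+)\n"
    r"Status: (?P<status>[^\n]*)"
)

def parse_drivers(report: str) -> list[DriverEntry]:
    """Return the entries of the Drivers section in report order."""
    _, sep, body = report.partition("\nDrivers\n")
    if not sep:
        return []
    return [DriverEntry(m["name"], m["path"], int(m["addr"], 16), int(m["size"]),
                        m["vis"].strip(), m["signed"].strip(), m["status"].strip())
            for m in ENTRY_RE.finditer(body)]

def triage(entries: list[DriverEntry]) -> list[tuple[str, str]]:
    """Pair each suspicious entry name with the reason it was flagged."""
    findings = []
    for e in entries:
        # A loaded driver whose file cannot be seen is the classic sign of
        # a rootkit hiding itself; vet the known-benign cases out first.
        if e.file_visible.lower() == "no" and e.name.lower() not in KNOWN_BENIGN_HIDDEN:
            findings.append((e.name, "backing file not visible on disk"))
        # A "file.sys:1" name lives in an NTFS alternate data stream.
        if re.search(r"\.\w+:\w+$", e.name):
            findings.append((e.name, "loaded from an alternate data stream"))
        # Address and size both zero: a driver object with no image.
        if e.address == 0 and e.size == 0:
            findings.append((e.name, "driver object with no image"))
    return findings

if __name__ == "__main__":
    for name, reason in triage(parse_drivers(SAMPLE_REPORT)):
        print(f"{name:<14} {reason}")
```

Every flagged entry still needs a person to decide what it is; the script only narrows a long listing down to the handful of lines worth that attention.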


#11 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 31 August 2009 - 10:28 PM

Looks like I was right. . . You have an active rootkit on your machine. With the information you have provided I believe you will need help from the malware removal team. Please read the information about getting started. After you have followed the steps in that guide, I would like you to start a new thread HERE and include a link to this thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. The HJT team is very busy, so it could be several days before you receive a reply. But rest assured, help is on the way!

Due to the nature of this infection it is likely that you will be unable to run traditional scanning utilities or run a full scan with RootRepeal as directed in the Preparation Guide linked above. If this is the case, you should still create your new thread in the HJT forum, but instead of DDS and full RootRepeal logs you should post your partial RootRepeal log (the one you just generated for me), as well as a log generated by this special utility. Note that the utility takes some time to run, so don't worry if it appears that nothing is happening.

Sorry I couldn't do more for you here; they'll be able to help in HJT.

~Blade




#12 sinaknows
  • Topic Starter

  • Members
  • 10 posts

Posted 01 September 2009 - 04:08 AM

Blade,

Ok I have done what I could with the steps in the guide and have posted a new thread here:

http://www.bleepingcomputer.com/forums/t/254187/infected-with-rootkit-site-redirections-mbam-trendmicro-spybot-and-ddsscr-crashes/

I forgot to run the Win32kDiag.exe and add the log. But am currently running the program now. So when that's done I'll update my post over on that new thread.

Thanks again for your help.

Edited by sinaknows, 01 September 2009 - 04:08 AM.


#13 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 01 September 2009 - 04:12 AM

Make sure you edit your post in the new thread to add your log. . . Do Not reply to it. You need to keep your thread at 0 replies so that it will be obvious that you still need help.




#14 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,804 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 01 September 2009 - 10:11 PM

Hello,

Now comes the hard part: waiting

Now that you have posted a log, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:



