
Too many problems to list...


20 replies to this topic

Poll: Rate my level of doom! (5 members have cast votes)

How screwed am I?

  1. 1-3 - not at all: 0 votes (0.00%)
  2. 4-6 - mildly: 0 votes (0.00%)
  3. 7-8 - start praying: 3 votes (60.00%)
  4. 9-10 - you're in hell: 1 vote (20.00%)
  5. 1,000,000...glad I'm not you!: 1 vote (20.00%)

#1 Mur (Members, 12 posts)

Posted 31 August 2009 - 05:58 PM

So, I want to start out saying that this website describes exactly how I feel. :thumbsup:

I have something evil living in my computer... I cannot open ANY anti-virus software, and cannot even install most of them. I tried to install one of Trend Micro's trials, and it said I was disconnected from the Internet WHILE I WAS STILL ON IT! It takes three back-and-forth clicks to open any Internet page via Google. It started out only blocking those applications that related to anti-virus, and then just went awry. SUPERAntiSpyware is the only thing that I can open (in alternate mode because it blocked the regular one), but it can't do a full scan before it just closes. It always finds a Rootkit.Agent/Gen-UACFake. Don't know what that is, but I figure you guys might. I am a clueless college student who desperately needs her computer, so this is all very frustrating since I do not know how to fix it.

My viral software had just run out, and of course, a few days later, I'm infected... :/ Any help would be appreciated while I can still access the Internet...

Edited by The weatherman, 31 August 2009 - 06:07 PM.
Moved from XP to a more appropriate forum. Tw




#2 Mur (Topic Starter, 12 posts)

Posted 31 August 2009 - 06:40 PM

This is the SAS (just learned this abbreviation! :D) log from when it ran the longest. It detected a trojan, and said it deleted it, but the rootkit still pops up and it doesn't get this far in scanning anymore. Hope this helps!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/30/2009 at 10:16 PM

Application Version : 4.27.1002

Core Rules Database Version : 4040
Trace Rules Database Version: 1980

Scan type : Custom Scan
Total Scan Time : 00:07:51

Memory items scanned : 458
Memory threats detected : 2
Registry items scanned : 65
Registry threats detected : 0
File items scanned : 3215
File threats detected : 17

Rootkit.Agent/Gen-UACFake
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACYSUPPQMWMD.DLL
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACYSUPPQMWMD.DLL
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACNEKXLBYAPY.DLL
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACNEKXLBYAPY.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Spenser\Cookies\spenser@www.pornflvs[1].txt
C:\Documents and Settings\Spenser\Cookies\spenser@ads.crakmedia[2].txt
C:\Documents and Settings\Spenser\Cookies\spenser@bs.serving-sys[2].txt
C:\Documents and Settings\Spenser\Cookies\spenser@doubleclick[1].txt
C:\Documents and Settings\Spenser\Cookies\spenser@revsci[2].txt
C:\Documents and Settings\Spenser\Cookies\spenser@serving-sys[2].txt
C:\Documents and Settings\Spenser\Cookies\spenser@ads.pointroll[2].txt
C:\Documents and Settings\Spenser\Cookies\spenser@www.gamestats[1].txt
C:\Documents and Settings\Spenser\Cookies\spenser@gamestats[2].txt
C:\Documents and Settings\Spenser\Cookies\spenser@atdmt[1].txt
C:\Documents and Settings\Carrie\Cookies\carrie@atdmt[2].txt
C:\Documents and Settings\Carrie\Cookies\carrie@doubleclick[2].txt
C:\Documents and Settings\Carrie\Cookies\carrie@overture[2].txt

Trojan.Downloader-Gen/A
C:\DOCUMENTS AND SETTINGS\SPENSER\LOCAL SETTINGS\TEMP\A.EXE

Trojan.Agent/Gen-NameThief[Smart]
C:\DOCUMENTS AND SETTINGS\SPENSER\LOCAL SETTINGS\TEMP\CMWXOEANSR.TMP
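The detail in this log worth reading is the `\?\GLOBALROOT\` prefix on the rootkit hits: the scanner reached those DLLs by opening them through the object manager's root rather than the ordinary `C:\` path, which is a strong sign the files were not reachable the normal way. The following is an added example, not code from the original post or from SUPERAntiSpyware, that parses a log in this layout and separates entries carrying rootkit-style indicators from tracking-cookie noise. The sample log is a constructed, trimmed copy of the one posted; the `UAC[A-Z]+` name pattern and the indicator list are assumptions of this example, not anything the scanner itself reports.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the layout of the log posted above: paths are the ones
# from the post, with the cookie list shortened.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/30/2009 at 10:16 PM

Application Version : 4.27.1002

Memory items scanned : 458
Memory threats detected : 2
File items scanned : 3215
File threats detected : 17

Rootkit.Agent/Gen-UACFake
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACYSUPPQMWMD.DLL
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACYSUPPQMWMD.DLL
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\UACNEKXLBYAPY.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Spenser\Cookies\spenser@doubleclick[1].txt
C:\Documents and Settings\Carrie\Cookies\carrie@atdmt[2].txt

Trojan.Downloader-Gen/A
C:\DOCUMENTS AND SETTINGS\SPENSER\LOCAL SETTINGS\TEMP\A.EXE

Trojan.Agent/Gen-NameThief[Smart]
C:\DOCUMENTS AND SETTINGS\SPENSER\LOCAL SETTINGS\TEMP\CMWXOEANSR.TMP
"""

# A path line: optional \?\GLOBALROOT\ device prefix, then a drive letter.
PATH_RE = re.compile(r"^(\\\?\\GLOBALROOT\\)?[A-Za-z]:\\")
# Assumption: the randomised names in the post are "UAC" plus a run of capital
# letters; treat that shape as the indicator rather than any fixed filename.
UAC_NAME_RE = re.compile(r"^UAC[A-Z]{6,}\.(DLL|SYS)$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\LOCAL SETTINGS\\TEMP\\", re.IGNORECASE)


@dataclass
class Finding:
    category: str
    path: str
    indicators: list = field(default_factory=list)


def parse_sas_log(text):
    """Return one Finding per unique (category, path) pair in the log."""
    findings, seen = [], set()
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        # A detection block is a threat name followed only by path lines;
        # header and counter blocks fail that test and are skipped.
        if len(lines) < 2 or not all(PATH_RE.match(ln) for ln in lines[1:]):
            continue
        for path in lines[1:]:
            key = (lines[0], path.upper())
            if key in seen:  # the log lists each rootkit DLL twice
                continue
            seen.add(key)
            findings.append(Finding(lines[0], path))
    return findings


def flag(finding):
    """Attach rootkit-style indicators to a finding and return them."""
    path, base = finding.path, finding.path.rsplit("\\", 1)[-1]
    ind = []
    if path.upper().startswith("\\?\\GLOBALROOT\\"):
        # The scanner reached the file through the object namespace root,
        # bypassing whatever was filtering the ordinary C:\ path.
        ind.append("reached via \\?\\GLOBALROOT (normal path filtered)")
    if UAC_NAME_RE.match(base):
        ind.append("randomised UAC* name in System32")
    if TEMP_RE.search(path) and base.upper().endswith((".EXE", ".TMP")):
        ind.append("executable or temp file dropped in user Temp")
    if finding.category.startswith("Rootkit."):
        ind.append("rootkit detection name")
    finding.indicators = ind
    return ind


def triage(text):
    """Separate findings that carry indicators from tracking-cookie noise."""
    findings = parse_sas_log(text)
    hot = [f for f in findings if flag(f)]
    return {
        "total": len(findings),
        "hot": hot,
        "by_category": Counter(f.category for f in findings),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['total']} unique findings, {len(result['hot'])} with indicators")
    for f in result["hot"]:
        print(f"  {f.category}: {f.path}\n    - " + "\n    - ".join(f.indicators))
```

On the sample the two `UAC*` DLLs and the two Temp drops come out flagged and the cookies drop to the bottom, which is the split a helper wants before deciding whether a clean is even worth attempting.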

#3 Blade (Site Admin, 12,702 posts, US)

Posted 31 August 2009 - 07:01 PM

Hello Mur and :thumbsup: to BleepingComputer.

Got several things to cover here; please read through it all before doing anything. Let me know if you have any questions.

First of all. . . we need to get you an antivirus.

Two good antivirus programs free for non-commercial home use are Avast! and AntiVir.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

If it helps, I use AntiVir. :flowers:

You need to get that Antivirus installed ASAP. If you are unable to get it installed, then for the time being you should disconnect your machine from the Internet. Being online without a working Antivirus is somewhat suicidal; you'll keep getting infected faster than we can clean you up. Use another machine to access the Internet and communicate with us here.

***************************************************

Next, if you are currently connecting to the Internet via the network of your university, you should alert the University IT department of a possible viral outbreak.

***************************************************

Okay, now let's see what we're dealing with here.

Please install RootRepeal
Note: Vista users, right-click on the desktop icon and select "Run as Administrator."
Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • At the top of the window, click Settings, then Options.
  • Click the Ssdt & Shadow Ssdt tab.
  • Make sure the box next to "Only display hooked functions." is checked.
  • Click the "X" in the top right corner of the Settings window to close it.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
~Blade


In your next reply, please include the following:
RootRepeal log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#4 Mur (Topic Starter, 12 posts)

Posted 31 August 2009 - 07:22 PM

Alright, downloaded and installed Avira. :]

But RootRepeal got shut down mid-scan like everything else. Avira was disabled at the time and Internet was disconnected. I can no longer access it. :thumbsup:

There is NO way to scan things. Or at least that's what it seems like.

#5 Mur (Topic Starter, 12 posts)

Posted 31 August 2009 - 07:46 PM

Okay, the computer just rebooted itself and a blue screen came up that said regrun root kill and that's all I caught. Help?

#6 Blade (Site Admin, 12,702 posts, US)

Posted 31 August 2009 - 08:26 PM

Alright. . . I think I know what's happening. We're going to try something sneaky. Please delete the copy of RootRepeal that you have already downloaded, and then follow the below instructions exactly as given. (If you can't delete RootRepeal for some reason, then when you download the new copy just save it somewhere else.)

Please install RootRepeal
Note: Vista users, right-click on the desktop icon and select "Run as Administrator."
Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan, including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal.exe on your desktop.
  • Click the "Drivers" tab, and then click the Scan button.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
~Blade


In your next reply, please include the following:
RootRepeal log



#7 Mur (Topic Starter, 12 posts)

Posted 31 August 2009 - 10:48 PM

Hahaha! I conquered... xD

It allowed me to scan that one. Here's the report on the drivers!

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/31 22:43
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: Aavmker4.SYS
Image Path: C:\WINDOWS\System32\Drivers\Aavmker4.SYS
Address: 0xF79AC000 Size: 19072 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF74AD000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2057600 File Visible: - Signed: -
Status: -

Name: aeaudio.sys
Image Path: C:\WINDOWS\system32\drivers\aeaudio.sys
Address: 0xF7B1A000 Size: 4384 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF57ED000 Size: 138368 File Visible: - Signed: -
Status: -

Name: agpkx.sys
Image Path: agpkx.sys
Address: 0xF764C000 Size: 44928 File Visible: - Signed: -
Status: -

Name: aliide.sys
Image Path: aliide.sys
Address: 0xF7AE0000 Size: 5248 File Visible: - Signed: -
Status: -

Name: AmdK8.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AmdK8.sys
Address: 0xF780C000 Size: 57344 File Visible: - Signed: -
Status: -

Name: aswFsBlk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys
Address: 0xF79DC000 Size: 32768 File Visible: - Signed: -
Status: -

Name: aswMon2.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswMon2.SYS
Address: 0xBA494000 Size: 87424 File Visible: - Signed: -
Status: -

Name: aswRdr.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswRdr.SYS
Address: 0xB9E23000 Size: 15136 File Visible: - Signed: -
Status: -

Name: aswSP.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswSP.SYS
Address: 0xF568E000 Size: 135168 File Visible: - Signed: -
Status: -

Name: aswTdi.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswTdi.SYS
Address: 0xF76BC000 Size: 41664 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF7465000 Size: 95360 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xF7C66000 Size: 3072 File Visible: - Signed: -
Status: -

Name: avgio.sys
Image Path: C:\Program Files\Avira\AntiVir Desktop\avgio.sys
Address: 0xF7B32000 Size: 6144 File Visible: - Signed: -
Status: -

Name: avgntflt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\avgntflt.sys
Address: 0xBAF74000 Size: 81920 File Visible: - Signed: -
Status: -

Name: avipbb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\avipbb.sys
Address: 0xF56AF000 Size: 114688 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7B22000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF79EC000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xBA552000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xF77EC000 Size: 49536 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF762C000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF761C000 Size: 36352 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF77CC000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5653000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B34000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF5931000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7C09000 Size: 4096 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xF566B000 Size: 143360 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xF7904000 Size: 27392 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF76FC000 Size: 34944 File Visible: - Signed: -
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xF7934000 Size: 20480 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF742D000 Size: 128896 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7B20000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF747D000 Size: 125056 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806CE000 Size: 131968 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xB9B9A000 Size: 262784 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xF77AC000 Size: 52736 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys
Address: 0xF77DC000 Size: 41856 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xF5837000 Size: 134912 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xF58B0000 Size: 74752 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF75DC000 Size: 35840 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xF78F4000 Size: 24576 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7ADC000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kl1.sys
Image Path: kl1.sys
Address: 0xF7300000 Size: 114688 File Visible: - Signed: -
Status: -

Name: klif.sys
Image Path: C:\WINDOWS\system32\drivers\klif.sys
Address: 0xF56CB000 Size: 241664 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\drivers\ks.sys
Address: 0xF6B88000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF7404000 Size: 92032 File Visible: - Signed: -
Status: -

Name: Lbd.sys
Image Path: Lbd.sys
Address: 0xF763C000 Size: 57472 File Visible: - Signed: -
Status: -

Name: m5289.sys
Image Path: m5289.sys
Address: 0xF760C000 Size: 51840 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF7B24000 Size: 4224 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xF78FC000 Size: 23040 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF75EC000 Size: 42240 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xBA03D000 Size: 179584 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xF5706000 Size: 453120 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF794C000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xF784C000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xF7AD0000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF731C000 Size: 107904 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF7337000 Size: 182912 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xF7ACC000 Size: 9600 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xBAF44000 Size: 12928 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xF6B4E000 Size: 91776 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF768C000 Size: 38016 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF76DC000 Size: 34560 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xF580F000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF7954000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7364000 Size: 574464 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2057600 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7C8E000 Size: 2944 File Visible: - Signed: -
Status: -

Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF9D5000 Size: 6111232 File Visible: - Signed: -
Status: -

Name: nv4_mini.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nv4_mini.sys
Address: 0xF6C77000 Size: 6557408 File Visible: - Signed: -
Status: -

Name: Partizan.sys
Image Path: Partizan.sys
Address: 0xF785C000 Size: 32224 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF786C000 Size: 18688 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF749C000 Size: 68224 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xF7864000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2057600 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF6BAB000 Size: 147456 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xF6B3D000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xF7924000 Size: 17792 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xF7A80000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xF781C000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xF782C000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xF783C000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xF792C000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2057600 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xF5775000 Size: 174592 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7B26000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xF77FC000 Size: 57472 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9C23000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\Product\SASDIFSV.SYS
Address: 0xF7984000 Size: 24576 File Visible: - Signed: -
Status: -

Name: SASKUTIL.sys
Image Path: C:\Program Files\Product\SASKUTIL.sys
Address: 0xF57A0000 Size: 151552 File Visible: - Signed: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\SCSIPORT.SYS
Address: 0xF744D000 Size: 98304 File Visible: - Signed: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xF7AC4000 Size: 15488 File Visible: - Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xF77BC000 Size: 64896 File Visible: - Signed: -
Status: -

Name: smwdm.sys
Image Path: C:\WINDOWS\system32\drivers\smwdm.sys
Address: 0xF6BCF000 Size: 602880 File Visible: - Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF741B000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xB9F73000 Size: 332928 File Visible: - Signed: -
Status: -

Name: ssmdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
Address: 0xF797C000 Size: 23040 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xF7B1C000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xBA542000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xF5858000 Size: 360320 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\drivers\TDI.SYS
Address: 0xF7874000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xF767C000 Size: 40704 File Visible: - Signed: -
Status: -

Name: ULILAN.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\ULILAN.SYS
Address: 0xF790C000 Size: 28160 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xF6A69000 Size: 209408 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xF7B1E000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Address: 0xF791C000 Size: 26624 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xF769C000 Size: 57600 File Visible: - Signed: -
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbohci.sys
Address: 0xF7914000 Size: 17024 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xF6B65000 Size: 143360 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF7944000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS
Address: 0xF6C63000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF75FC000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xF76CC000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF79B4000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xBA227000 Size: 82944 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xF7ADE000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2057600 File Visible: - Signed: -
Status: -

Name: WudfPf.sys
Image Path: WudfPf.sys
Address: 0xF73F1000 Size: 77568 File Visible: - Signed: -
Status: -
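Reading a driver list like the one above is mostly a matter of knowing what is normal. The checks a practitioner runs over it: entries with `File Visible: No` (the loaded driver has no file the tool can find on disk), with the caveat that the `dump_*` drivers and the scanner's own `rootrepeal.sys` are expected to show that way on a clean XP box; the pseudo-drivers (`ACPI_HAL`, `PnpManager`, `RAW`, `WMIxWDM`) that share `ntkrnlpa.exe`'s base address, which are the kernel under other names rather than extra modules; and only after that, names nobody recognises. This is an added example (mine, not RootRepeal's code or anything from the thread) that parses the Drivers section into records and applies those checks. The sample report is a constructed subset of the posted one plus one made-up hidden driver, `example_hidden.sys`, so the suspicious case has something to fire on; the expected-hidden list is an assumption about a healthy XP system, not a rule from the tool.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the entries from the report above plus one
# made-up hidden driver, "example_hidden.sys", so the positive case is shown.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
Windows Version: Windows XP SP2

Drivers
-------------------
Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2057600 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5653000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B34000 Size: 8192 File Visible: No Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2057600 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2057600 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9C23000 Size: 49152 File Visible: No Signed: -
Status: -

Name: example_hidden.sys
Image Path: C:\WINDOWS\system32\drivers\example_hidden.sys
Address: 0xB9A00000 Size: 40960 File Visible: No Signed: -
Status: -
"""

ADDR_RE = re.compile(
    r"Address:\s*(0x[0-9A-Fa-f]+)\s+Size:\s*(\d+)\s+File Visible:\s*(\S+)\s+Signed:\s*(\S+)"
)
# Assumption: hidden entries that are normal on a healthy box. The dump_*
# drivers are in-memory crash-dump copies of the disk stack and never exist on
# disk under that name; rootrepeal.sys is the scanner's own driver.
EXPECTED_HIDDEN = re.compile(r"^(dump_.*|rootrepeal\.sys)$", re.IGNORECASE)


def parse_rootrepeal_drivers(text):
    """Return one dict per entry in the Drivers section of a RootRepeal report."""
    section = text.split("\nDrivers\n", 1)[1]
    entries = []
    for block in re.split(r"\n\s*\n", section.strip()):
        entry = {}
        for line in block.splitlines():
            m = ADDR_RE.match(line)
            if m:  # address, size, visibility and signature share one line
                entry.update(address=int(m.group(1), 16), size=int(m.group(2)),
                             file_visible=m.group(3), signed=m.group(4))
            elif ":" in line:
                key, value = line.split(":", 1)
                entry[key.strip().lower().replace(" ", "_")] = value.strip()
        if "name" in entry and "address" in entry:
            entries.append(entry)
    return entries


def triage_drivers(entries):
    """Split hidden-file drivers into expected and suspicious; group aliases."""
    by_addr = defaultdict(list)
    for e in entries:
        by_addr[e["address"]].append(e["name"])
    # Pseudo-drivers such as ACPI_HAL and PnpManager report the kernel's own
    # base address: they are ntkrnlpa.exe under other names, not extra modules.
    aliases = {hex(a): sorted(n) for a, n in by_addr.items() if len(n) > 1}
    hidden, expected = [], []
    for e in entries:
        if e["file_visible"].lower() == "no":
            (expected if EXPECTED_HIDDEN.match(e["name"]) else hidden).append(e["name"])
    return {"hidden": hidden, "expected_hidden": expected, "aliases": aliases}


if __name__ == "__main__":
    report = triage_drivers(parse_rootrepeal_drivers(SAMPLE_REPORT))
    print("needs a look  :", report["hidden"])
    print("expected      :", report["expected_hidden"])
    print("kernel aliases:", report["aliases"])
```

Run against the full report posted above (paste it into `SAMPLE_REPORT`), the "needs a look" list comes back empty: every `File Visible: No` entry is a `dump_*` driver or the scanner itself, which is the "ruled out one of the worse scenarios" reading that follows.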

#8 Blade (Site Admin, 12,702 posts, US)

Posted 31 August 2009 - 11:21 PM

Okay. . . we ruled out one of the worse scenarios with that scan.

Let's try this next.

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • You may be prompted to scan immediately if GMER detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
  • Exit GMER and re-enable all active protection when done.
~Blade


In your next reply, please include the following:
GMER log



#9 Mur (Topic Starter, 12 posts)

Posted 01 September 2009 - 09:37 AM

It won't let me open the exe file. It just shows the hour glass like it's loading, and then it disappears. :/

#10 Blade (Site Admin, 12,702 posts, US)

Posted 01 September 2009 - 10:02 AM

Okay. . . let's try this. You'll probably have to rename this executable to get it to run; more details on that below.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

IMPORTANT!!! - when you save the file, rename it to winlogon.exe. This must be done before beginning the download!

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

***************************************************

If you have problems getting MBAM to execute after installation, navigate to the folder MBAM installed to and rename mbam.exe to winlogon.exe. Then double click on the file you just renamed to launch the program. Once MBAM is running, make sure you've updated it and then run a scan as directed above.

~Blade


In your next reply, please include the following:
Malwarebytes log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#11 Mur (Topic Starter, Members, 12 posts)

Posted 01 September 2009 - 10:28 AM

It freezes at extracting files during the installation process.

#12 Blade (Strong in the Bleepforce; Site Admin, 12,702 posts, Location: US)

Posted 01 September 2009 - 11:00 AM

Before we go any further. . . are you willing to format this machine and reinstall the OS? From what it looks like, this will be the easiest and most straightforward "cure." We can back up your important data (within some guidelines) before we wipe the drive.

~Blade



#13 Mur (Topic Starter, Members, 12 posts)

Posted 01 September 2009 - 11:08 AM

Wait, Avira managed to get a full scan in! It found 13 viruses and I hit repair all. Does that mean I'm cured? Should I scan again? Do you need the log? I saved it.

#14 Blade (Strong in the Bleepforce; Site Admin, 12,702 posts, Location: US)

Posted 01 September 2009 - 11:24 AM

Does that mean I'm cured?

I doubt it. Though I am glad to hear that Avira (somehow) got a scan off. You can try scanning again with Avira if you wish, but the key parts of this kind of infection are often unable to be removed or even seen by normal antiviruses. That's what some of these other tools are used for.


Go ahead and post the log from the Avira scan for me, please.

~Blade

Edited by Blade Zephon, 01 September 2009 - 11:50 AM.



#15 Mur (Topic Starter, Members, 12 posts)

Posted 01 September 2009 - 11:26 AM

Here's the scan. Sometimes I can open things that I most of the time cannot, but I haven't been able to scan with anything other than the SAS before. :]

Avira AntiVir Personal
Report file date: Tuesday, September 01, 2009 10:29

Scanning for 1675275 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : CHEESE1K-1ZXQ8L

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 19:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 15:21:42
ANTIVIR2.VDF : 7.1.5.146 3087360 Bytes 8/21/2009 00:12:55
ANTIVIR3.VDF : 7.1.5.188 393728 Bytes 8/31/2009 00:12:56
Engineversion : 8.2.1.7
AEVDF.DLL : 8.1.1.1 106868 Bytes 7/28/2009 19:31:50
AESCRIPT.DLL : 8.1.2.26 463227 Bytes 9/1/2009 00:13:00
AESCN.DLL : 8.1.2.4 127348 Bytes 7/23/2009 15:59:39
AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 15:59:39
AEPACK.DLL : 8.1.3.18 401783 Bytes 7/28/2009 19:31:50
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 15:59:39
AEHEUR.DLL : 8.1.0.155 1921400 Bytes 9/1/2009 00:12:59
AEHELP.DLL : 8.1.6.0 233846 Bytes 9/1/2009 00:12:57
AEGEN.DLL : 8.1.1.59 356725 Bytes 9/1/2009 00:12:57
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 20:32:40
AECORE.DLL : 8.1.7.6 184694 Bytes 7/23/2009 15:59:39
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 20:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 16:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 16:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, E:, F:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Tuesday, September 01, 2009 10:29

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmymitkltk\main
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmymitkltk\modules
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmymitkltk\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmymitkltk\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmymitkltk\group
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmymitkltk\imagepath
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\modules
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\start
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\type
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\imagepath
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\group
[INFO] The registry entry is invisible.
'8043' objects were checked, '11' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'mbam.exe' - '1' Module(s) have been scanned
Scan process 'mbam.exe' - '1' Module(s) have been scanned
Scan process 'mbam.exe' - '1' Module(s) have been scanned
Scan process 'mbam.exe' - '1' Module(s) have been scanned
Scan process 'mbam.exe' - '1' Module(s) have been scanned
Scan process 'b.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'SMAgent.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'DynexWCUI.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'ashDisp.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'wltray.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'CTCheck.exe' - '1' Module(s) have been scanned
Scan process 'SMTray.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ashServ.exe' - '1' Module(s) have been scanned
Scan process 'aswUpdSv.exe' - '1' Module(s) have been scanned
Scan process 'bcmwltry.exe' - '1' Module(s) have been scanned
Scan process 'wltrysvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
43 processes with 43 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
C:\WINDOWS\system32\dumprep.EXE
[WARNING] The file could not be opened!
The registry was scanned ( '64' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\Carrie\My Documents\denby help july06\asus mobo\Drivers\Chipset\IntegratedDriver2.0952.exe
[0] Archive type: CAB SFX (self extracting)
--> \87AGP\WinXP\amdagp8x.cat
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Carrie\My Documents\denby help july06\asus mobo\Software\ACROBAT\ar500cht.exe
[0] Archive type: CAB SFX (self extracting)
--> \DATA.TAG
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Carrie\My Documents\Jokes old\singalon.exe
[DETECTION] Contains recognition pattern of the W95/CIH Windows virus
C:\Documents and Settings\Spenser\.housecall6.6\Quarantine\net.net.bac_a00304
[DETECTION] Is the TR/Crypt.PEPM.Gen Trojan
C:\Documents and Settings\Spenser\.housecall6.6\Quarantine\prun.tmp.bac_a00304
[DETECTION] Is the TR/Crypt.PEPM.Gen Trojan
C:\Documents and Settings\Spenser\.housecall6.6\Quarantine\xersmcawno.tmp.bac_a00304
[DETECTION] Is the TR/Crypt.PEPM.Gen Trojan
C:\Documents and Settings\Spenser\Desktop\RootRepeal(2).exe
[WARNING] The file could not be opened!
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD10.exe
[0] Archive type: NSIS
--> unknown35
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD11.exe
[0] Archive type: NSIS
--> 3
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD13.exe
[0] Archive type: NSIS
--> unknown35
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD18.exe
[0] Archive type: NSIS
--> 3
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD19.exe
[0] Archive type: NSIS
--> '
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD1A.exe
[0] Archive type: NSIS
--> '
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD1D.exe
[0] Archive type: NSIS
--> '
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD1F.exe
[0] Archive type: NSIS
--> '
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD21.exe
[0] Archive type: NSIS
--> unknown10
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD26.exe
[0] Archive type: NSIS
--> '
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD28.exe
[0] Archive type: NSIS
--> unknown35
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD2B.exe
[0] Archive type: NSIS
--> unknown10
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD2C.exe
[0] Archive type: NSIS
--> unknown6
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD2D.exe
[0] Archive type: NSIS
--> '
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD2F.exe
[0] Archive type: NSIS
--> unknown10
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD34.exe
[0] Archive type: NSIS
--> unknown10
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD37.exe
[0] Archive type: NSIS
--> unknown10
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD3E.exe
[0] Archive type: NSIS
--> unknown35
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD40.exe
[0] Archive type: NSIS
--> unknown6
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD43.exe
[0] Archive type: NSIS
--> 3
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD44.exe
[0] Archive type: NSIS
--> '
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD45.exe
[0] Archive type: NSIS
--> unknown10
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD49.exe
[0] Archive type: NSIS
--> '
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD4B.exe
[0] Archive type: NSIS
--> '
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD4E.exe
[0] Archive type: NSIS
--> '
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD4F.exe
[0] Archive type: NSIS
--> unknown6
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD50.exe
[0] Archive type: NSIS
--> unknown35
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD52.exe
[0] Archive type: NSIS
--> unknown10
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD54.exe
[0] Archive type: NSIS
--> unknown35
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD55.exe
[0] Archive type: NSIS
--> unknown10
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD56.exe
[0] Archive type: NSIS
--> unknown10
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD58.exe
[0] Archive type: NSIS
--> 3
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EAD8.exe
[0] Archive type: NSIS
--> unknown35
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\EADF.exe
[0] Archive type: NSIS
--> unknown35
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Documents and Settings\Spenser\Local Settings\Temp\maccsnet.tmp
[DETECTION] Is the TR/Dldr.Agent.dwo Trojan
C:\Documents and Settings\Spenser\Local Settings\Temp\nsaomcrxew.tmp
[DETECTION] Is the TR/PCK.Tdss.Z.3 Trojan
C:\Documents and Settings\Spenser\Local Settings\Temp\rasvsnet.tmp
[DETECTION] Is the TR/Dldr.FraudLoad.wgdu Trojan
C:\Documents and Settings\Spenser\Local Settings\Temp\uyapqbdrie.tmp
[DETECTION] Is the TR/PCK.Tdss.Z.3 Trojan
C:\Documents and Settings\Spenser\Local Settings\Temp\xpre.tmp
[DETECTION] Is the TR/Crypt.MWPM.Gen Trojan
C:\Documents and Settings\Spenser\Local Settings\Temporary Internet Files\Content.IE5\2N04Q2V6\2[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
C:\Documents and Settings\Spenser\My Documents\installpro.exe
[0] Archive type: NSIS
--> [ProgramFilesDir]/360Share Pro/FileComparator.class
[WARNING] No further files can be extracted from this archive. The archive will be closed
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\Program Files\Alwil Software\Avast4\ashAvast.exe
[WARNING] The file could not be opened!
C:\Program Files\Fluffy\Fluffy.exe
[WARNING] The file could not be opened!
C:\Program Files\Product\Product.exe
[WARNING] The file could not be opened!
C:\Program Files\SUPERAntiSpyware\1666da15-c271-4d26-940d-74d0813ad7b3.exe
[WARNING] The file could not be opened!
C:\Program Files\SUPERAntiSpyware\40bf9f0c-d64e-461b-97e2-01e730e9e68b.exe
[WARNING] The file could not be opened!
C:\Program Files\SUPERAntiSpyware\4d2b87d2-23fd-4a18-963e-576335a852e2.exe
[WARNING] The file could not be opened!
C:\Program Files\SUPERAntiSpyware\962a2cb7-a9f0-4238-9f8c-699f4cb3b957.exe
[WARNING] The file could not be opened!
C:\Program Files\SUPERAntiSpyware\bcec31ef-1c8f-4188-9677-06ca19b46943.exe
[WARNING] The file could not be opened!
C:\Program Files\SUPERAntiSpyware\ceca2da3-eb65-4353-9380-88a53d89a315.exe
[WARNING] The file could not be opened!
C:\Program Files\UnHackMe\Unhackme.exe
[WARNING] The file could not be opened!
C:\Program Files\War\war.exe
[WARNING] The file could not be opened!
C:\WINDOWS\win32k.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\dumprep.exe
[WARNING] The file could not be opened!
C:\_OTM\MovedFiles\08312009_155737\Program Files\Windows Police Pro\windows Police Pro.exe
[DETECTION] Contains recognition pattern of the PHISH/Fraud.WinAntiVirus.JZ phishing file/email
C:\_OTM\MovedFiles\08312009_155737\WINDOWS\svchasts.exe
[DETECTION] Contains recognition pattern of the PHISH/Fraud.WinAntiVirus.IV phishing file/email
C:\_OTM\MovedFiles\08312009_155737\WINDOWS\system32\desote.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
Begin scan in 'E:\' <New Volume>
Begin scan in 'F:\' <New Volume>

Beginning disinfection:
C:\Documents and Settings\Carrie\My Documents\Jokes old\singalon.exe
[DETECTION] Contains recognition pattern of the W95/CIH Windows virus
[NOTE] The file was moved to '4b0b46b8.qua'!
C:\Documents and Settings\Spenser\.housecall6.6\Quarantine\net.net.bac_a00304
[DETECTION] Is the TR/Crypt.PEPM.Gen Trojan
[NOTE] The file was moved to '4b1146b4.qua'!
C:\Documents and Settings\Spenser\.housecall6.6\Quarantine\prun.tmp.bac_a00304
[DETECTION] Is the TR/Crypt.PEPM.Gen Trojan
[NOTE] The file was moved to '4b1246c1.qua'!
C:\Documents and Settings\Spenser\.housecall6.6\Quarantine\xersmcawno.tmp.bac_a00304
[DETECTION] Is the TR/Crypt.PEPM.Gen Trojan
[NOTE] The file was moved to '4b0f46b4.qua'!
C:\Documents and Settings\Spenser\Local Settings\Temp\maccsnet.tmp
[DETECTION] Is the TR/Dldr.Agent.dwo Trojan
[NOTE] The file was moved to '4b0046b0.qua'!
C:\Documents and Settings\Spenser\Local Settings\Temp\nsaomcrxew.tmp
[DETECTION] Is the TR/PCK.Tdss.Z.3 Trojan
[NOTE] The file was moved to '4afe46c2.qua'!
C:\Documents and Settings\Spenser\Local Settings\Temp\rasvsnet.tmp
[DETECTION] Is the TR/Dldr.FraudLoad.wgdu Trojan
[NOTE] The file was moved to '4b1046b0.qua'!
C:\Documents and Settings\Spenser\Local Settings\Temp\uyapqbdrie.tmp
[DETECTION] Is the TR/PCK.Tdss.Z.3 Trojan
[NOTE] The file was moved to '4afe46c8.qua'!
C:\Documents and Settings\Spenser\Local Settings\Temp\xpre.tmp
[DETECTION] Is the TR/Crypt.MWPM.Gen Trojan
[NOTE] The file was moved to '4b0f46bf.qua'!
C:\Documents and Settings\Spenser\Local Settings\Temporary Internet Files\Content.IE5\2N04Q2V6\2[1].htm
[DETECTION] Contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus
[NOTE] The file was moved to '4ace46aa.qua'!
C:\_OTM\MovedFiles\08312009_155737\Program Files\Windows Police Pro\windows Police Pro.exe
[DETECTION] Contains recognition pattern of the PHISH/Fraud.WinAntiVirus.JZ phishing file/email
[NOTE] The file was moved to '4f1df901.qua'!
C:\_OTM\MovedFiles\08312009_155737\WINDOWS\svchasts.exe
[DETECTION] Contains recognition pattern of the PHISH/Fraud.WinAntiVirus.IV phishing file/email
[NOTE] The file was moved to '4b0046c5.qua'!
C:\_OTM\MovedFiles\08312009_155737\WINDOWS\system32\desote.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4b1046b4.qua'!


End of the scan: Tuesday, September 01, 2009 11:05
Used time: 34:20 Minute(s)

The scan has been done completely.

5417 Scanned directories
222259 Files were scanned
13 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
13 Files were moved to quarantine
0 Files were renamed
16 Files cannot be scanned
222230 Files not concerned
2423 Archives were scanned
90 Warnings
14 Notes
8043 Objects were scanned with rootkit scan
11 Hidden objects were found
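As an added triage example (not part of the thread and not an Avira tool), the following Python script parses a constructed excerpt laid out like the report above and separates the findings that matter for the next step: the hidden service keys, which detections were actually quarantined, and the security tools the scanner could not even open. The key and file names are copied from the posted report; the counts are shortened to fit.

```python
"""Triage helper for an Avira AntiVir report like the one posted above.
Added example, not a tool from the thread or from Avira: it pairs each
object line with the bracketed status lines under it and pulls out hidden
service keys, detections never quarantined, and tools the scan could not open."""
import re

# Constructed excerpt in the layout of the posted report; key and file
# names are copied from it, the counts are shortened to fit.
SAMPLE_REPORT = r"""
Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\kbiwkmymitkltk\main
[INFO] The registry entry is invisible.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UACd.sys\imagepath
[INFO] The registry entry is invisible.
'8043' objects were checked, '2' hidden objects were found.

Starting the file scan:
Begin scan in 'C:\'
C:\Documents and Settings\Spenser\Local Settings\Temp\nsaomcrxew.tmp
[DETECTION] Is the TR/PCK.Tdss.Z.3 Trojan
C:\Documents and Settings\Spenser\Local Settings\Temp\xpre.tmp
[DETECTION] Is the TR/Crypt.MWPM.Gen Trojan
C:\Program Files\UnHackMe\Unhackme.exe
[WARNING] The file could not be opened!
C:\Documents and Settings\Spenser\My Documents\installpro.exe
[0] Archive type: NSIS
--> [ProgramFilesDir]/360Share Pro/FileComparator.class
[WARNING] No further files can be extracted from this archive. The archive will be closed

Beginning disinfection:
C:\Documents and Settings\Spenser\Local Settings\Temp\nsaomcrxew.tmp
[DETECTION] Is the TR/PCK.Tdss.Z.3 Trojan
[NOTE] The file was moved to '4afe46c2.qua'!
"""

# Phase banners that open the blocks we read; any other "Start..." /
# "Beginning..." / "The scan of..." banner switches parsing off.
PHASES = {
    "Starting search for hidden objects.": "hidden",
    "Starting the file scan:": "files",
    "Beginning disinfection:": "disinfection",
}
REG_KEY = re.compile(r"^HKEY_", re.I)
FILE_PATH = re.compile(r"^[A-Za-z]:\\")
SERVICE_NAME = re.compile(r"\\Services\\([^\\]+)", re.I)
SIGNATURE = re.compile(r"\b([A-Z0-9]+/[\w.\-]+)")  # e.g. TR/PCK.Tdss.Z.3


def parse_report(text):
    """Return hidden keys, path->signature detections, quarantined and unreadable paths."""
    report = {"hidden": [], "detections": {}, "quarantined": set(), "unreadable": []}
    phase = subject = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("Start", "Beginning", "The scan of")):
            phase, subject = PHASES.get(line), None
            continue
        if REG_KEY.match(line) or FILE_PATH.match(line):
            subject = line  # the object the following status lines describe
            continue
        if subject is None or not line.startswith("["):
            continue  # archive members ("-->"), counters, volume banners
        if phase == "hidden" and line.startswith("[INFO] The registry entry is invisible"):
            report["hidden"].append(subject)
        elif phase == "files" and line.startswith("[DETECTION]"):
            m = SIGNATURE.search(line)
            report["detections"][subject] = m.group(1) if m else line
        elif phase == "files" and line.startswith("[WARNING] The file could not be opened"):
            report["unreadable"].append(subject)
        elif phase == "disinfection" and line.startswith("[NOTE] The file was moved to"):
            report["quarantined"].add(subject)
    return report


def triage(report):
    # Hidden service names are the rootkit indicator; the rest decides what is left to clean.
    services = {m.group(1) for k in report["hidden"] for m in [SERVICE_NAME.search(k)] if m}
    return {
        "hidden_services": sorted(services),
        "signatures": sorted(set(report["detections"].values())),
        "unquarantined": sorted(p for p in report["detections"] if p not in report["quarantined"]),
        "blocked_tools": [p for p in report["unreadable"] if p.lower().startswith("c:\\program files\\")],
    }


if __name__ == "__main__":
    for name, items in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{name}: {items or 'none'}")
```

On the full posted report the same parser lists both hidden service keys and shows that every file detection was quarantined, while the locked files under Program Files match the tools the thread says the infection was blocking.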



