
rootkit and other infections


7 replies to this topic

#1 ashoka149
  • Members
  • 23 posts
  • Gender:Male
  • Location:UK

Posted 06 September 2009 - 01:01 PM

Hi friends

I have had problems with these infections for the last 6 weeks.

I have run many antivirus programmes as advised on the 'am I infected forum'.

As the symptoms were persisting I was asked to post on this HJT forum. Unfortunately on the same day, when I restarted my computer, I found that I was being asked for a password for my account. This applies to all the accounts on the computer. I can't get in in safe mode either, into any account including the administrator.

Trouble is I have never set passwords for any account on the computer. The virus appears to have triggered off this problem.

I have Windows XP Home, with an Athlon 4400.

I have attached a link to previous communications with your colleague who had kindly tried to help me.

Is there anything I can do?

Please help.

http://www.bleepingcomputer.com/forums/t/244051/clicking-on-google-links-leads-me-to-ebay-and-other-sites/



#2 garmanma
    Computer Masochist
  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 06 September 2009 - 01:28 PM

Hello ashoka149

As Rigel said before, you have a real nasty infection that is almost impossible to get rid of.
Please try to follow the HJT preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
If you cannot produce a DDS log please post back here so we can try something else

Edited by garmanma, 06 September 2009 - 01:28 PM.

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 ashoka149
  • Topic Starter
  • Members
  • 23 posts
  • Gender:Male
  • Location:UK

Posted 06 September 2009 - 01:59 PM

Hi garmanma

Thanks for getting back so soon.

Problem is I can't get past the Windows page with the different account icons. I don't have a password set for any of the accounts and the computer is now asking for a password for all the accounts, including in safe mode. I have the Recovery Console available but must confess that I have never used it before. Can I get to System Restore through this console?

If this is an impossible situation then any advice on how best to reinstall the OS would be very helpful.

I have the OS plus other software I got from the manufacturer on a hidden drive, which can be used to get back to factory settings using the F10 key. I also have the original OEM XP Home disc from the manufacturer of the PC. But I won't have the other software on it.

Any advice would be gratefully accepted.

I am using my son's laptop to communicate with you.

ashoka 149

#4 garmanma
    Computer Masochist
  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 06 September 2009 - 06:59 PM

I have the recovery console available but must confess that I have never used it before.

http://support.microsoft.com/kb/307654
http://support.microsoft.com/kb/314058
If it asks for a password, just hit Enter

Is this a Dell?
Mark

#5 ashoka149
  • Topic Starter
  • Members
  • 23 posts
  • Gender:Male
  • Location:UK

Posted 07 September 2009 - 01:34 AM

Hi

It is manufactured by MESH computers in the UK.

If I hit Enter when asked for a password I get an error message.

'Logon message' in title bar of message

Yellow triangle with an exclamation mark and 'unable to log you on because of an account restriction'.

If I click on the OK button at the bottom of this message I go back to the accounts page and there is a message: 'Did you forget your password? Type your password again. Be sure to check upper and lower case.'

ashoka149

#6 garmanma
    Computer Masochist
  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 07 September 2009 - 06:47 PM

I would recommend that you just go ahead and use the recovery option on your computer.
Mark

#7 ashoka149
  • Topic Starter
  • Members
  • 23 posts
  • Gender:Male
  • Location:UK

Posted 08 September 2009 - 03:33 PM

Hi garmanma

I did as suggested.

I used the recovery wizard on a hidden partition on the hard drive and restored to factory settings. Unfortunately I have not been able to format the C drive as the hidden partition is in the C drive and I am wondering if this will be also deleted if I format.

Soon after getting factory settings, I installed Norton Internet Security and then connected up the broadband modem.

I downloaded updates for Norton. I then downloaded some updates for Windows. When I installed Windows XP Service Pack 3 and rebooted I was downloading some more updates when the computer reverted back to power-save mode and the screen went blank except for the Windows icon.

When I moved the mouse I got back the Windows page with the user accounts displayed. When I tried to get into my account the password that I had set did not work!!! The other accounts were also asking for passwords again although none were set.

I rebooted to safe mode and luckily was able to get in through the administrator account with no password set. I have since removed all passwords and have generated a password reset disk for my account.

I have downloaded DDS and RootRepeal and have generated logs, which I have attached. One other thing: after I ran these two scans I noticed a new icon on the desktop named settings. It is a .DAT file and can't be opened. Is this something expected to happen with either of these two files?

I am worried that the infection is not completely gone. Please look at the logs and let me know what you think. I will download Malwarebytes and run a scan later as well.

Many thanks again for your help.



DDS (Ver_09-07-30.01) - NTFSx86
Run by ashoka at 21:12:09.06 on 08/09/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1579 [GMT 1:00]

AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\ashoka\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.skybroadband.com
uWindow Title = Windows Internet Explorer provided by Sky Broadband
mWindow Title = Tiscali Internet Access
uInternet Settings,ProxyOverride = <local>
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.0.0.125\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.0.0.125\IPSBHO.DLL
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.0.0.125\coIEPlg.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_04\bin\jusched.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [CARPService] carpserv.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime
mRun: [CTSysVol] c:\program files\creative\sbaudigy2zs\surround mixer\CTSysVol.exe /r
mRun: [CTDVDDET] c:\program files\creative\sbaudigy2zs\dvdaudio\CTDVDDET.EXE
mRun: [CTHelper] CTHELPER.EXE
mRun: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
mRun: [SBDrvDet] c:\program files\creative\sb drive det\SBDrvDet.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aticat~1.lnk - c:\program files\ati technologies\ati.ace\CLI.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252434280562
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1000000.07d\SymEFA.sys [2009-9-8 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1000000.07d\BHDrvx86.sys [2009-9-8 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1000000.07d\ccHPx86.sys [2009-9-8 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090904.002\IDSXpx86.sys [2009-9-8 276344]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [2009-9-8 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-7 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090907.050\NAVENG.SYS [2009-9-7 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090907.050\NAVEX15.SYS [2009-9-7 1323568]
S3 cpuz;cpuz;\??\f:\cpuz.sys --> f:\cpuz.sys [?]
S4 SI3112r;Silicon Image SiI 3512 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2004-8-21 89749]

=============== Created Last 30 ================

2009-09-08 20:21 <DIR> --d----- c:\program files\MSXML 4.0
2009-09-08 20:20 512,000 -c------ c:\windows\system32\dllcache\jscript.dll
2009-09-08 20:19 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-08 20:17 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-09-08 20:16 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-09-08 20:11 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-09-08 20:09 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-09-08 20:09 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2009-09-08 20:09 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-09-08 20:09 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2009-09-08 20:08 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-09-08 20:08 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-09-08 20:07 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-09-08 19:53 <DIR> --d----- c:\windows\system32\scripting
2009-09-08 19:53 <DIR> --d----- c:\windows\l2schemas
2009-09-08 19:53 <DIR> --d----- c:\windows\system32\en
2009-09-08 19:53 <DIR> --d----- c:\windows\system32\bits
2009-09-08 19:50 <DIR> --d----- c:\windows\ServicePackFiles
2009-09-08 19:47 <DIR> --d----- c:\windows\network diagnostic
2009-09-08 19:44 <DIR> --d----- c:\windows\EHome
2009-09-08 19:25 31,768 a------- c:\windows\system32\wucltui.dll.mui
2009-09-08 19:25 23,576 a------- c:\windows\system32\wuaucpl.cpl.mui
2009-09-08 19:25 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-09-08 19:25 18,456 a------- c:\windows\system32\wuaueng.dll.mui
2009-09-08 19:25 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-09-08 19:13 463 a------- c:\windows\system32\CTHELPER.RPT
2009-09-08 19:09 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-09-08 19:05 12,598 a------- c:\windows\system32\wpa.bak
2009-09-08 19:02 <DIR> --d----- c:\program files\Sky Broadband
2009-09-08 18:47 35,888 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-09-08 18:47 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-08 18:47 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-09-08 18:47 10,635 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-09-08 18:47 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-09-08 18:47 <DIR> --d----- c:\program files\Symantec
2009-09-08 18:47 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-09-08 18:46 <DIR> --d----- c:\windows\system32\drivers\NIS
2009-09-08 18:46 <DIR> --d----- c:\program files\Norton Internet Security
2009-09-08 18:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-09-08 18:45 <DIR> --d----- c:\program files\NortonInstaller
2009-09-08 18:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-09-08 18:32 <DIR> --d----- c:\documents and settings\ashoka

==================== Find3M ====================

2009-09-08 19:55 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-29 05:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-29 05:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-06-29 17:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 17:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 17:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-25 09:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 09:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 09:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 09:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 09:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 09:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-12 13:31 76,288 a------- c:\windows\system32\telnet.exe

============= FINISH: 21:12:22.51 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/08 21:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA90BA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5E4000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA5D3C000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xB9EB0000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090907.050\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8a3b1c08

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8a3a1710

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a3ed630

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8a3f07c0

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x891362b0

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa9423020

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x89f84c78

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x8a6742c8

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x89fee330

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x8a3ef640

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa94232a0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa9423800

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x8a389cc0

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x89fcf120

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8a3e7f68

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8a3b06f0

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8a3805d8

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x89fc97a0

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8a3d5310

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x89d3a800

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8a344ab0

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x8a3e0240

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x89fb94e0

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a6970c8

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8a32c228

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8a38ca90

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x89fa9b38

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x8a40d8a0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa9423a50

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8a3dd5c0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8a39efa8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8a33a350

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8a38ec50

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a3481d0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a40f608

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x8a3c13e8

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x8a3c35b0

#: 415 Function Name: NtUserGetKeyNameText
Status: Hooked by "<unknown>" at address 0x8a3443e8

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x8a3c7700

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x89fc5100

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x89fc0550

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x89061668

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x8a29ac08

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x8a3bf380

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x89fc2518

==EOF==

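As an added illustration, not part of this thread and not code from RootRepeal's authors, the Python script below parses the SSDT and Shadow SSDT sections of a RootRepeal report in the layout shown above, groups each hook by the module RootRepeal attributed it to, and lists the ones it could not attribute. RootRepeal prints `<unknown>` when the hook target does not fall inside any loaded driver's image, which is what happens when a hook is placed in dynamically allocated kernel memory; security suites do this as well as rootkits, so an unattributed hook is a lead to check against the installed security software rather than a verdict on its own. The sample text is constructed from a few entries of the log above, and the function names in `INPUT_FUNCTIONS` are chosen here as the input-related Shadow SSDT services worth a second look.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in RootRepeal's report layout, built from a few
# entries of the log posted above. The Drivers section is included to
# show that only SSDT / Shadow SSDT entries are collected.
SAMPLE_LOG = r"""
Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA5D3C000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8a3b1c08

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa9423020

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa94232a0

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8a3805d8

Shadow SSDT
-------------------
#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x8a3c35b0

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x8a3bf380

==EOF==
"""

HOOK_SECTIONS = {"SSDT", "Shadow SSDT"}
ENTRY_RE = re.compile(r'^#:\s*(\d+)\s+Function Name:\s*(\S+)\s*$')
HOOKED_RE = re.compile(r'^Status:\s*Hooked by "([^"]*)" at address (0x[0-9A-Fa-f]+)\s*$')

# Shadow SSDT services that read keyboard state or install input hooks.
# Host intrusion-prevention products hook these as well as keyloggers,
# so a hit here is a question to answer, not a verdict. (Assumed list.)
INPUT_FUNCTIONS = {
    "NtUserGetAsyncKeyState", "NtUserGetKeyState", "NtUserGetRawInputData",
    "NtUserSetWindowsHookEx", "NtUserAttachThreadInput",
}


def parse_hooks(text):
    """Return one dict per hooked SSDT / Shadow SSDT entry, in report order."""
    hooks = []
    section = None   # name of the section we are currently inside
    prev = ""        # previous non-blank line; a dashed rule names it as a section
    pending = None   # (index, function) waiting for its Status line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = ENTRY_RE.match(line)
        if len(line) >= 3 and set(line) == {"-"}:
            section = prev
        elif entry:
            pending = (int(entry.group(1)), entry.group(2))
        elif line.startswith("Status:"):
            hooked = HOOKED_RE.match(line)
            if hooked and pending and section in HOOK_SECTIONS:
                index, function = pending
                hooks.append({
                    "section": section, "index": index, "function": function,
                    "module": hooked.group(1), "address": int(hooked.group(2), 16),
                })
            pending = None   # "Status: -" or a foreign section: drop the entry
        prev = line
    return hooks


def hooks_by_module(hooks):
    """Map each hooking module (or "<unknown>") to the functions it hooks."""
    grouped = defaultdict(list)
    for h in hooks:
        grouped[h["module"]].append(h["function"])
    return dict(grouped)


def unattributed_hooks(hooks):
    """(section, function) pairs whose hook RootRepeal could not map to a driver image."""
    return [(h["section"], h["function"]) for h in hooks if h["module"] == "<unknown>"]


def input_hooks(hooks):
    """Shadow SSDT hooks on keyboard / input services, attributed or not."""
    return [h["function"] for h in hooks
            if h["section"] == "Shadow SSDT" and h["function"] in INPUT_FUNCTIONS]


def main(argv):
    # Pass a saved report path to parse it; with no argument the sample is used.
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_LOG
    hooks = parse_hooks(text)
    print(f"{len(hooks)} hooked entries")
    for module, functions in hooks_by_module(hooks).items():
        print(f"  {module}: {', '.join(functions)}")
    print("unattributed:", unattributed_hooks(hooks))
    print("input-related (Shadow SSDT):", input_hooks(hooks))


if __name__ == "__main__":
    main(sys.argv)
```

Run against the full log above, the grouping makes the picture visible at a glance: every registry-related hook (NtCreateKey, NtDeleteKey, NtDeleteValueKey, NtSetValueKey) belongs to SYMEVENT.SYS, the Norton driver installed that evening, while the remaining hooks sit in kernel pool memory that RootRepeal cannot name. That is consistent with a security suite's own self-protection, but only the helper comparing the list against what Norton is known to hook can say so, which is why garmanma hands the log to the malware-removal team rather than reading it here.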
#8 garmanma
    Computer Masochist
  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 08 September 2009 - 06:26 PM

Now that you were able to produce logs, you need to post them in our specialized forum here:

http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

-------------------------------------------------------
Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.


To avoid confusion, I am closing this topic.
Mark



