
Rootkit? Google/Bing redirect, Can


  • This topic is locked
3 replies to this topic

#1 off5pring91

off5pring91

  • Members
  • 2 posts
  • OFFLINE

Posted 07 September 2009 - 12:24 AM

I think something is severely infected; I am unable to run any scans (including Malwarebytes, SUPERAntiSpyware, the RootRepeal file scan, even dds.scr).

RootRepeal Scan: ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/06 23:59
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEDF0E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B69000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hjgruiwuujvouh.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruiwuujvouh.sys
Address: 0xEE197000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: PCI_PNP3994
Image Path: \Driver\PCI_PNP3994
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6DC4000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spby.sys
Image Path: spby.sys
Address: 0xF740F000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF78B9000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xEE01D000 Size: 61440 File Visible: No Signed: -
Status: -

==EOF==

Edited by off5pring91, 07 September 2009 - 12:26 AM.
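Added example, not part of the thread: a small Python triage script that parses the "Drivers" section of a RootRepeal log in the format posted above and flags the entries a helper would look at first (a driver RootRepeal reports as hidden, or one whose name points at an NTFS alternate data stream). The sample input is three of the entries from the log above; the flags are heuristics for prioritising a closer look, not a verdict.

```python
import re

# Sample input: three "Drivers" entries copied from the RootRepeal log above (backslashes escaped for Python).
SAMPLE_LOG = """Drivers
Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xEDF0E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: hjgruiwuujvouh.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\hjgruiwuujvouh.sys
Address: 0xEE197000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: win32k.sys:1
Image Path: C:\\WINDOWS\\win32k.sys:1
Address: 0xF78B9000 Size: 20480 File Visible: No Signed: -
Status: -
==EOF==
"""

ADDR_RE = re.compile(r"Address: (0x[0-9A-Fa-f]+) Size: (\d+) File Visible: (\S+) Signed: (\S+)")

def parse_drivers(text):
    """Return one dict per entry; an entry is the Name / Image Path / Address / Status line group."""
    drivers, cur = [], {}
    for line in text.splitlines():
        if line.startswith("Name: "):
            cur = {"name": line[6:].strip()}
        elif line.startswith("Image Path: "):
            cur["image_path"] = line[12:].strip()
        elif (m := ADDR_RE.match(line)):
            cur["address"], cur["size"] = int(m.group(1), 16), int(m.group(2))
            cur["file_visible"], cur["signed"] = m.group(3), m.group(4)
        elif line.startswith("Status: "):      # Status closes the entry
            cur["status"] = line[8:].strip()
            drivers.append(cur)
    return drivers

def suspicious_reasons(d):
    """Triage heuristics: each reason means 'look closer', not 'infected'."""
    reasons = []
    if "hidden" in d["status"].lower():        # RootRepeal could not see the file via the Windows API
        reasons.append("hidden from the Windows API")
    if ":" in d["name"]:                       # e.g. win32k.sys:1 names an NTFS alternate data stream
        reasons.append("loaded from an alternate data stream")
    return reasons

def triage(text):
    return {d["name"]: r for d in parse_drivers(text) if (r := suspicious_reasons(d))}
```

`triage(SAMPLE_LOG)` flags hjgruiwuujvouh.sys and win32k.sys:1 and leaves the crash-dump helper dump_atapi.sys unflagged; the flagged names are what a helper would ask the poster to upload or scan next.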


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 08 September 2009 - 02:29 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download and run Win32kDiag:
Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
==========

Please post the following logs in your next reply:

* Win32kDiag.txt
* Log.txt
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 off5pring91

off5pring91
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE

Posted 08 September 2009 - 02:55 PM

Hi,

Thanks for your offer to help. However, the rootkit/virus deteriorated so quickly that overnight it got to the point where I was unable to open or run any programs, including my wireless connector. Therefore, I just completed a complete system restore this morning.

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 September 2009 - 12:07 PM

Ok, thank you for the follow-up post. :(

This thread will now be closed.