Computer acting strangely.


  • This topic is locked
5 replies to this topic

#1 S. Langfield

S. Langfield

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:38 PM

Posted 13 September 2009 - 08:47 PM

Some basic information before I continue: OS is Windows XP SP2, anti-virus is AVG Free, and my firewall is Comodo Pro. Additionally, I have Malwarebytes as anti-malware.

This is a continuation of an unanswered thread I posted on Aug 7th. Since then, my problems have changed, so the old thread has been deleted. Here's a brief recap of that thread: I posted about a potential malware infection on my computer. It basically wiped out my Comodo Firewall, shutting down every part of it, and redirected me to sites like shopica.com when I tried to do a search on Google. When I rebooted my computer, my internet access was gone (as in I wasn't connected at all), and when I clicked on My Network Places to try and reconnect, I was presented with a window stating my computer would shut down because the "DCOM Service Process Launcher Terminated Unexpectedly." When I scanned my computer for malware using AVG Free's scanner and Malwarebytes, there was nothing. Suspecting MSblaster, I transferred over a program (from Symantec) that found and rooted out that specific virus, but it too found nothing. I have tried to go back to the Last Known Good Configuration, but the problem remains. That was basically my situation as of Aug 7th.

Situation as of now: Since then, I've discovered additional problems on my computer. It refuses to read CDs anymore or flash drives. That combined with no internet access has made transferring anything between computers impossible. I have also lost sound, as in the computer does not detect speakers anymore. Additionally, a program (in particular OpenOffice, although there may be more) terminates at random times when I have it open.

What I'd Like: I am aware that a "one problem, one post" method would help you all tremendously, but I don't know if the multitude of things affecting my computer are all separate problems or the result of a single malware attack--if it is malware at all. If you would like to focus on one problem at a time, just let me know which and I'll be happy to repost my other troubles at a later date. Finally, if there doesn't seem to be any solution to my problem other than wiping everything, I'm willing to do so, albeit very reluctantly. There's nothing on this computer that is absolutely essential to me, like bank information or the like, only things of sentimental value. I would just need to know how to wipe everything, as I've never had to do it before.

Thanks for your time. I'm at my wit's end here.

Edited by S. Langfield, 13 September 2009 - 08:49 PM.




#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:38 AM

Posted 13 September 2009 - 10:24 PM

We need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 S. Langfield

S. Langfield
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:38 PM

Posted 14 September 2009 - 04:03 PM

Thanks for the help! A bit of good news, at least: it turns out my computer can read a flash drive. I just didn't have the drivers. Going through the Control Panel and using Add New Hardware made it work. Also, when I ran RootRepeal on my computer, a window appeared instead, reading: "Could not read the boot sector. Try adjusting the disk access level with the options dialog." I clicked OK and the same window appeared again. I had to click OK at least five more times before those windows went away and RootRepeal started, but eventually I was able to scan. Results are below.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/14 16:39
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8443000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79A7000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7BC9000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: Volume C:\, Sector 3
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 13
Status: Sector mismatch

Path: Volume C:\, Sector 14
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 16
Status: Sector mismatch

Path: Volume C:\, Sector 19
Status: Sector mismatch

Path: Volume C:\, Sector 24
Status: Sector mismatch

Path: Volume C:\, Sector 25
Status: Sector mismatch

Path: Volume C:\, Sector 26
Status: Sector mismatch

Path: Volume C:\, Sector 30
Status: Sector mismatch

Path: Volume C:\, Sector 31
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 36
Status: Sector mismatch

Path: Volume C:\, Sector 37
Status: Sector mismatch

Path: Volume C:\, Sector 39
Status: Sector mismatch

Path: Volume C:\, Sector 40
Status: Sector mismatch

Path: Volume C:\, Sector 41
Status: Sector mismatch

Path: Volume C:\, Sector 43
Status: Sector mismatch

Path: Volume C:\, Sector 44
Status: Sector mismatch

Path: Volume C:\, Sector 45
Status: Sector mismatch

Path: Volume C:\, Sector 46
Status: Sector mismatch

Path: Volume C:\, Sector 47
Status: Sector mismatch

Path: Volume C:\, Sector 48
Status: Sector mismatch

Path: Volume C:\, Sector 49
Status: Sector mismatch

Path: Volume C:\, Sector 50
Status: Sector mismatch

Path: Volume C:\, Sector 52
Status: Sector mismatch

Path: Volume C:\, Sector 53
Status: Sector mismatch

Path: Volume C:\, Sector 54
Status: Sector mismatch

Path: Volume C:\, Sector 55
Status: Sector mismatch

Path: Volume C:\, Sector 56
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 59
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\ytasfwdnossrpu.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ytasfweybakmtn.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ytasfwqshacaly.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\ytasfwvpuxyycv.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\ytasfwowuydgxt.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\Dc32.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\36_-_zero-two.mp3:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\Dc45.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\undr_wtv.mid:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\Dc31.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\01KNIG~1.MP3:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\Dc22.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\Dc23.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\Dc24.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\Dc25.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\Dc26.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\Dc27.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\03_-_storm_and_fire.mp3:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\03_-_storm_and_fire.mp3:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\03_-_storm_and_fire.mp3:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\03_-_storm_and_fire.mp3:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\03_-_storm_and_fire.mp3:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\03_-_storm_and_fire.mp3:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\Dc28.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\Dc30.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\112UNA~1.MP3:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\112UNA~1.MP3:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\Dc33.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\Dc34.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\Dc35.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\Dc19.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\egao no wake.mp3:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\egao no wake.mp3:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\egao no wake.mp3:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\Dc43.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\More Music\Dc44.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Tired Prog\1134 - Hackwork\Copy of Pokemon:Zone.Identifier
Status: Invisible to the Windows API!

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb7f68

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb7472

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb7b0c

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb84e4

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb7150

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb91f0

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb94c8

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb6d16

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb814e

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb82fe

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb6a78

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb8e72

#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb76f6

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb7d50

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb67a8

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb7986

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb6920

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb88aa

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb726e

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb8c0e

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb9020

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb86aa

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb7690

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb787a

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb701a

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb6ee8

Stealth Objects
-------------------
Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: services.exe (PID: 688) Address: 0x00650000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: lsass.exe (PID: 700) Address: 0x00750000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: svchost.exe (PID: 860) Address: 0x00760000 Size: 28672

Object: Hidden Module [Name: ytasfwqshacaly.dll]
Process: svchost.exe (PID: 860) Address: 0x00a50000 Size: 53248

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: svchost.exe (PID: 944) Address: 0x00760000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: cmdagent.exe (PID: 984) Address: 0x00e70000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: svchost.exe (PID: 1056) Address: 0x00760000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: MsMpEng.exe (PID: 1096) Address: 0x00720000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: svchost.exe (PID: 1264) Address: 0x00760000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: svchost.exe (PID: 1456) Address: 0x00760000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: Explorer.EXE (PID: 1468) Address: 0x00c50000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: svchost.exe (PID: 1612) Address: 0x00760000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: avgwdsvc.exe (PID: 1892) Address: 0x00670000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: MDM.EXE (PID: 1952) Address: 0x009f0000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: svchost.exe (PID: 144) Address: 0x00760000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: WLService.exe (PID: 372) Address: 0x00910000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: Tablet.exe (PID: 392) Address: 0x008a0000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: WUSB54Gv4.exe (PID: 400) Address: 0x00cd0000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: avgemc.exe (PID: 488) Address: 0x00820000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: avgrsx.exe (PID: 608) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: TabUserW.exe (PID: 1224) Address: 0x003f0000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: avgcsrvx.exe (PID: 1412) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: Tablet.exe (PID: 1424) Address: 0x003f0000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: hpsysdrv.exe (PID: 2636) Address: 0x008a0000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: hphmon06.exe (PID: 2660) Address: 0x00a50000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: AGRSMMSG.exe (PID: 2676) Address: 0x00a40000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: ALCWZRD.EXE (PID: 2684) Address: 0x003d0000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: Acrotray.exe (PID: 2716) Address: 0x00a40000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: realsched.exe (PID: 2736) Address: 0x003b0000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: MSASCui.exe (PID: 2744) Address: 0x00c70000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: avgtray.exe (PID: 2764) Address: 0x003f0000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: InfoMyCa.exe (PID: 2784) Address: 0x00990000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: cfp.exe (PID: 2808) Address: 0x01380000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: ctfmon.exe (PID: 2840) Address: 0x008e0000 Size: 28672

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: RealPlay.exe (PID: 3068) Address: 0x003d0000 Size: 28672

Object: Hidden Module [Name: rnqu3270.dll]
Process: RealPlay.exe (PID: 3068) Address: 0x61eb0000 Size: 307200

Object: Hidden Module [Name: ytasfwvpuxyycv.dll]
Process: RootRepeal.exe (PID: 2308) Address: 0x10000000 Size: 28672

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8ebb2a4

#: 122 Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8ebb9c8

#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8ebb3d8

#: 233 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8ebb888

#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8ebb518

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8ebb64c

#: 310 Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8ebb124

#: 319 Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eba376

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8ebadf4

#: 389 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8ebb786

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8ebab62

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8ebaca4

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eba846

#: 465 Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eba0ae

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eba4f8

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eba6a4

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8ebaf44

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8ebaa08

#: 509 Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8ebb03a

#: 529 Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eba21e

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8ebba2e

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8ebbc62

==EOF==
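
A triage script for a report in this format, added here as an example (it is not part of the thread or of RootRepeal): it parses the section/record layout of the log above and separates what needs attention (the MBR detection, mismatched sectors, files invisible to the Windows API, a module hidden inside many processes) from expected noise. It assumes cmdguard.sys is the poster's Comodo firewall driver, so its SSDT hooks are expected, and treats `file:Zone.Identifier` entries as mark-of-the-web streams on downloaded files rather than hidden binaries; the sample report is constructed.

```python
import re

# Constructed excerpt in the RootRepeal report format shown in the post above.
# ytasfwqshacaly.dll is a hidden file from that report; song.mp3 is made up.
SAMPLE_LOG = r"""Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\ytasfwqshacaly.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\Music\song.mp3:Zone.Identifier
Status: Invisible to the Windows API!

SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa8eb7b0c

Stealth Objects
-------------------
Object: Hidden Module [Name: ytasfwqshacaly.dll]
Process: svchost.exe (PID: 860) Address: 0x00a50000 Size: 53248

Object: Hidden Module [Name: ytasfwqshacaly.dll]
Process: lsass.exe (PID: 700) Address: 0x00750000 Size: 28672

==EOF==
"""

def parse_report(text):
    """Group the report into {section: [record, ...]}; each blank-line-delimited block is one record of 'Key: value' lines."""
    sections, section, record = {}, None, {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("-----"):
            section, record = line.strip(), {}      # "Hidden/Locked Files", "SSDT", ...
        elif section is None or line.startswith("-----"):
            continue                                # preamble or the underline below a name
        elif not line.strip() or line.startswith("==EOF=="):
            if record:
                sections.setdefault(section, []).append(record)
            record = {}
        else:
            key, _, value = line.partition(":")     # split on the first colon only
            record[key.strip()] = value.strip()
    return sections

def triage(sections, trusted_hookers=("cmdguard.sys",)):
    """Separate findings needing attention from expected noise; trusted_hookers are drivers whose SSDT hooks are known-good (Comodo's, assumed)."""
    f = {"mbr_rootkit": False, "mismatched_sectors": [], "hidden_files": [],
         "hidden_streams": 0, "untrusted_hooks": [], "hidden_modules": {}}
    for rec in sections.get("Hidden/Locked Files", []):
        path, status = rec.get("Path", ""), rec.get("Status", "")
        if "MBR Rootkit" in status:
            f["mbr_rootkit"] = True
        elif status == "Sector mismatch":
            f["mismatched_sectors"].append(int(re.search(r"Sector (\d+)", path).group(1)))
        elif status.startswith("Invisible") and ":Zone.Identifier" in path:
            f["hidden_streams"] += 1   # mark-of-the-web ADS on a download, not a hidden binary
        elif status.startswith("Invisible"):
            f["hidden_files"].append(path)   # "Locked" entries such as hiberfil.sys are normal
    for name in ("SSDT", "Shadow SSDT"):
        for rec in sections.get(name, []):
            m = re.search(r'Hooked by "([^"]+)"', rec.get("Status", ""))
            if m and m.group(1).rsplit("\\", 1)[-1].lower() not in trusted_hookers:
                f["untrusted_hooks"].append(rec.get("#", "").split(": ")[-1])
    for rec in sections.get("Stealth Objects", []):
        m = re.search(r"Hidden Module \[Name: ([^\]]+)\]", rec.get("Object", ""))
        if m:   # one module injected into many processes is one finding, counted per process
            f["hidden_modules"][m.group(1)] = f["hidden_modules"].get(m.group(1), 0) + 1
    return f
```

Run against the full log in the post, the same functions report the MBR detection, the run of mismatched sectors, the five ytasfw* files and the module present in dozens of processes, while all SSDT and Shadow SSDT hooks resolve to the trusted driver.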

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:38 AM

Posted 14 September 2009 - 04:45 PM

I think it's time to head on over to the HijackThis forum for a closer look.

Preparation Guide for use before posting a HijackThis Log

Go straight to Step 6. If you cannot get DDS to run just post your RootRepeal log.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 S. Langfield

S. Langfield
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:01:38 PM

Posted 14 September 2009 - 07:08 PM

Posted in the appropriate forum. Thanks. :thumbsup:

#6 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,947 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:38 PM

Posted 14 September 2009 - 09:23 PM

Hello,

Now comes the hard and frustrating part: waiting.

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/257648/computer-not-working-properly-mbr-rootkit/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks, perhaps less, to get a response, but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



