Hijacked Hosts file
#1 Mr_Ed
Posted 19 September 2009 - 04:29 PM

I have seen a few other posts that seem to be the same issue I am having but was instructed to start my own post. Whenever I try to go to google.com I am redirected to google.ca. Also, when I try to log in to Gmail I get a page load error. I have run HijackThis and HostsXpert but both programs state that they cannot edit my hosts file and instruct me to do it manually. I have tried to load it in Notepad but after editing it will not let me save the file.

Attached is a copy of my hijacked hosts file:
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

Any help would be appreciated.

Thanks
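Added example, not from the post or from BleepingComputer: a small Python auditor for the hosts-file format the Microsoft header above describes (IP first, then host names, '#' starts a comment). It flags the two patterns this kind of hijack leaves behind: well-known search domains pinned to a non-loopback address, and one address collecting many host names. The sample input, the watched-domain list and the fan-in threshold are constructed assumptions for the example.

```python
"""Audit a Windows hosts file for hijack indicators."""
import ipaddress
from collections import defaultdict

# Constructed sample input (not the file from the post): the standard Microsoft
# header followed by the two patterns a hosts hijack leaves behind. Addresses are
# RFC 5737 documentation ranges, chosen for illustration only.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# For example:
#
# 102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
0.0.0.0         ads.example             # blocking entry, normal
192.0.2.100     securesoftwarebill.example
192.0.2.100     getantivirusplusnow.example
198.51.100.32   google.com
198.51.100.32   www.google.com          # trailing comment
198.51.100.32   bing.com   search.yahoo.com
"""

# Host names that should never be pinned to a fixed address (assumed list).
WATCHED = ("google.com", "bing.com", "search.yahoo.com", "search.live.com", "search.msn.com")


def parse_hosts(text):
    """Return (line_no, ip, hostname) triples.

    Follows the rules in the file header: one mapping per line, IP address in the
    first column, one or more host names after it, '#' starts a comment anywhere.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; the resolver ignores it as well
        for name in fields[1:]:
            entries.append((line_no, ip, name.lower().rstrip(".")))
    return entries


def is_watched(name, watched=WATCHED):
    """True if name is a watched domain or a subdomain of one (e.g. www.google.com)."""
    return any(name == w or name.endswith("." + w) for w in watched)


def audit_hosts(text, watched=WATCHED, fan_in=4):
    """Flag watched domains pinned to an address, and addresses collecting many names."""
    findings = []
    names_by_ip = defaultdict(list)
    for line_no, ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # 127.0.0.1 / 0.0.0.0 entries only block; they cannot redirect
        names_by_ip[ip].append(name)
        if is_watched(name, watched):
            findings.append({"kind": "watched", "line": line_no, "ip": str(ip), "name": name})
    for ip, names in names_by_ip.items():
        if len(names) >= fan_in:  # many distinct names funnelled to one address
            findings.append({"kind": "fan_in", "line": 0, "ip": str(ip),
                             "name": ",".join(sorted(set(names)))})
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"{f['kind']:8} line {f['line']:3} {f['ip']:15} {f['name']}")
```

On a real machine, point it at C:\WINDOWS\system32\drivers\etc\hosts and compare the flagged lines with the header-only file Windows ships.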

#2 garmanma
Posted 20 September 2009 - 08:46 PM

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Direct Download (Recommended)
  • Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)

  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Right-click on rootrepeal.exe and rename it to tatertot.scr
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Mr_Ed
Posted 21 September 2009 - 12:14 AM

garmanma: Thanks for the reply. Here is the log from RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/20 21:58
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA302000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A72000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP7650
Image Path: \Driver\PCI_PNP7650
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spup.sys
Image Path: spup.sys
Address: 0xF734A000 Size: 1036288 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\documents and settings\owner\application data\utorrent\resume.dat
Status: Size mismatch (API: 49288, Raw: 49348)

Path: C:\Documents and Settings\Owner\Application Data\uTorrent\resume.dat.old
Status: Could not get file information (Error 0xc0000008)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x86160d60

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x86161f00

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x86160260

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x86160520

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x86161bc0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x861612e0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x861615a0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spup.sys" at address 0xf7368ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spup.sys" at address 0xf7369030

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x86161d60

#: 119 Function Name: NtOpenKey
Status: Hooked by "spup.sys" at address 0xf734b0c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x861607e0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spup.sys" at address 0xf7369108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spup.sys" at address 0xf7368f88

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x861620a0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x86161020

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x86160aa0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x86161a20

Shadow SSDT
-------------------
#: 548 Function Name: NtUserSetWindowsHookAW
Status: Hooked by "<unknown>" at address 0x86162700

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x86162520

==EOF==

Another issue I have discovered in playing with this machine is that it will not allow me to press Ctrl-Alt-Del. I have tried Stopzilla and Trend Micro Internet Security and both programs detect the problem and claim to remove it but the problem remains.

#4 garmanma
Posted 21 September 2009 - 06:19 PM

Save this log. I'm going to recommend submitting a HJT log
Start at Step 6 and run whatever scan you can


Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

There will also be instructions to create a Root Repeal Log

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

The HJT team is very busy and it will take a while to get to your post.
Please be patient and good luck.
Mark
#5 Mr_Ed
Posted 22 September 2009 - 05:51 PM

Thanks again for the help. I think I will just format and reinstall it tonight rather than spend the night running logs and waiting for an answer.