RootRepeal Caused System Crash


12 replies to this topic

#1 Wendy K. Walker
  • Members
  • 633 posts
  • Gender: Female
  • Location: In The Treeline 300 Yards Behind You, Tracking Your Every Move Through A Sniper Scope

Posted 22 November 2009 - 12:11 AM

Hi All,

Sometime back I had downloaded RootRepeal.exe. I can't say I remember why I had downloaded it, but it was probably out of curiosity to see what it did. Anyway, I know that I had run it and that it had generated a log, though I have no idea where to look for that log.

That brings me up to today. I have been thinking that I might have something living in my PC that shouldn't be there and feeling the need to start a topic addressing my concerns.

I don't know if it was due to my severe lack of RAM or to the presence of something evil in my system; however, whichever it was, I was unable to update, or even open, SpyBot Search & Destroy 99% of the time, so I finally uninstalled it. I'm also having that same kind of trouble with MalwareBytes, but at least I can get it to open half the time and I've been able to get it to update a couple of times too.

Now, having said that, I decided to go ahead and start a topic and see what I could discover.

I just attempted to run RootRepeal, so that I would have its log to attach to this post, and my system crashed. After an automatic reboot completed I tried to run it again..., and once again my system crashed.

This time I went into Safe Mode when my machine started to reboot. Once again I tried running RootRepeal, and once again my machine crashed.

This time I interrupted the automatic reboot and selected the option to reboot to Last Known Good Configuration. Once Windows opened I had a Microsoft advisory saying that Windows had just recovered from a critical error. I sent an error report and followed the link they suggested I follow to see what might have caused those crashes.

The one thing that caught my eye was the statement that said Viruses can cause crashes like that to happen. I'm more concerned now as my Anti-Virus scanner hasn't been detecting anything and I run it at least once a week.

Anybody have any suggestions as to what my next step should be here?

Thanks for any input.

EDIT: I opened the Properties for the copy of RootRepeal that I have on my desktop, and at the bottom of the General tab was a security warning that said: "This file came from another computer and might be blocked to help protect this computer". There was also an option button to Unblock. Is that normal?

Wendy

Edited by Wendy K. Walker, 22 November 2009 - 12:23 AM.

TRUST NO ONE...! EXCEPT For The Beloved Computer Geek Helping You In The MALWARE FORUMS.

Do Unto Others Before They Have A Chance To Do Unto You.

HP Pavilion 512n [Rescued from a pile of trash on the side of the road] 128 MB SDRAM, 60 GB Hard Drive, Windows XP, Home Edition, SP3, COMODO Anti Virus and Firewall.


#2 garmanma (Computer Masochist)
  • Staff Emeritus
  • 27,809 posts
  • Location: Cleveland, Ohio

Posted 23 November 2009 - 08:30 PM

Sometime back I had downloaded RootRepeal.exe,


I would uninstall it and start over


We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes (Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT).
  • Push Ok
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr

============================

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter
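
As an added example (not code from this thread, from BleepingComputer, or from RootRepeal's author), the Python script below reads a saved RootRepeal report in the layout the steps above produce (a section title over a dashed rule for each of the seven scan areas, blank-line-separated records of "Key: Value" fields, some lines carrying several keys) and pulls out what a helper reads first: drivers whose file is not visible to the Windows API, unsigned drivers at lower priority, hidden or locked files other than the always-locked pagefile, and any SSDT or Shadow SSDT entry whose status is not "Not hooked". Because the rename trick above makes RootRepeal load its own driver under the new name (the hidden, unsigned wendystoy.scr.sys in the log posted later in this thread matches the renamed executable wendystoy.scr on the Desktop), the script takes that name and reports the matching driver as expected rather than suspect; that whitelist and the priority ranking are my heuristics, not the tool's. The embedded report is a constructed, cut-down imitation, and "hypothetical.sys" and its hook are invented for the sample.

```python
import re

# Constructed sample in RootRepeal's report layout (a cut-down imitation of the
# report posted later in this thread, not the real file); "hypothetical.sys"
# and its SSDT hook are invented for the sample.
SAMPLE_REPORT = """\
ROOTREPEAL (c) AD, 2007-2009

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xFC537000 Size: 187776 File Visible: - Signed: Yes
Status: -

Name: wendystoy.scr.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\wendystoy.scr.sys
Address: 0xFC746000 Size: 49152 File Visible: No Signed: No
Status: -

Name: hypothetical.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\hypothetical.sys
Address: 0xFC900000 Size: 8192 File Visible: No Signed: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\\pagefile.sys
Status: Locked to the Windows API!

Path: C:\\WINDOWS\\system32\\drivers\\hypothetical.sys
Status: Invisible to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateFile
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\hypothetical.sys" at address 0xfc900a10

Shadow SSDT
-------------------
#: 000 Function Name: NtGdiAbortDoc
Status: Not hooked
"""

# Field names the report prints; longer names first so "Image Path" wins over "Path".
KEYS = ("Image Path", "File Visible", "Function Name", "Name", "Address",
        "Size", "Signed", "Status", "Path", "PID", "#")
KEY_RE = re.compile(r"(?:^|(?<=\s))(" + "|".join(map(re.escape, KEYS)) + r"): ")


def parse_report(text):
    """Return {section title: [record, ...]}. Read a saved report in text mode so
    CRLF line endings are normalised before passing the text here."""
    parts = re.split(r"^(\S[^\n]*)\n-{5,}\n?", text, flags=re.M)  # preamble, title, body, ...
    sections = {}
    for title, body in zip(parts[1::2], parts[2::2]):
        sections[title.strip()] = [
            parse_record(chunk) for chunk in body.strip().split("\n\n") if chunk.strip()
        ]
    return sections


def parse_record(chunk):
    """Split one blank-line-delimited entry into fields; a value runs to the next key."""
    record = {}
    for line in chunk.splitlines():
        hits = list(KEY_RE.finditer(line))
        for n, hit in enumerate(hits):
            end = hits[n + 1].start() if n + 1 < len(hits) else len(line)
            record[hit.group(1)] = line[hit.end():end].strip()
    return record


def triage(text, scanner_basename=None):
    """Return (priority, section, subject, reason) tuples, highest priority first.
    scanner_basename is what RootRepeal.exe was renamed to, so the driver it loads
    under that name is reported as expected rather than suspect (my heuristic)."""
    findings, report = [], parse_report(text)
    for drv in report.get("Drivers", []):
        name = drv.get("Name", "")
        if scanner_basename and name.lower().startswith(scanner_basename.lower()):
            findings.append(("info", "Drivers", name, "same name as the renamed scanner; its own driver"))
        elif drv.get("File Visible") == "No":           # "-" means the file was found normally
            findings.append(("high", "Drivers", name, "driver file not visible to the Windows API"))
        elif drv.get("Signed") == "No":
            findings.append(("low", "Drivers", name, "unsigned driver; confirm the vendor"))
    for entry in report.get("Hidden/Locked Files", []):
        path, status = entry.get("Path", ""), entry.get("Status", "")
        if path.lower().endswith("pagefile.sys") and status.startswith("Locked"):
            continue                                     # always locked while Windows runs
        findings.append(("high" if "Invisible" in status else "low",
                         "Hidden/Locked Files", path, status))
    for sec in ("SSDT", "Shadow SSDT"):                  # anything but "Not hooked" matters
        for entry in report.get(sec, []):
            if entry.get("Status") != "Not hooked":
                findings.append(("high", sec, entry.get("Function Name", "?"), entry.get("Status", "")))
    return sorted(findings, key=lambda f: ("high", "low", "info").index(f[0]))
```

Run `triage(open("RootRepeal.txt").read(), scanner_basename="tatertot")` against a saved report and the hidden driver, the invisible file and the hooked SSDT entry come out first; "Allocation size mismatch" entries such as the etilqs_ temp files in the posted log rank low, since temp files in use during the scan commonly produce them. The script only reads what the tool managed to see: a rootkit that crashes the scanner, as in this thread, still has to be coaxed into running it (Safe Mode, the rename, the Disk Access setting) before there is a report to parse.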

#3 Wendy K. Walker
  • Topic Starter
  • Members
  • 633 posts
  • Gender: Female
  • Location: In The Treeline 300 Yards Behind You, Tracking Your Every Move Through A Sniper Scope

Posted 25 November 2009 - 03:09 AM

Hi garmanma, Thanks for the reply.

As of right this moment I am no longer "Wondering" if something evil has sneaked into my machine, I am certain of it.

I followed your advice and deleted the copy of RootRepeal that I had and got a fresh copy from the preferred download site. When I tried to run it my system crashed.

I got into Safe Mode as the automatic reboot started and renamed RootRepeal as you recommended. The program started with no problem but I couldn't remember the steps you had said to follow so I closed the program and rebooted into Standard Mode, snagged your instructions, rebooted back into safe Mode and attempted to run the program again.

And once again my system crashed.

I rebooted back into Safe Mode, renamed the program, opened it and ran it with no problem. Whatever it is lurking in my PC is pretty darn smart.

When I finished and booted back into Standard Mode I had the Microsoft message stating that the system had recovered from a serious error. I didn't send the error report but I did open that notice up to get a look at the technical data. I did a screen capture of that if you need to see it.

When I tried to do the Start > Run thing with that code I got a message back saying that Windows could not find Dir..., uh-oh. *feeling really blond here* I just realized that I did that wrong. Got it right now though.

Here are the logs that you requested. Let me know if I goofed and these have to be done in Standard Mode and I'll try to get them done over.

RootRepeal ran in Safe Mode:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/25 06:37
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xFC537000 Size: 187776 File Visible: - Signed: Yes
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: Yes
Status: -

Name: AFS2K.SYS
Image Path: C:\WINDOWS\System32\Drivers\AFS2K.SYS
Address: 0xFC626000 Size: 35840 File Visible: - Signed: Yes
Status: -

Name: agp440.sys
Image Path: agp440.sys
Address: 0xFC5E6000 Size: 42368 File Visible: - Signed: Yes
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xFC4EF000 Size: 96512 File Visible: - Signed: Yes
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xFCAA8000 Size: 4224 File Visible: - Signed: Yes
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xFC996000 Size: 12288 File Visible: - Signed: Yes
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xFC6E6000 Size: 63744 File Visible: - Signed: Yes
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xFC636000 Size: 62976 File Visible: - Signed: Yes
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xFC5C6000 Size: 53248 File Visible: - Signed: Yes
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xFC5B6000 Size: 36352 File Visible: - Signed: Yes
Status: -

Name: drvmcdb.sys
Image Path: drvmcdb.sys
Address: 0xFC4AA000 Size: 75968 File Visible: - Signed: No
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xFC177000 Size: 98304 File Visible: No Signed: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xFCAB6000 Size: 8192 File Visible: No Signed: No
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xFCA46000 Size: 12288 File Visible: - Signed: Yes
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C4000 Size: 73728 File Visible: - Signed: Yes
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xFCB6D000 Size: 4096 File Visible: - Signed: Yes
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xFC22F000 Size: 143744 File Visible: - Signed: Yes
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xFC916000 Size: 27392 File Visible: - Signed: Yes
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xFC8E6000 Size: 20480 File Visible: - Signed: Yes
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xFC4CF000 Size: 129792 File Visible: - Signed: Yes
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xFCAA4000 Size: 7936 File Visible: - Signed: Yes
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xFC507000 Size: 125056 File Visible: - Signed: Yes
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000 Size: 131840 File Visible: - Signed: Yes
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xFC6D6000 Size: 36864 File Visible: - Signed: Yes
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xFC8F6000 Size: 28672 File Visible: - Signed: Yes
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xFC370000 Size: 10368 File Visible: - Signed: Yes
Status: -

Name: HPZius12.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HPZius12.sys
Address: 0xFC976000 Size: 21568 File Visible: - Signed: Yes
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xFC606000 Size: 52480 File Visible: - Signed: Yes
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys
Address: 0xFC616000 Size: 42112 File Visible: - Signed: Yes
Status: -

Name: inspect.sys
Image Path: inspect.sys
Address: 0xFC3F4000 Size: 72832 File Visible: - Signed: Yes
Status: -

Name: intelide.sys
Image Path: intelide.sys
Address: 0xFCA8C000 Size: 5504 File Visible: - Signed: Yes
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xFC586000 Size: 37248 File Visible: - Signed: Yes
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xFC866000 Size: 24576 File Visible: - Signed: Yes
Status: -

Name: kbdhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xFC360000 Size: 14592 File Visible: - Signed: Yes
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xFCA86000 Size: 8192 File Visible: - Signed: Yes
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ks.sys
Address: 0xFC331000 Size: 143360 File Visible: - Signed: Yes
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xFC493000 Size: 92928 File Visible: - Signed: Yes
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xFC906000 Size: 23040 File Visible: - Signed: Yes
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouhid.sys
Address: 0xFC358000 Size: 12160 File Visible: - Signed: Yes
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xFC596000 Size: 42368 File Visible: - Signed: Yes
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xFC94E000 Size: 19072 File Visible: - Signed: Yes
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xFCA36000 Size: 15488 File Visible: - Signed: Yes
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xFC3AD000 Size: 105344 File Visible: - Signed: Yes
Status: -

Name: MxlW2k.SYS
Image Path: C:\WINDOWS\System32\Drivers\MxlW2k.SYS
Address: 0xFC936000 Size: 25344 File Visible: - Signed: No
Status: -

Name: NDIS.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\NDIS.SYS
Address: 0xFC3C7000 Size: 182656 File Visible: - Signed: Yes
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xFC95E000 Size: 30848 File Visible: - Signed: Yes
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xFC406000 Size: 574976 File Visible: - Signed: Yes
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: Yes
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xFCB7B000 Size: 2944 File Visible: - Signed: Yes
Status: -

Name: nv_agp.sys
Image Path: nv_agp.sys
Address: 0xFC99E000 Size: 12160 File Visible: - Signed: Yes
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xFC80E000 Size: 19712 File Visible: - Signed: Yes
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xFC526000 Size: 68224 File Visible: - Signed: Yes
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xFCB4E000 Size: 3328 File Visible: - Signed: Yes
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xFC806000 Size: 28672 File Visible: - Signed: Yes
Status: -

Name: pfc.sys
Image Path: C:\WINDOWS\system32\drivers\pfc.sys
Address: 0xFCA22000 Size: 8768 File Visible: - Signed: No
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: Yes
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xFC99A000 Size: 15712 File Visible: - Signed: No
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: Yes
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xFC646000 Size: 57600 File Visible: - Signed: Yes
Status: -

Name: SISAGP.sys
Image Path: SISAGP.sys
Address: 0xFC81E000 Size: 27136 File Visible: - Signed: Yes
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xFC4BD000 Size: 73472 File Visible: - Signed: Yes
Status: -

Name: sscdbhk5.sys
Image Path: C:\WINDOWS\system32\drivers\sscdbhk5.sys
Address: 0xFCA94000 Size: 5536 File Visible: - Signed: No
Status: -

Name: ssrtln.sys
Image Path: C:\WINDOWS\system32\drivers\ssrtln.sys
Address: 0xFC90E000 Size: 22912 File Visible: - Signed: No
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xFCA9C000 Size: 4352 File Visible: - Signed: Yes
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xFC816000 Size: 20480 File Visible: - Signed: Yes
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xFC656000 Size: 40704 File Visible: - Signed: Yes
Status: -

Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xFC2AF000 Size: 384768 File Visible: - Signed: Yes
Status: -

Name: usbccgp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbccgp.sys
Address: 0xFC8D6000 Size: 32128 File Visible: - Signed: Yes
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xFCAA0000 Size: 8192 File Visible: - Signed: Yes
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xFC666000 Size: 59520 File Visible: - Signed: Yes
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xFC30D000 Size: 147456 File Visible: - Signed: Yes
Status: -

Name: usbprint.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbprint.sys
Address: 0xFC966000 Size: 25856 File Visible: - Signed: Yes
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Address: 0xFC986000 Size: 20608 File Visible: - Signed: Yes
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xFC926000 Size: 20992 File Visible: - Signed: Yes
Status: -

Name: vga256.dll
Image Path: C:\WINDOWS\System32\vga256.dll
Address: 0xBFF50000 Size: 53248 File Visible: - Signed: Yes
Status: -

Name: viaagp.sys
Image Path: viaagp.sys
Address: 0xFC5D6000 Size: 42240 File Visible: - Signed: Yes
Status: -

Name: viaide.sys
Image Path: viaide.sys
Address: 0xFCA8A000 Size: 5376 File Visible: - Signed: Yes
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\drivers\VIDEOPRT.SYS
Address: 0xFC29B000 Size: 81920 File Visible: - Signed: Yes
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xFC5A6000 Size: 52352 File Visible: - Signed: Yes
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xFC89E000 Size: 20480 File Visible: - Signed: Yes
Status: -

Name: wendystoy.scr.sys
Image Path: C:\WINDOWS\system32\drivers\wendystoy.scr.sys
Address: 0xFC746000 Size: 49152 File Visible: No Signed: No
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: Yes
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: Yes
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xFCA88000 Size: 8192 File Visible: - Signed: Yes
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: Yes
Status: -

Hidden/Locked Files
-------------------
Path: C:\pagefile.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\ADMIN\Local Settings\temp\etilqs_hWtOC6gwJejNiFPaubr5
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\ADMIN\Local Settings\temp\etilqs_XCrd6CosG8hAO70J2HnW
Status: Allocation size mismatch (API: 4096, Raw: 0)

Processes
-------------------
Path: System
PID: 4 Status: -

Path: C:\WINDOWS\system32\smss.exe
PID: 128 Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 176 Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 200 Status: -

Path: C:\WINDOWS\system32\services.exe
PID: 244 Status: -

Path: C:\WINDOWS\system32\lsass.exe
PID: 264 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 412 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 476 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 528 Status: -

Path: C:\WINDOWS\explorer.exe
PID: 764 Status: -

Path: C:\Documents and Settings\ADMIN\Desktop\wendystoy.scr
PID: 1052 Status: -

Path: C:\Program Files\OpenOffice.org 3\program\swriter.exe
PID: 1080 Status: -

Path: C:\Program Files\OpenOffice.org 3\program\soffice.exe
PID: 1088 Status: -

Path: C:\Program Files\OpenOffice.org 3\program\soffice.bin
PID: 1096 Status: -

SSDT
-------------------
Stealth Objects
-------------------
Hidden Services
-------------------
Shadow SSDT
-------------------
#: 000 Function Name: NtGdiAbortDoc
Status: Not hooked

#: 001 Function Name: NtGdiAbortPath
Status: Not hooked

#: 002 Function Name: NtGdiAddFontResourceW
Status: Not hooked

#: 003 Function Name: NtGdiAddRemoteFontToDC
Status: Not hooked

#: 004 Function Name: NtGdiAddFontMemResourceEx
Status: Not hooked

#: 005 Function Name: NtGdiRemoveMergeFont
Status: Not hooked

#: 006 Function Name: NtGdiAddRemoteMMInstanceToDC
Status: Not hooked

#: 007 Function Name: NtGdiAlphaBlend
Status: Not hooked

#: 008 Function Name: NtGdiAngleArc
Status: Not hooked

#: 009 Function Name: NtGdiAnyLinkedFonts
Status: Not hooked

#: 010 Function Name: NtGdiFontIsLinked
Status: Not hooked

#: 011 Function Name: NtGdiArcInternal
Status: Not hooked

#: 012 Function Name: NtGdiBeginPath
Status: Not hooked

#: 013 Function Name: NtGdiBitBlt
Status: Not hooked

#: 014 Function Name: NtGdiCancelDC
Status: Not hooked

#: 015 Function Name: NtGdiCheckBitmapBits
Status: Not hooked

#: 016 Function Name: NtGdiCloseFigure
Status: Not hooked

#: 017 Function Name: NtGdiClearBitmapAttributes
Status: Not hooked

#: 018 Function Name: NtGdiClearBrushAttributes
Status: Not hooked

#: 019 Function Name: NtGdiColorCorrectPalette
Status: Not hooked

#: 020 Function Name: NtGdiCombineRgn
Status: Not hooked

#: 021 Function Name: NtGdiCombineTransform
Status: Not hooked

#: 022 Function Name: NtGdiComputeXformCoefficients
Status: Not hooked

#: 023 Function Name: NtGdiConsoleTextOut
Status: Not hooked

#: 024 Function Name: NtGdiConvertMetafileRect
Status: Not hooked

#: 025 Function Name: NtGdiCreateBitmap
Status: Not hooked

#: 026 Function Name: NtGdiCreateClientObj
Status: Not hooked

#: 027 Function Name: NtGdiCreateColorSpace
Status: Not hooked

#: 028 Function Name: NtGdiCreateColorTransform
Status: Not hooked

#: 029 Function Name: NtGdiCreateCompatibleBitmap
Status: Not hooked

#: 030 Function Name: NtGdiCreateCompatibleDC
Status: Not hooked

#: 031 Function Name: NtGdiCreateDIBBrush
Status: Not hooked

#: 032 Function Name: NtGdiCreateDIBitmapInternal
Status: Not hooked

#: 033 Function Name: NtGdiCreateDIBSection
Status: Not hooked

#: 034 Function Name: NtGdiCreateEllipticRgn
Status: Not hooked

#: 035 Function Name: NtGdiCreateHalftonePalette
Status: Not hooked

#: 036 Function Name: NtGdiCreateHatchBrushInternal
Status: Not hooked

#: 037 Function Name: NtGdiCreateMetafileDC
Status: Not hooked

#: 038 Function Name: NtGdiCreatePaletteInternal
Status: Not hooked

#: 039 Function Name: NtGdiCreatePatternBrushInternal
Status: Not hooked

#: 040 Function Name: NtGdiCreatePen
Status: Not hooked

#: 041 Function Name: NtGdiCreateRectRgn
Status: Not hooked

#: 042 Function Name: NtGdiCreateRoundRectRgn
Status: Not hooked

#: 043 Function Name: NtGdiCreateServerMetaFile
Status: Not hooked

#: 044 Function Name: NtGdiCreateSolidBrush
Status: Not hooked

#: 045 Function Name: NtGdiD3dContextCreate
Status: Not hooked

#: 046 Function Name: NtGdiD3dContextDestroy
Status: Not hooked

#: 047 Function Name: NtGdiD3dContextDestroyAll
Status: Not hooked

#: 048 Function Name: NtGdiD3dValidateTextureStageState
Status: Not hooked

#: 049 Function Name: NtGdiD3dDrawPrimitives2
Status: Not hooked

#: 050 Function Name: NtGdiDdGetDriverState
Status: Not hooked

#: 051 Function Name: NtGdiDdAddAttachedSurface
Status: Not hooked

#: 052 Function Name: NtGdiDdAlphaBlt
Status: Not hooked

#: 053 Function Name: NtGdiDdAttachSurface
Status: Not hooked

#: 054 Function Name: NtGdiDdBeginMoCompFrame
Status: Not hooked

#: 055 Function Name: NtGdiDdBlt
Status: Not hooked

#: 056 Function Name: NtGdiDdCanCreateSurface
Status: Not hooked

#: 057 Function Name: NtGdiDdCanCreateD3DBuffer
Status: Not hooked

#: 058 Function Name: NtGdiDdColorControl
Status: Not hooked

#: 059 Function Name: NtGdiDdCreateDirectDrawObject
Status: Not hooked

#: 060 Function Name: NtGdiDdCreateSurface
Status: Not hooked

#: 061 Function Name: NtGdiDdCreateD3DBuffer
Status: Not hooked

#: 062 Function Name: NtGdiDdCreateMoComp
Status: Not hooked

#: 063 Function Name: NtGdiDdCreateSurfaceObject
Status: Not hooked

#: 064 Function Name: NtGdiDdDeleteDirectDrawObject
Status: Not hooked

#: 065 Function Name: NtGdiDdDeleteSurfaceObject
Status: Not hooked

#: 066 Function Name: NtGdiDdDestroyMoComp
Status: Not hooked

#: 067 Function Name: NtGdiDdDestroySurface
Status: Not hooked

#: 068 Function Name: NtGdiDdDestroyD3DBuffer
Status: Not hooked

#: 069 Function Name: NtGdiDdEndMoCompFrame
Status: Not hooked

#: 070 Function Name: NtGdiDdFlip
Status: Not hooked

#: 071 Function Name: NtGdiDdFlipToGDISurface
Status: Not hooked

#: 072 Function Name: NtGdiDdGetAvailDriverMemory
Status: Not hooked

#: 073 Function Name: NtGdiDdGetBltStatus
Status: Not hooked

#: 074 Function Name: NtGdiDdGetDC
Status: Not hooked

#: 075 Function Name: NtGdiDdGetDriverInfo
Status: Not hooked

#: 076 Function Name: NtGdiDdGetDxHandle
Status: Not hooked

#: 077 Function Name: NtGdiDdGetFlipStatus
Status: Not hooked

#: 078 Function Name: NtGdiDdGetInternalMoCompInfo
Status: Not hooked

#: 079 Function Name: NtGdiDdGetMoCompBuffInfo
Status: Not hooked

#: 080 Function Name: NtGdiDdGetMoCompGuids
Status: Not hooked

#: 081 Function Name: NtGdiDdGetMoCompFormats
Status: Not hooked

#: 082 Function Name: NtGdiDdGetScanLine
Status: Not hooked

#: 083 Function Name: NtGdiDdLock
Status: Not hooked

#: 084 Function Name: NtGdiDdLockD3D
Status: Not hooked

#: 085 Function Name: NtGdiDdQueryDirectDrawObject
Status: Not hooked

#: 086 Function Name: NtGdiDdQueryMoCompStatus
Status: Not hooked

#: 087 Function Name: NtGdiDdReenableDirectDrawObject
Status: Not hooked

#: 088 Function Name: NtGdiDdReleaseDC
Status: Not hooked

#: 089 Function Name: NtGdiDdRenderMoComp
Status: Not hooked

#: 090 Function Name: NtGdiDdResetVisrgn
Status: Not hooked

#: 091 Function Name: NtGdiDdSetColorKey
Status: Not hooked

#: 092 Function Name: NtGdiDdSetExclusiveMode
Status: Not hooked

#: 093 Function Name: NtGdiDdSetGammaRamp
Status: Not hooked

#: 094 Function Name: NtGdiDdCreateSurfaceEx
Status: Not hooked

#: 095 Function Name: NtGdiDdSetOverlayPosition
Status: Not hooked

#: 096 Function Name: NtGdiDdUnattachSurface
Status: Not hooked

#: 097 Function Name: NtGdiDdUnlock
Status: Not hooked

#: 098 Function Name: NtGdiDdUnlockD3D
Status: Not hooked

#: 099 Function Name: NtGdiDdUpdateOverlay
Status: Not hooked

#: 100 Function Name: NtGdiDdWaitForVerticalBlank
Status: Not hooked

#: 101 Function Name: NtGdiDvpCanCreateVideoPort
Status: Not hooked

#: 102 Function Name: NtGdiDvpColorControl
Status: Not hooked

#: 103 Function Name: NtGdiDvpCreateVideoPort
Status: Not hooked

#: 104 Function Name: NtGdiDvpDestroyVideoPort
Status: Not hooked

#: 105 Function Name: NtGdiDvpFlipVideoPort
Status: Not hooked

#: 106 Function Name: NtGdiDvpGetVideoPortBandwidth
Status: Not hooked

#: 107 Function Name: NtGdiDvpGetVideoPortField
Status: Not hooked

#: 108 Function Name: NtGdiDvpGetVideoPortFlipStatus
Status: Not hooked

#: 109 Function Name: NtGdiDvpGetVideoPortInputFormats
Status: Not hooked

#: 110 Function Name: NtGdiDvpGetVideoPortLine
Status: Not hooked

#: 111 Function Name: NtGdiDvpGetVideoPortOutputFormats
Status: Not hooked

#: 112 Function Name: NtGdiDvpGetVideoPortConnectInfo
Status: Not hooked

#: 113 Function Name: NtGdiDvpGetVideoSignalStatus
Status: Not hooked

#: 114 Function Name: NtGdiDvpUpdateVideoPort
Status: Not hooked

#: 115 Function Name: NtGdiDvpWaitForVideoPortSync
Status: Not hooked

#: 116 Function Name: NtGdiDvpAcquireNotification
Status: Not hooked

#: 117 Function Name: NtGdiDvpReleaseNotification
Status: Not hooked

#: 118 Function Name: NtGdiDxgGenericThunk
Status: Not hooked

#: 119 Function Name: NtGdiDeleteClientObj
Status: Not hooked

#: 120 Function Name: NtGdiDeleteColorSpace
Status: Not hooked

#: 121 Function Name: NtGdiDeleteColorTransform
Status: Not hooked

#: 122 Function Name: NtGdiDeleteObjectApp
Status: Not hooked

#: 123 Function Name: NtGdiDescribePixelFormat
Status: Not hooked

#: 124 Function Name: NtGdiGetPerBandInfo
Status: Not hooked

#: 125 Function Name: NtGdiDoBanding
Status: Not hooked

#: 126 Function Name: NtGdiDoPalette
Status: Not hooked

#: 127 Function Name: NtGdiDrawEscape
Status: Not hooked

#: 128 Function Name: NtGdiEllipse
Status: Not hooked

#: 129 Function Name: NtGdiEnableEudc
Status: Not hooked

#: 130 Function Name: NtGdiEndDoc
Status: Not hooked

#: 131 Function Name: NtGdiEndPage
Status: Not hooked

#: 132 Function Name: NtGdiEndPath
Status: Not hooked

#: 133 Function Name: NtGdiEnumFontChunk
Status: Not hooked

#: 134 Function Name: NtGdiEnumFontClose
Status: Not hooked

#: 135 Function Name: NtGdiEnumFontOpen
Status: Not hooked

#: 136 Function Name: NtGdiEnumObjects
Status: Not hooked

#: 137 Function Name: NtGdiEqualRgn
Status: Not hooked

#: 138 Function Name: NtGdiEudcLoadUnloadLink
Status: Not hooked

#: 139 Function Name: NtGdiExcludeClipRect
Status: Not hooked

#: 140 Function Name: NtGdiExtCreatePen
Status: Not hooked

#: 141 Function Name: NtGdiExtCreateRegion
Status: Not hooked

#: 142 Function Name: NtGdiExtEscape
Status: Not hooked

#: 143 Function Name: NtGdiExtFloodFill
Status: Not hooked

#: 144 Function Name: NtGdiExtGetObjectW
Status: Not hooked

#: 145 Function Name: NtGdiExtSelectClipRgn
Status: Not hooked

#: 146 Function Name: NtGdiExtTextOutW
Status: Not hooked

#: 147 Function Name: NtGdiFillPath
Status: Not hooked

#: 148 Function Name: NtGdiFillRgn
Status: Not hooked

#: 149 Function Name: NtGdiFlattenPath
Status: Not hooked

#: 150 Function Name: NtGdiFlushUserBatch
Status: Not hooked

#: 151 Function Name: NtGdiFlush
Status: Not hooked

#: 152 Function Name: NtGdiForceUFIMapping
Status: Not hooked

#: 153 Function Name: NtGdiFrameRgn
Status: Not hooked

#: 154 Function Name: NtGdiFullscreenControl
Status: Not hooked

#: 155 Function Name: NtGdiGetAndSetDCDword
Status: Not hooked

#: 156 Function Name: NtGdiGetAppClipBox
Status: Not hooked

#: 157 Function Name: NtGdiGetBitmapBits
Status: Not hooked

#: 158 Function Name: NtGdiGetBitmapDimension
Status: Not hooked

#: 159 Function Name: NtGdiGetBoundsRect
Status: Not hooked

#: 160 Function Name: NtGdiGetCharABCWidthsW
Status: Not hooked

#: 161 Function Name: NtGdiGetCharacterPlacementW
Status: Not hooked

#: 162 Function Name: NtGdiGetCharSet
Status: Not hooked

#: 163 Function Name: NtGdiGetCharWidthW
Status: Not hooked

#: 164 Function Name: NtGdiGetCharWidthInfo
Status: Not hooked

#: 165 Function Name: NtGdiGetColorAdjustment
Status: Not hooked

#: 166 Function Name: NtGdiGetColorSpaceforBitmap
Status: Not hooked

#: 167 Function Name: NtGdiGetDCDword
Status: Not hooked

#: 168 Function Name: NtGdiGetDCforBitmap
Status: Not hooked

#: 169 Function Name: NtGdiGetDCObject
Status: Not hooked

#: 170 Function Name: NtGdiGetDCPoint
Status: Not hooked

#: 171 Function Name: NtGdiGetDeviceCaps
Status: Not hooked

#: 172 Function Name: NtGdiGetDeviceGammaRamp
Status: Not hooked

#: 173 Function Name: NtGdiGetDeviceCapsAll
Status: Not hooked

#: 174 Function Name: NtGdiGetDIBitsInternal
Status: Not hooked

#: 175 Function Name: NtGdiGetETM
Status: Not hooked

#: 176 Function Name: NtGdiGetEudcTimeStampEx
Status: Not hooked

#: 177 Function Name: NtGdiGetFontData
Status: Not hooked

#: 178 Function Name: NtGdiGetFontResourceInfoInternalW
Status: Not hooked

#: 179 Function Name: NtGdiGetGlyphIndicesW
Status: Not hooked

#: 180 Function Name: NtGdiGetGlyphIndicesWInternal
Status: Not hooked

#: 181 Function Name: NtGdiGetGlyphOutline
Status: Not hooked

#: 182 Function Name: NtGdiGetKerningPairs
Status: Not hooked

#: 183 Function Name: NtGdiGetLinkedUFIs
Status: Not hooked

#: 184 Function Name: NtGdiGetMiterLimit
Status: Not hooked

#: 185 Function Name: NtGdiGetMonitorID
Status: Not hooked

#: 186 Function Name: NtGdiGetNearestColor
Status: Not hooked

#: 187 Function Name: NtGdiGetNearestPaletteIndex
Status: Not hooked

#: 188 Function Name: NtGdiGetObjectBitmapHandle
Status: Not hooked

#: 189 Function Name: NtGdiGetOutlineTextMetricsInternalW
Status: Not hooked

#: 190 Function Name: NtGdiGetPath
Status: Not hooked

#: 191 Function Name: NtGdiGetPixel
Status: Not hooked

#: 192 Function Name: NtGdiGetRandomRgn
Status: Not hooked

#: 193 Function Name: NtGdiGetRasterizerCaps
Status: Not hooked

#: 194 Function Name: NtGdiGetRealizationInfo
Status: Not hooked

#: 195 Function Name: NtGdiGetRegionData
Status: Not hooked

#: 196 Function Name: NtGdiGetRgnBox
Status: Not hooked

#: 197 Function Name: NtGdiGetServerMetaFileBits
Status: Not hooked

#: 198 Function Name: NtGdiGetSpoolMessage
Status: Not hooked

#: 199 Function Name: NtGdiGetStats
Status: Not hooked

#: 200 Function Name: NtGdiGetStockObject
Status: Not hooked

#: 201 Function Name: NtGdiGetStringBitmapW
Status: Not hooked

#: 202 Function Name: NtGdiGetSystemPaletteUse
Status: Not hooked

#: 203 Function Name: NtGdiGetTextCharsetInfo
Status: Not hooked

#: 204 Function Name: NtGdiGetTextExtent
Status: Not hooked

#: 205 Function Name: NtGdiGetTextExtentExW
Status: Not hooked

#: 206 Function Name: NtGdiGetTextFaceW
Status: Not hooked

#: 207 Function Name: NtGdiGetTextMetricsW
Status: Not hooked

#: 208 Function Name: NtGdiGetTransform
Status: Not hooked

#: 209 Function Name: NtGdiGetUFI
Status: Not hooked

#: 210 Function Name: NtGdiGetEmbUFI
Status: Not hooked

#: 211 Function Name: NtGdiGetUFIPathname
Status: Not hooked

#: 212 Function Name: NtGdiGetEmbedFonts
Status: Not hooked

#: 213 Function Name: NtGdiChangeGhostFont
Status: Not hooked

#: 214 Function Name: NtGdiAddEmbFontToDC
Status: Not hooked

#: 215 Function Name: NtGdiGetFontUnicodeRanges
Status: Not hooked

#: 216 Function Name: NtGdiGetWidthTable
Status: Not hooked

#: 217 Function Name: NtGdiGradientFill
Status: Not hooked

#: 218 Function Name: NtGdiHfontCreate
Status: Not hooked

#: 219 Function Name: NtGdiIcmBrushInfo
Status: Not hooked

#: 220 Function Name: NtGdiInit
Status: Not hooked

#: 221 Function Name: NtGdiInitSpool
Status: Not hooked

#: 222 Function Name: NtGdiIntersectClipRect
Status: Not hooked

#: 223 Function Name: NtGdiInvertRgn
Status: Not hooked

#: 224 Function Name: NtGdiLineTo
Status: Not hooked

#: 225 Function Name: NtGdiMakeFontDir
Status: Not hooked

#: 226 Function Name: NtGdiMakeInfoDC
Status: Not hooked

#: 227 Function Name: NtGdiMaskBlt
Status: Not hooked

#: 228 Function Name: NtGdiModifyWorldTransform
Status: Not hooked

#: 229 Function Name: NtGdiMonoBitmap
Status: Not hooked

#: 230 Function Name: NtGdiMoveTo
Status: Not hooked

#: 231 Function Name: NtGdiOffsetClipRgn
Status: Not hooked

#: 232 Function Name: NtGdiOffsetRgn
Status: Not hooked

#: 233 Function Name: NtGdiOpenDCW
Status: Not hooked

#: 234 Function Name: NtGdiPatBlt
Status: Not hooked

#: 235 Function Name: NtGdiPolyPatBlt
Status: Not hooked

#: 236 Function Name: NtGdiPathToRegion
Status: Not hooked

#: 237 Function Name: NtGdiPlgBlt
Status: Not hooked

#: 238 Function Name: NtGdiPolyDraw
Status: Not hooked

#: 239 Function Name: NtGdiPolyPolyDraw
Status: Not hooked

#: 240 Function Name: NtGdiPolyTextOutW
Status: Not hooked

#: 241 Function Name: NtGdiPtInRegion
Status: Not hooked

#: 242 Function Name: NtGdiPtVisible
Status: Not hooked

#: 243 Function Name: NtGdiQueryFonts
Status: Not hooked

#: 244 Function Name: NtGdiQueryFontAssocInfo
Status: Not hooked

#: 245 Function Name: NtGdiRectangle
Status: Not hooked

#: 246 Function Name: NtGdiRectInRegion
Status: Not hooked

#: 247 Function Name: NtGdiRectVisible
Status: Not hooked

#: 248 Function Name: NtGdiRemoveFontResourceW
Status: Not hooked

#: 249 Function Name: NtGdiRemoveFontMemResourceEx
Status: Not hooked

#: 250 Function Name: NtGdiResetDC
Status: Not hooked

#: 251 Function Name: NtGdiResizePalette
Status: Not hooked

#: 252 Function Name: NtGdiRestoreDC
Status: Not hooked

#: 253 Function Name: NtGdiRoundRect
Status: Not hooked

#: 254 Function Name: NtGdiSaveDC
Status: Not==EOF==

Win32kDiag Ran in Safe Mode

Running from: C:\Documents and Settings\ADMIN\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\ADMIN\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

And this log ran in Standard Mode

Volume in drive C is HP_PAVILION
Volume Serial Number is 68D1-D0A5

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 07:56 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 07:56 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 07:56 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 12:12 AM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 12:12 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/14/2008 12:11 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/14/2008 12:12 AM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/14/2008 12:12 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/14/2008 12:11 AM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 38,597,734,400 bytes free


OK, That's it. Thanks for your help and insight here.

Wendy
TRUST NO ONE...! EXCEPT For The Beloved Computer Geek Helping You In The MALWARE FORUMS.

Do Unto Others Before They Have A Chance To Do Unto You.

HP Pavilion 512n [Rescued from a pile of trash on the side of the road] 128 MB SDRAM, 60 GB Hard Drive, Windows XP, Home Edition, SP3, COMODO Anti Virus and Firewall.
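Two defender-side checks over the logs pasted in the post above, as an added example that is not part of the original thread and not code from RootRepeal or Win32kDiag: it classifies each RootRepeal SSDT entry (including the one cut off at the forum's ==EOF== marker, which needs a re-run rather than a guess) and compares the dir-listing sizes of scecli.dll, netlogon.dll and eventlog.dll in system32 against the ServicePackFiles\i386 reference copies. The "Hooked by" entry and the driver name example.sys in the sample are constructed; the rest of the sample input is copied from the logs above.

```python
"""Triage helpers for RootRepeal SSDT output and the Win32kDiag dir listing.

Added example for this thread; not code from RootRepeal or Win32kDiag.
"""
import re

# Entries 252 and 254 are copied from the SSDT log above (254 is the one the
# forum truncated at "==EOF=="). Entry 253's status line is CONSTRUCTED to
# show what a flagged entry looks like; the real log shows it as not hooked.
SSDT_SAMPLE = """\
#: 252 Function Name: NtGdiRestoreDC
Status: Not hooked

#: 253 Function Name: NtGdiRoundRect
Status: Hooked by "C:\\WINDOWS\\system32\\drivers\\example.sys" at address 0xfbe30120

#: 254 Function Name: NtGdiSaveDC
Status: Not==EOF==
"""

# Copied from the standard-mode dir listing above.
DIR_SAMPLE = """\
 Directory of C:\\WINDOWS\\$NtServicePackUninstall$

08/04/2004 07:56 AM 180,224 scecli.dll
08/04/2004 07:56 AM 407,040 netlogon.dll
08/04/2004 07:56 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

 Directory of C:\\WINDOWS\\ServicePackFiles\\i386

04/14/2008 12:12 AM 181,248 scecli.dll
04/14/2008 12:12 AM 407,040 netlogon.dll
04/14/2008 12:11 AM 56,320 eventlog.dll

 Directory of C:\\WINDOWS\\system32

04/14/2008 12:12 AM 181,248 scecli.dll
04/14/2008 12:12 AM 407,040 netlogon.dll
04/14/2008 12:11 AM 56,320 eventlog.dll
"""

FUNC_RE = re.compile(r"^#:\s*\d+\s+Function Name:\s*(\S+)")
STATUS_RE = re.compile(r"^Status:\s*(.*)$")
DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_RE = re.compile(
    r"^\s*\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(\S+)\s*$")


def classify_status(status):
    """Map a RootRepeal Status line to 'clean', 'hooked' or 'truncated'."""
    s = status.replace("==EOF==", "").strip()
    if s.startswith("Not hooked"):
        return "clean"
    if s.startswith("Hooked"):
        return "hooked"
    # Anything else (e.g. "Not" left over from the forum cut-off) cannot be
    # judged from the log and should trigger a re-run, not a verdict.
    return "truncated"


def parse_ssdt(text):
    """Return {function_name: (classification, raw_status)}."""
    result, pending = {}, None
    for line in text.splitlines():
        m = FUNC_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = STATUS_RE.match(line)
        if m and pending:
            result[pending] = (classify_status(m.group(1)), m.group(1).strip())
            pending = None
    return result


def ssdt_findings(text):
    """Functions whose entry needs a closer look: hooked or truncated."""
    return {name: cls for name, (cls, _) in parse_ssdt(text).items()
            if cls != "clean"}


def parse_dir_listing(text):
    """Return {directory: {filename_lower: size_in_bytes}} from `dir` output."""
    sizes, current = {}, None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1)
            sizes.setdefault(current, {})
            continue
        m = FILE_RE.match(line)
        if m and current is not None:
            sizes[current][m.group(2).lower()] = int(m.group(1).replace(",", ""))
    return sizes


def size_mismatches(sizes, reference_dir, live_dir):
    """Files whose live copy differs in size from the reference copy, as
    (name, reference_size, live_size); a missing live file reports None."""
    ref, live = sizes.get(reference_dir, {}), sizes.get(live_dir, {})
    return [(name, ref_size, live.get(name))
            for name, ref_size in sorted(ref.items())
            if live.get(name) != ref_size]


if __name__ == "__main__":
    print("SSDT findings:", ssdt_findings(SSDT_SAMPLE))
    sizes = parse_dir_listing(DIR_SAMPLE)
    print("system32 vs SP3 reference:", size_mismatches(
        sizes, "C:\\WINDOWS\\ServicePackFiles\\i386", "C:\\WINDOWS\\system32"))
```

On the listing above, system32 matches the SP3 reference copies exactly, which is the outcome this log step is meant to confirm; the older $NtServicePackUninstall$ copies differ only because they are the pre-SP3 versions.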

#4 garmanma, Computer Masochist (Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 25 November 2009 - 07:34 PM

I'm getting mixed signals here, not sure what's going on just yet

Humor me and run these 3 scans


The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware Free version and save it to your desktop.

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.


alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
---------------------------
Be sure to re-enable your AV and malware scan tools if they were disabled

=======================

SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.

First, reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

==========================


Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#5 Wendy K. Walker, Topic Starter (Members, 633 posts)

Posted 26 November 2009 - 05:10 AM

Hi garmanma, Thanks for the reply.

I'm getting mixed signals here, not sure what's going on just yet


You and me both Boo. Several months ago I had to uninstall SpyBot S&D because TeaTimer was hogging up all of my resources, and SpyBot would never fully load for me to disable it.

Then three, maybe four weeks ago I got an error message saying: System settings protector has encountered a problem and needs to close. I didn't know what that was at the time and I forgot about it before I got around to Googling it.

Well, today I decided to give SpyBot another shot on the off chance that I could get it to run right. It took me several hours to get it downloaded, installed and updated.

Then, just like before, it hung and just sat there for over an hour before I decided to look at Task Manager. Sure enough TeaTimer was gobbling up something like 82303kb of memory..., so I terminated the process and SpyBot finally finished loading after about another thirty minutes.

But when I tried to Immunize that sucker hung again. So I rebooted into Safe Mode and tried running it there. Again I had to terminate TeaTimer through Task Manager for SpyBot to finish loading. Once SpyBot finished I got the Congratulations, nothing was found message.

Something is definitely amiss here.

OK, I already have MalwareBytes on my desktop and recently I have been able to get it to update and run like it's supposed to. But just to make sure it hasn't been compromised in some way I'm gonna uninstall it and go with a fresh copy for this session.

I'm downloading SAS as I type this and will update and run it shortly. I will attempt to download Dr. Web CureIt, however, I have been unable to get it to download in the past due to its FTP thingy. So far all I'm getting is a 425 error message saying Failed to establish a connection but I'll give it several more shots before I scream.

I'm going to copy these instructions and get busy trying to get everything I need together for my next post.

HAPPY THANKSGIVING Boo.

Wendy

#6 garmanma, Computer Masochist (Staff Emeritus, 27,809 posts, Cleveland, Ohio)

Posted 26 November 2009 - 05:14 PM

TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy

Edited by garmanma, 26 November 2009 - 05:14 PM.

Mark

#7 Wendy K. Walker, Topic Starter (Members, 633 posts)

Posted 29 November 2009 - 03:17 AM

Hi garmanma, Thanks for the reply.

OK, but in my case I have got to completely uninstall SpyBot because every time it tries to load TeaTimer seems to hang or "Encounter a problem" that requires it to close and SpyBot never finishes loading.

I could have sworn that I had set TeaTimer not to run and SpyBot NOT to load when Windows started up. But SpyBot decided that it needed to load every time that Windows started up and TeaTimer did too.

I have just finished uninstalling SpyBot, so it shouldn't be a problem for the rest of this fix.

OK, now for that RootRepeal thingy..., I got it downloaded, but the only way that I could get it to run was by downloading a fresh copy, then booting into Safe Mode and changing its name before I hit scan. And then it would only work once under the new name.

I did manage to get two scans done but I think they are only partial scans because I didn't really understand what I was doing and I gave up trying because that sucker kept crashing my system.

Question: Is all of that system crashing that goes on when I try to run that program rootkit related, or is it the result of some kind of bug that hasn't been worked out of the Beta version?

Anyway, I'm posting the logs that I was able to get below.

MalwareBytes seems to have fallen in love with me, at least for the moment, and has been *knocking on wood* working like it was designed to..., and without changing its name too. I have been able to update it, several times now, with no problem and I have run a couple of complete system scans with it too.

RootRepeal was giving me such a hard time that I had checked out a couple of other rootkit detection and removal tools online just to see what they were all about.

The only one that I could get to download was GMER. I was also able to do a scan with it and its log is at the bottom of this post.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/24 10:35
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xFC537000 Size: 187776 File Visible: - Signed: Yes
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: Yes
Status: -

Name: AFS2K.SYS
Image Path: C:\WINDOWS\System32\Drivers\AFS2K.SYS
Address: 0xFC626000 Size: 35840 File Visible: - Signed: Yes
Status: -

Name: agp440.sys
Image Path: agp440.sys
Address: 0xFC5E6000 Size: 42368 File Visible: - Signed: Yes
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xFC4EF000 Size: 96512 File Visible: - Signed: Yes
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xFCAA6000 Size: 4224 File Visible: - Signed: Yes
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xFC996000 Size: 12288 File Visible: - Signed: Yes
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xFC6E6000 Size: 63744 File Visible: - Signed: Yes
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xFC636000 Size: 62976 File Visible: - Signed: Yes
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xFC5C6000 Size: 53248 File Visible: - Signed: Yes
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xFC5B6000 Size: 36352 File Visible: - Signed: Yes
Status: -

Name: drvmcdb.sys
Image Path: drvmcdb.sys
Address: 0xFC4AA000 Size: 75968 File Visible: - Signed: No
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xFC177000 Size: 98304 File Visible: No Signed: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xFCAB8000 Size: 8192 File Visible: No Signed: No
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xFCA7A000 Size: 12288 File Visible: - Signed: Yes
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C4000 Size: 73728 File Visible: - Signed: Yes
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xFCC8E000 Size: 4096 File Visible: - Signed: Yes
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xFC22F000 Size: 143744 File Visible: - Signed: Yes
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xFC916000 Size: 27392 File Visible: - Signed: Yes
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xFC8E6000 Size: 20480 File Visible: - Signed: Yes
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xFC4CF000 Size: 129792 File Visible: - Signed: Yes
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xFCAA2000 Size: 7936 File Visible: - Signed: Yes
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xFC507000 Size: 125056 File Visible: - Signed: Yes
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000 Size: 131840 File Visible: - Signed: Yes
Status: -

Name: handydandy.scr.sys
Image Path: C:\WINDOWS\system32\drivers\handydandy.scr.sys
Address: 0xFBE2F000 Size: 49152 File Visible: No Signed: No
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xFC6D6000 Size: 36864 File Visible: - Signed: Yes
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xFC8FE000 Size: 28672 File Visible: - Signed: Yes
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xFC374000 Size: 10368 File Visible: - Signed: Yes
Status: -

Name: HPZius12.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HPZius12.sys
Address: 0xFC97E000 Size: 21568 File Visible: - Signed: Yes
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xFC606000 Size: 52480 File Visible: - Signed: Yes
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys
Address: 0xFC616000 Size: 42112 File Visible: - Signed: Yes
Status: -

Name: inspect.sys
Image Path: inspect.sys
Address: 0xFC3F4000 Size: 72832 File Visible: - Signed: Yes
Status: -

Name: intelide.sys
Image Path: intelide.sys
Address: 0xFCA8C000 Size: 5504 File Visible: - Signed: Yes
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xFC586000 Size: 37248 File Visible: - Signed: Yes
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xFC866000 Size: 24576 File Visible: - Signed: Yes
Status: -

Name: kbdhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xFC368000 Size: 14592 File Visible: - Signed: Yes
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xFCA86000 Size: 8192 File Visible: - Signed: Yes
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ks.sys
Address: 0xFC331000 Size: 143360 File Visible: - Signed: Yes
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xFC493000 Size: 92928 File Visible: - Signed: Yes
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xFC906000 Size: 23040 File Visible: - Signed: Yes
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouhid.sys
Address: 0xFCA1A000 Size: 12160 File Visible: - Signed: Yes
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xFC596000 Size: 42368 File Visible: - Signed: Yes
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xFC94E000 Size: 19072 File Visible: - Signed: Yes
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xFCA36000 Size: 15488 File Visible: - Signed: Yes
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xFC3AD000 Size: 105344 File Visible: - Signed: Yes
Status: -

Name: MxlW2k.SYS
Image Path: C:\WINDOWS\System32\Drivers\MxlW2k.SYS
Address: 0xFC936000 Size: 25344 File Visible: - Signed: No
Status: -

Name: NDIS.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\NDIS.SYS
Address: 0xFC3C7000 Size: 182656 File Visible: - Signed: Yes
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xFC95E000 Size: 30848 File Visible: - Signed: Yes
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xFC406000 Size: 574976 File Visible: - Signed: Yes
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: Yes
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xFCC76000 Size: 2944 File Visible: - Signed: Yes
Status: -

Name: nv_agp.sys
Image Path: nv_agp.sys
Address: 0xFC99E000 Size: 12160 File Visible: - Signed: Yes
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xFC80E000 Size: 19712 File Visible: - Signed: Yes
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xFC526000 Size: 68224 File Visible: - Signed: Yes
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xFCB4E000 Size: 3328 File Visible: - Signed: Yes
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xFC806000 Size: 28672 File Visible: - Signed: Yes
Status: -

Name: pfc.sys
Image Path: C:\WINDOWS\system32\drivers\pfc.sys
Address: 0xFCA22000 Size: 8768 File Visible: - Signed: No
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: Yes
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xFC99A000 Size: 15712 File Visible: - Signed: No
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: Yes
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xFC646000 Size: 57600 File Visible: - Signed: Yes
Status: -

Name: SISAGP.sys
Image Path: SISAGP.sys
Address: 0xFC81E000 Size: 27136 File Visible: - Signed: Yes
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xFC4BD000 Size: 73472 File Visible: - Signed: Yes
Status: -

Name: sscdbhk5.sys
Image Path: C:\WINDOWS\system32\drivers\sscdbhk5.sys
Address: 0xFCA92000 Size: 5536 File Visible: - Signed: No
Status: -

Name: ssrtln.sys
Image Path: C:\WINDOWS\system32\drivers\ssrtln.sys
Address: 0xFC90E000 Size: 22912 File Visible: - Signed: No
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xFCA9A000 Size: 4352 File Visible: - Signed: Yes
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xFC816000 Size: 20480 File Visible: - Signed: Yes
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xFC656000 Size: 40704 File Visible: - Signed: Yes
Status: -

Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xFC2AF000 Size: 384768 File Visible: - Signed: Yes
Status: -

Name: usbccgp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbccgp.sys
Address: 0xFC8DE000 Size: 32128 File Visible: - Signed: Yes
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xFCA9E000 Size: 8192 File Visible: - Signed: Yes
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xFC666000 Size: 59520 File Visible: - Signed: Yes
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xFC30D000 Size: 147456 File Visible: - Signed: Yes
Status: -

Name: usbprint.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbprint.sys
Address: 0xFC96E000 Size: 25856 File Visible: - Signed: Yes
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbuhci.sys
Address: 0xFC986000 Size: 20608 File Visible: - Signed: Yes
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xFC926000 Size: 20992 File Visible: - Signed: Yes
Status: -

Name: vga256.dll
Image Path: C:\WINDOWS\System32\vga256.dll
Address: 0xBFF50000 Size: 53248 File Visible: - Signed: Yes
Status: -

Name: viaagp.sys
Image Path: viaagp.sys
Address: 0xFC5D6000 Size: 42240 File Visible: - Signed: Yes
Status: -

Name: viaide.sys
Image Path: viaide.sys
Address: 0xFCA8A000 Size: 5376 File Visible: - Signed: Yes
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\drivers\VIDEOPRT.SYS
Address: 0xFC29B000 Size: 81920 File Visible: - Signed: Yes
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xFC5A6000 Size: 52352 File Visible: - Signed: Yes
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xFC8A6000 Size: 20480 File Visible: - Signed: Yes
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: Yes
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1851392 File Visible: - Signed: Yes
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xFCA88000 Size: 8192 File Visible: - Signed: Yes
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2189184 File Visible: - Signed: Yes
Status: -

================================================

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/24 10:56
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\pagefile.sys
Status: Locked to the Windows API!

Path: D:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP155\CHANGE.LOG
Status: Allocation size mismatch (API: 16384, Raw: 4096)

==============================================

Malwarebytes' Anti-Malware 1.41
Database version: 3240
Windows 5.1.2600 Service Pack 3

11/27/2009 9:17:39 AM
mbam-log-2009-11-27 (09-17-39).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 192315
Time elapsed: 2 hour(s), 30 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

===============================================

Malwarebytes' Anti-Malware 1.41
Database version: 3251
Windows 5.1.2600 Service Pack 3

11/29/2009 12:18:27 AM
mbam-log-2009-11-29 (00-18-27).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 193082
Time elapsed: 2 hour(s), 33 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

================================================

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit quick scan 2009-11-28 07:47:15
Windows 5.1.2600 Service Pack 3
Running: wkrmw4f3.exe; Driver: C:\DOCUME~1\ADMIN\LOCALS~1\Temp\fxldqpog.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

===================================================

OK, that is what I was able to get. Malwarebytes' did find a Trojan. I killed it and corked it up in Quarantine. It listed it as:

Date: 11/5/2009
Vendor: Malware.Trace
Category: File
Items: C:\WINDOWS\_deleteme.bat
Reference #: 14403

And that's it. So what do I do next?


Wendy
TRUST NO ONE...! EXCEPT For The Beloved Computer Geek Helping You In The MALWARE FORUMS.

Do Unto Others Before They Have A Chance To Do Unto You.

HP Pavilion 512n [Rescued from a pile of trash on the side of the road] 128 MB SDRAM, 60 GB Hard Drive, Windows XP, Home Edition, SP3, COMODO Anti Virus and Firewall.

#8 garmanma
Staff Emeritus
Posted 29 November 2009 - 06:20 PM

GMER and Root Repeal look good

The only questionable thing I see is:
Path: C:\pagefile.sys
Status: Locked to the Windows API!
Path: D:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP155\CHANGE.LOG
Status: Allocation size mismatch (API: 16384, Raw: 4096)

Which is in System Restore

I would delete the restore points and if you still have issues I would then post a DDS / HJT log
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Edited by garmanma, 29 November 2009 - 06:23 PM.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#9 Wendy K. Walker
Topic Starter
Posted 29 November 2009 - 11:02 PM

Hi garmanma, Thanks for the reply.

The only questionable thing I see is:
Path: C:\pagefile.sys
Status: Locked to the Windows API!


OK, so that's not supposed to be locked like that?

Path: D:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP155\CHANGE.LOG
Status: Allocation size mismatch (API: 16384, Raw: 4096)
Which is in System Restore


That Path: D:\ thingy is like the recovery part of my Hard Drive..., right?

I didn't know that stuff in there changed. OK, so do I need to create a new restore point before tossing out all of the old ones? Or should I toss em all out and make a new one after?

Oh and I was finally able to download, install, and run another Rootkit Detector. But I had to do it through IE as FF would never finish opening the download page after I hit Download.

I ran it and here's the log file that it generated. Let me know if there is anything evil looking on it.


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 11/29/2009 at 9:24:39 AM
User "ADMIN" on computer "WENDY"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x300 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\hidec.exe4
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\hidec.exe5
Hidden: file C:\RECYCLER\S-1-5-21-2647865256-2038945071-357464061-1003\Dc3\Desktop\CleanUp452.exe
Hidden: file C:\Documents and Settings\Owner\Application Data\Real\Update\GOOGLE_TOOLBAR\spcping.dll
Hidden: file C:\Documents and Settings\Owner\Application Data\Real\Update\GOOGLE_TOOLBAR\barcontrol.dll
Hidden: file C:\Documents and Settings\Owner\Application Data\Real\Update\GOOGLE_TOOLBAR\googletoolbarinstaller.exe
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AutoPlay.exe
Hidden: file C:\Documents and Settings\Owner\Application Data\Real\Update\GOOGLE_DESKTOP\gdsapi.dll
Hidden: file C:\Documents and Settings\Owner\Application Data\Real\Update\GOOGLE_DESKTOP\spcping.dll
Hidden: file C:\Documents and Settings\Owner\Application Data\Real\Update\GOOGLE_DESKTOP\barcontrol.dll
Hidden: file C:\Documents and Settings\Owner\Application Data\Real\Update\GOOGLE_DESKTOP\gdssetup.exe
Hidden: file C:\Documents and Settings\Owner\Desktop\PokerStarsInstallPM.exe
Hidden: file C:\Documents and Settings\Owner\Desktop\screensaverfunpack.exe
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0000530.exe.info
Hidden: file C:\Documents and Settings\Owner\Desktop\BGH 2005 SS 1.exe
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0000530.exe
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\hidec.exe4.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\hidec.exe.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0000537.exe
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\hidec.exe5.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\avz_3696_1.tmp
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\avz_3696_1.tmp.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\avz_3696_1.tmp1
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\avz_3696_1.tmp1.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0000537.exe.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0069680.exe.info
Hidden: file C:\WINDOWS\system32\dllcache\olecli.dll
Hidden: file C:\hp\vinetlink\InetCtrl.dll
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AUTOPLAY.EXE1
Hidden: file C:\hp\bin\AUTOTBAR.EXE
Hidden: file C:\hp\bin\FullScreen.exe
Hidden: file C:\hp\bin\HPBI.exe
Hidden: file C:\hp\bin\WIN32ALL-125.EXE
Hidden: file C:\WINDOWS\system32\dllcache\parvdm.sys
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0069683.EXE.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0069682.exe.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0069681.exe.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\hidec.exe1
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0069673.exe
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0068058.exe
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0068250.exe
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0068355.exe
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0068573.exe
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0069680.exe
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\hidec.exe1.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\hidec.exe2
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0069681.exe
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\hidec.exe2.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0069682.exe
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\hidec.exe3.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AutoPlay.exe.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0069683.EXE
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\AUTOPLAY.EXE1.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\hidec.exe
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0068058.exe.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0068250.exe.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\hidec.exe3
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0068355.exe.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0068573.exe.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0068574.exe.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0069673.exe.info
Hidden: file C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0068574.exe
Info: Starting disk scan of D: (FAT).
Stopped logging on 11/29/2009 at 10:58:03 AM



Thanks for your help.

Wendy

#10 garmanma
Staff Emeritus
Posted 30 November 2009 - 07:01 PM

That Path: D:\ thingy is like the recovery part of my Hard Drive..., right?

System Volume Information is your System Restore Points

should I toss em all out and make a new one after?

Yes

The only thing that Sophos Anti-Rootkit shows is a bunch of quarantined items in COMODO Internet Security's quarantine folder
I would delete the folder's contents

Mark
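Reading a Sophos Anti-Rootkit log by hand, as in the reply above, means scanning dozens of near-identical "Hidden: file" paths to decide which ones sit in a folder where hidden files are normal (an antivirus quarantine store, the Recycle Bin, the system file cache) and which ones deserve a second look. The script below is an added example for this thread; it is not code from BleepingComputer, Sophos or COMODO. It parses the log format inferred from the lines posted above, groups the hidden files by folder and splits them into an "expected" and a "review" bucket. The list of expected folders and the sample lines (copied from the Sophos log above, abridged) are assumptions chosen for the example.

```python
"""Triage the 'Hidden: file' entries of a Sophos Anti-Rootkit log by folder.

Added example, not Sophos' or the thread's own code.  The log format is
inferred from the lines posted in the thread: 'Info: ...' status lines and
'Hidden: file <path>' findings; everything else is ignored.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample input: a handful of lines copied from the Sophos log posted above.
SAMPLE_LOG = """\
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\\Program Files\\COMODO\\COMODO Internet Security\\Quarantine\\hidec.exe4
Hidden: file C:\\RECYCLER\\S-1-5-21-2647865256-2038945071-357464061-1003\\Dc3\\Desktop\\CleanUp452.exe
Hidden: file C:\\Documents and Settings\\Owner\\Desktop\\PokerStarsInstallPM.exe
Hidden: file C:\\WINDOWS\\system32\\dllcache\\olecli.dll
Hidden: file C:\\Program Files\\COMODO\\COMODO Internet Security\\Quarantine\\A0000530.exe
Info: Starting disk scan of D: (FAT).
"""

HIDDEN_RE = re.compile(r"^Hidden: file (.+)$")

# Folders where hidden files are expected by design (assumed list; extend it
# for other AV products): the COMODO quarantine store, the per-user Recycle
# Bin folder, and the System File Checker cache.  Matched case-insensitively
# as a path prefix.
EXPECTED_PREFIXES = (
    "c:\\program files\\comodo\\comodo internet security\\quarantine",
    "c:\\recycler",
    "c:\\windows\\system32\\dllcache",
)


def parse_hidden_files(log_text):
    """Return every path reported on a 'Hidden: file' line, in log order."""
    return [m.group(1).strip()
            for line in log_text.splitlines()
            if (m := HIDDEN_RE.match(line))]


def group_by_folder(paths):
    """Map each parent folder to the hidden file names found directly under it."""
    groups = defaultdict(list)
    for p in paths:
        wp = PureWindowsPath(p)
        groups[str(wp.parent)].append(wp.name)
    return dict(groups)


def classify(paths):
    """Split hidden files into 'expected' (inside a known quarantine/cache
    folder) and 'review' (anywhere else, e.g. a user's Desktop), each sorted."""
    expected, review = [], []
    for p in paths:
        bucket = expected if p.casefold().startswith(EXPECTED_PREFIXES) else review
        bucket.append(p)
    return {"expected": sorted(expected), "review": sorted(review)}


def summarize(log_text):
    """One-call triage: total count, count per folder, and the two buckets."""
    paths = parse_hidden_files(log_text)
    return {
        "total": len(paths),
        "per_folder": {k: len(v) for k, v in group_by_folder(paths).items()},
        "classified": classify(paths),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"{result['total']} hidden files")
    for folder, n in sorted(result["per_folder"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:3d}  {folder}")
    for p in result["classified"]["review"]:
        print("REVIEW:", p)
```

The "review" bucket is a worklist for a human, not a verdict: a file lands there only because the scanner could not see it through the normal Windows API and it is not in a folder where that is expected. Adding a product's quarantine directory to the expected list is how a responder encodes the same judgement garmanma made above.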

#11 Wendy K. Walker

Wendy K. Walker
  • Topic Starter

  • Members
  • 633 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:In The Treeline 300 Yards Behind You, Tracking Your Every Move Through A Sniper Scope
  • Local time:10:59 PM

Posted 02 December 2009 - 03:00 AM

Hi garmanma, Thanks for the reply.

OK, I'll delete all the old restore points, restart my PC, and make a new restore point. I think I'll run ERUNT and NTREGOPT before I reboot though.

You have any idea why that RootRepeal utility keeps causing my system to crash every time I try to use it?

[EDIT:] Up above you mentioned running a DDS, I have no idea what that is..., BUT I discovered something in my downloads folder that I don't remember downloading. It's a dds.scr thingy. I don't download anything with an .scr extension and I have no clue as to where it came from. I'll Google it as soon as I log off, just wondered if you've ever come across it before.

Thanks again for your help Mark.

Wendy

Edited by Wendy K. Walker, 02 December 2009 - 03:11 AM.


#12 garmanma
Staff Emeritus
Posted 02 December 2009 - 07:04 PM

dds.scr

Is the application the malware team uses
DDS / HJT
.scr is an obscure text format

Mark

#13 Wendy K. Walker
Topic Starter
Posted 02 December 2009 - 08:06 PM

Hi garmanma, Thanks for the reply.

OK, I still don't know how that sucker got in my Download folder though. I learned way back that .scr things were known to carry viruses and such and don't download them.

I'm gonna delete that file and then check out what HJT has on their board. I still have something killing my .wps documents and need to find out how to fix it so I can start opening those suckers without worrying about them getting corrupted.

Merry Christmas to you and yours Boo.

Wendy
