
Hijack Log - Google Redirect/Antivirus system pro



#1 faye32


Posted 03 December 2009 - 08:04 PM

Hi I was referred here from this thread: http://www.bleepingcomputer.com/forums/t/274669/infected-w-antivirus-system-pro-a-new-version-only-have-an-hour-or-two/

I posted some logs over in that thread, posting the HJT log here now in an attachment. Update: This is bizarre, my attachment disappeared. I'm having trouble keeping the computer in question online (accessing the site from another computer atm). I will try to get the log back ASAP; please don't close the thread.

Pasting in aforementioned logs from that topic. ~ OB

Running from: C:\Documents and Settings\censored (user folder)\My Documents\Downloads\Win32kDiag.exe
Log file at : C:\Documents and Settings\censored (user folder)\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

ROOTREPEAL  AD, 2007-2009
==================================================
Scan Start Time: 2009/12/03 10:56
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA178000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\censored (user folder)\application data\mozilla\firefox\profiles\uc7uvl0g.default\sessionstore.js
Status: Size mismatch (API: 12736, Raw: 12737)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xa60b2056

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xa60b204c

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xa60b205b

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xa60b2065

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xa60b206a

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xa60b2038

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xa60b203d

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xa60b2074

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xa60b206f

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xa60b2060

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xa60b2047

==EOF==

Volume in drive C has no label.
Volume Serial Number is 8CA5-5ABA

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 05:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 05:00 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 05:00 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ERDNT\cache

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
12 File(s) 2,576,896 bytes
0 Dir(s) 50,142,834,688 bytes free

Edited by faye32, 04 December 2009 - 05:36 AM.



#2 faye32


Posted 07 December 2009 - 08:47 AM

I found more evidence that there was a severe infection. I ended up reinstalling Windows because the system was too compromised for me to trust anymore. Could I request that someone please delete all my posts and account now? I am finished here.

#3 Elise


Posted 16 December 2009 - 10:15 AM

This topic will now be closed. If you want your account to be deleted, you need to contact an admin.

regards, Elise
