
Internet Explorer re-directs running wild


  • This topic is locked
15 replies to this topic

#1 toe

  • Members
  • 57 posts

Posted 08 December 2009 - 12:44 PM

Hello and thanks in advance for any assistance. Took my laptop to a shop a couple of weeks ago and they didn't remove whatever is causing my problem. Said I'd just have to live with it, couldn't be removed. Have run multiple spyware and virus programs and all find many items, but the problem just keeps coming back even worse than before.

I'm running VISTA and this is my work computer. Someone please help before I lose my cool and break something permanently.


#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,199 posts
  • Gender:Male
  • Location:NJ USA

Posted 08 December 2009 - 04:56 PM

Hello, can we get a quick log to start?

Please download TFC by Old Timer and save it to your desktop.
alternate download link
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM, please rename it to zztoy.exe, then save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 toe
  • Topic Starter
  • Members
  • 57 posts

Posted 08 December 2009 - 05:43 PM

MBAM didn't find anything. What's next?

#4 toe
  • Topic Starter
  • Members
  • 57 posts

Posted 08 December 2009 - 05:45 PM

Malwarebytes' Anti-Malware 1.42
Database version: 3325
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

12/8/2009 4:40:22 PM
mbam-log-2009-12-08 (16-40-22).txt

Scan type: Quick Scan
Objects scanned: 96695
Time elapsed: 6 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#5 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,199 posts
  • Gender:Male
  • Location:NJ USA

Posted 08 December 2009 - 09:38 PM

Hello, let's look at 2 more items then.
Run SAS next.
Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Now part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#6 toe
  • Topic Starter
  • Members
  • 57 posts

Posted 09 December 2009 - 05:09 PM

Is it normal to take 10 hours plus to do a scan with SUPERAntiSpyware?

#7 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,199 posts
  • Gender:Male
  • Location:NJ USA

Posted 09 December 2009 - 05:16 PM

Not normal, but not unheard of. Depends on the size of the drive, number of files and amount of malware it has to dig through. Give it a few more.

#8 toe
  • Topic Starter
  • Members
  • 57 posts

Posted 09 December 2009 - 07:24 PM

Here are the results:

SmitFraudFix v2.424

Scan done at 18:13:35.24, Wed 12/09/2009
Run from C:\Users\TO\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6002] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\EPSON Projector\EMP NS Connection V2\EMP_NSWLSV.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\SYSTEM32\Rpcnet.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\AVG\AVG9\avgupd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\wbem\wmiprvse.exe

hosts


C:\


C:\Windows


C:\Windows\system


C:\Windows\Web


C:\Windows\system32


C:\Windows\system32\LogFiles


C:\Users\TO


C:\Users\TO\AppData\Local\Temp


C:\Users\TO\Application Data


Start Menu


C:\Users\TO\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=dword:00000001
"AppInit_DLLs"="avgrsstx.dll"


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]




DNS

Description: Dell Wireless 1390 WLAN Mini-Card
DNS Server Search Order: 192.168.1.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5DDF8766-C877-429E-8B23-DAB2386E29B9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7C2EEA7E-74B5-4D61-AA67-FA22E96D6A68}: DhcpNameServer=169.254.2.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{80A492F2-B272-4225-9A5C-691EA100FF8F}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5DDF8766-C877-429E-8B23-DAB2386E29B9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7C2EEA7E-74B5-4D61-AA67-FA22E96D6A68}: DhcpNameServer=169.254.2.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{80A492F2-B272-4225-9A5C-691EA100FF8F}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{5DDF8766-C877-429E-8B23-DAB2386E29B9}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7C2EEA7E-74B5-4D61-AA67-FA22E96D6A68}: DhcpNameServer=169.254.2.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{80A492F2-B272-4225-9A5C-691EA100FF8F}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


Scanning for wininet.dll infection


End

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/09/2009 at 05:22 PM

Application Version : 4.31.1000

Core Rules Database Version : 4350
Trace Rules Database Version: 2198

Scan type : Complete Scan
Total Scan Time : 11:11:19

Memory items scanned : 678
Memory threats detected : 0
Registry items scanned : 6894
Registry threats detected : 0
File items scanned : 754523
File threats detected : 210

Adware.Tracking Cookie
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@specificclick[2].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@yieldmanager[1].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@counter.surfcounters[1].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@content.yieldmanager[1].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@classmates.112.2o7[2].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@questionmarket[2].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@eas.apm.emediate[2].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@collective-media[1].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@oasn04.247realmedia[2].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@tribalfusion[2].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@serving-sys[1].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@trafficmp[1].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@247realmedia[1].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@bs.serving-sys[2].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@eyewonder[2].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@adserver.adtechus[1].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@adserving.autotrader[2].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@ad.wsod[2].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@specificmedia[2].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@realmedia[1].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@interclick[2].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@cdn4.specificclick[2].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@pointroll[2].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@traffic.buyservices[1].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@ad.yieldmanager[2].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@nextag[1].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@ads.pointroll[1].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@insightexpressai[2].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@revsci[1].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@buycom.122.2o7[1].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@a1.interclick[1].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@2o7[1].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@invitemedia[1].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@content.yieldmanager[3].txt
C:\Users\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@ads.bleepingcomputer[1].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@247realmedia[1].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@2o7[1].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@a1.interclick[1].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@ad.wsod[2].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@ad.yieldmanager[2].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@ads.bleepingcomputer[1].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@ads.pointroll[1].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@adserver.adtechus[1].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@adserving.autotrader[2].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@bs.serving-sys[2].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@buycom.122.2o7[1].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@cdn4.specificclick[2].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@classmates.112.2o7[2].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@collective-media[1].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@content.yieldmanager[1].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@content.yieldmanager[3].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@counter.surfcounters[1].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@eas.apm.emediate[2].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@eyewonder[2].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@insightexpressai[2].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@interclick[2].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@invitemedia[1].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@nextag[1].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@oasn04.247realmedia[2].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@pointroll[2].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@questionmarket[2].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@realmedia[1].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@revsci[1].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@serving-sys[1].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@specificclick[2].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@specificmedia[2].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@traffic.buyservices[1].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@trafficmp[1].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@tribalfusion[2].txt
C:\Documents and Settings\TO\AppData\Roaming\Microsoft\Windows\Cookies\to@yieldmanager[1].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@247realmedia[1].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@2o7[1].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@a1.interclick[1].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@ad.wsod[2].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@ad.yieldmanager[2].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@ads.bleepingcomputer[1].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@ads.pointroll[1].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@adserver.adtechus[1].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@adserving.autotrader[2].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@bs.serving-sys[2].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@buycom.122.2o7[1].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@cdn4.specificclick[2].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@classmates.112.2o7[2].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@collective-media[1].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@content.yieldmanager[1].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@content.yieldmanager[3].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@counter.surfcounters[1].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@eas.apm.emediate[2].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@eyewonder[2].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@insightexpressai[2].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@interclick[2].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@invitemedia[1].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@nextag[1].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@oasn04.247realmedia[2].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@pointroll[2].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@questionmarket[2].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@realmedia[1].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@revsci[1].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@serving-sys[1].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@specificclick[2].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@specificmedia[2].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@traffic.buyservices[1].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@trafficmp[1].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@tribalfusion[2].txt
C:\Documents and Settings\TO\Application Data\Microsoft\Windows\Cookies\to@yieldmanager[1].txt
C:\Documents and Settings\TO\Cookies\to@247realmedia[1].txt
C:\Documents and Settings\TO\Cookies\to@2o7[1].txt
C:\Documents and Settings\TO\Cookies\to@a1.interclick[1].txt
C:\Documents and Settings\TO\Cookies\to@ad.wsod[2].txt
C:\Documents and Settings\TO\Cookies\to@ad.yieldmanager[2].txt
C:\Documents and Settings\TO\Cookies\to@ads.bleepingcomputer[1].txt
C:\Documents and Settings\TO\Cookies\to@ads.pointroll[1].txt
C:\Documents and Settings\TO\Cookies\to@adserver.adtechus[1].txt
C:\Documents and Settings\TO\Cookies\to@adserving.autotrader[2].txt
C:\Documents and Settings\TO\Cookies\to@bs.serving-sys[2].txt
C:\Documents and Settings\TO\Cookies\to@buycom.122.2o7[1].txt
C:\Documents and Settings\TO\Cookies\to@cdn4.specificclick[2].txt
C:\Documents and Settings\TO\Cookies\to@classmates.112.2o7[2].txt
C:\Documents and Settings\TO\Cookies\to@collective-media[1].txt
C:\Documents and Settings\TO\Cookies\to@content.yieldmanager[1].txt
C:\Documents and Settings\TO\Cookies\to@content.yieldmanager[3].txt
C:\Documents and Settings\TO\Cookies\to@counter.surfcounters[1].txt
C:\Documents and Settings\TO\Cookies\to@eas.apm.emediate[2].txt
C:\Documents and Settings\TO\Cookies\to@eyewonder[2].txt
C:\Documents and Settings\TO\Cookies\to@insightexpressai[2].txt
C:\Documents and Settings\TO\Cookies\to@interclick[2].txt
C:\Documents and Settings\TO\Cookies\to@invitemedia[1].txt
C:\Documents and Settings\TO\Cookies\to@nextag[1].txt
C:\Documents and Settings\TO\Cookies\to@oasn04.247realmedia[2].txt
C:\Documents and Settings\TO\Cookies\to@pointroll[2].txt
C:\Documents and Settings\TO\Cookies\to@questionmarket[2].txt
C:\Documents and Settings\TO\Cookies\to@realmedia[1].txt
C:\Documents and Settings\TO\Cookies\to@revsci[1].txt
C:\Documents and Settings\TO\Cookies\to@serving-sys[1].txt
C:\Documents and Settings\TO\Cookies\to@specificclick[2].txt
C:\Documents and Settings\TO\Cookies\to@specificmedia[2].txt
C:\Documents and Settings\TO\Cookies\to@traffic.buyservices[1].txt
C:\Documents and Settings\TO\Cookies\to@trafficmp[1].txt
C:\Documents and Settings\TO\Cookies\to@tribalfusion[2].txt
C:\Documents and Settings\TO\Cookies\to@yieldmanager[1].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@247realmedia[1].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@2o7[1].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@a1.interclick[1].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@ad.wsod[2].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@ad.yieldmanager[2].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@ads.bleepingcomputer[1].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@ads.pointroll[1].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@adserver.adtechus[1].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@adserving.autotrader[2].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@bs.serving-sys[2].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@buycom.122.2o7[1].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@cdn4.specificclick[2].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@classmates.112.2o7[2].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@collective-media[1].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@content.yieldmanager[1].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@content.yieldmanager[3].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@counter.surfcounters[1].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@eas.apm.emediate[2].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@eyewonder[2].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@insightexpressai[2].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@interclick[2].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@invitemedia[1].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@nextag[1].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@oasn04.247realmedia[2].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@pointroll[2].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@questionmarket[2].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@realmedia[1].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@revsci[1].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@serving-sys[1].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@specificclick[2].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@specificmedia[2].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@traffic.buyservices[1].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@trafficmp[1].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@tribalfusion[2].txt
C:\Users\TO\Application Data\Microsoft\Windows\Cookies\to@yieldmanager[1].txt
C:\Users\TO\Cookies\to@247realmedia[1].txt
C:\Users\TO\Cookies\to@2o7[1].txt
C:\Users\TO\Cookies\to@a1.interclick[1].txt
C:\Users\TO\Cookies\to@ad.wsod[2].txt
C:\Users\TO\Cookies\to@ad.yieldmanager[2].txt
C:\Users\TO\Cookies\to@ads.bleepingcomputer[1].txt
C:\Users\TO\Cookies\to@ads.pointroll[1].txt
C:\Users\TO\Cookies\to@adserver.adtechus[1].txt
C:\Users\TO\Cookies\to@adserving.autotrader[2].txt
C:\Users\TO\Cookies\to@bs.serving-sys[2].txt
C:\Users\TO\Cookies\to@buycom.122.2o7[1].txt
C:\Users\TO\Cookies\to@cdn4.specificclick[2].txt
C:\Users\TO\Cookies\to@classmates.112.2o7[2].txt
C:\Users\TO\Cookies\to@collective-media[1].txt
C:\Users\TO\Cookies\to@content.yieldmanager[1].txt
C:\Users\TO\Cookies\to@content.yieldmanager[3].txt
C:\Users\TO\Cookies\to@counter.surfcounters[1].txt
C:\Users\TO\Cookies\to@eas.apm.emediate[2].txt
C:\Users\TO\Cookies\to@eyewonder[2].txt
C:\Users\TO\Cookies\to@insightexpressai[2].txt
C:\Users\TO\Cookies\to@interclick[2].txt
C:\Users\TO\Cookies\to@invitemedia[1].txt
C:\Users\TO\Cookies\to@nextag[1].txt
C:\Users\TO\Cookies\to@oasn04.247realmedia[2].txt
C:\Users\TO\Cookies\to@pointroll[2].txt
C:\Users\TO\Cookies\to@questionmarket[2].txt
C:\Users\TO\Cookies\to@realmedia[1].txt
C:\Users\TO\Cookies\to@revsci[1].txt
C:\Users\TO\Cookies\to@serving-sys[1].txt
C:\Users\TO\Cookies\to@specificclick[2].txt
C:\Users\TO\Cookies\to@specificmedia[2].txt
C:\Users\TO\Cookies\to@traffic.buyservices[1].txt
C:\Users\TO\Cookies\to@trafficmp[1].txt
C:\Users\TO\Cookies\to@tribalfusion[2].txt
C:\Users\TO\Cookies\to@yieldmanager[1].txt

#9 boopme
Global Moderator
Posted 09 December 2009 - 08:16 PM

You are still having the redirects?
We need to check for rootkits with RootRepeal.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#10 toe
Topic Starter
Posted 10 December 2009 - 07:31 AM

Not having any success with RootRepeal. Running for the 4th time. For some reason, it closes itself before I can save the report.

#11 toe
Topic Starter
Posted 10 December 2009 - 08:31 AM

I was able to get the following this time:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/10 07:26
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\Windows\system32\DRIVERS\1394BUS.SYS
Address: 0x8BD04000 Size: 57344 File Visible: - Signed: -
Status: -

Name: acpi.sys
Image Path: C:\Windows\system32\drivers\acpi.sys
Address: 0x82C97000 Size: 286720 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x82219000 Size: 3903488 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\Windows\system32\drivers\afd.sys
Address: 0x8D15E000 Size: 294912 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: C:\Windows\system32\drivers\atapi.sys
Address: 0x82DB6000 Size: 32768 File Visible: - Signed: -
Status: -

Name: ataport.SYS
Image Path: C:\Windows\system32\drivers\ataport.SYS
Address: 0x82DBE000 Size: 122880 File Visible: - Signed: -
Status: -

Name: avgldx86.sys
Image Path: C:\Windows\System32\Drivers\avgldx86.sys
Address: 0x8DA9E000 Size: 326528 File Visible: - Signed: -
Status: -

Name: avgmfx86.sys
Image Path: C:\Windows\System32\Drivers\avgmfx86.sys
Address: 0x8DA98000 Size: 21760 File Visible: - Signed: -
Status: -

Name: avgtdix.sys
Image Path: C:\Windows\System32\Drivers\avgtdix.sys
Address: 0x8D537000 Size: 353920 File Visible: - Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\Windows\system32\DRIVERS\BATTC.SYS
Address: 0x82D27000 Size: 40960 File Visible: - Signed: -
Status: -

Name: bcm4sbxp.sys
Image Path: C:\Windows\system32\DRIVERS\bcm4sbxp.sys
Address: 0x8BCE3000 Size: 69632 File Visible: - Signed: -
Status: -

Name: bcmwl6.sys
Image Path: C:\Windows\system32\DRIVERS\bcmwl6.sys
Address: 0x8BC00000 Size: 548864 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\Windows\System32\Drivers\Beep.SYS
Address: 0x8D3CE000 Size: 28672 File Visible: - Signed: -
Status: -

Name: blkgrpex.sys
Image Path: C:\Windows\system32\DRIVERS\blkgrpex.sys
Address: 0x8BD72000 Size: 254080 File Visible: - Signed: -
Status: -

Name: blkgrpmr.sys
Image Path: C:\Windows\system32\DRIVERS\blkgrpmr.sys
Address: 0x8CC08000 Size: 252800 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\Windows\system32\BOOTVID.dll
Address: 0x8068A000 Size: 32768 File Visible: - Signed: -
Status: -

Name: bowser.sys
Image Path: C:\Windows\system32\DRIVERS\bowser.sys
Address: 0xAB3A0000 Size: 102400 File Visible: - Signed: -
Status: -

Name: cdd.dll
Image Path: C:\Windows\System32\cdd.dll
Address: 0x95910000 Size: 57344 File Visible: - Signed: -
Status: -

Name: cdfs.sys
Image Path: C:\Windows\system32\DRIVERS\cdfs.sys
Address: 0x8DBCF000 Size: 90112 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\Windows\system32\DRIVERS\cdrom.sys
Address: 0x8BD57000 Size: 98304 File Visible: - Signed: -
Status: -

Name: CI.dll
Image Path: C:\Windows\system32\CI.dll
Address: 0x806D3000 Size: 917504 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\Windows\system32\drivers\CLASSPNP.SYS
Address: 0x881A1000 Size: 135168 File Visible: - Signed: -
Status: -

Name: CLFS.SYS
Image Path: C:\Windows\system32\CLFS.SYS
Address: 0x80692000 Size: 266240 File Visible: - Signed: -
Status: -

Name: CmBatt.sys
Image Path: C:\Windows\system32\DRIVERS\CmBatt.sys
Address: 0x82FF9000 Size: 14208 File Visible: - Signed: -
Status: -

Name: compbatt.sys
Image Path: C:\Windows\system32\DRIVERS\compbatt.sys
Address: 0x82D24000 Size: 10496 File Visible: - Signed: -
Status: -

Name: crashdmp.sys
Image Path: C:\Windows\System32\Drivers\crashdmp.sys
Address: 0x8DAEE000 Size: 53248 File Visible: - Signed: -
Status: -

Name: crcdisk.sys
Image Path: C:\Windows\system32\drivers\crcdisk.sys
Address: 0x881C2000 Size: 36864 File Visible: - Signed: -
Status: -

Name: dfsc.sys
Image Path: C:\Windows\System32\Drivers\dfsc.sys
Address: 0x8DA81000 Size: 94208 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: C:\Windows\system32\drivers\disk.sys
Address: 0x88190000 Size: 69632 File Visible: - Signed: -
Status: -

Name: DLABMFSM.SYS
Image Path: C:\Windows\System32\DLA\DLABMFSM.SYS
Address: 0x8DB6D000 Size: 28192 File Visible: - Signed: -
Status: -

Name: DLABOIOM.SYS
Image Path: C:\Windows\System32\DLA\DLABOIOM.SYS
Address: 0x8DB74000 Size: 25568 File Visible: - Signed: -
Status: -

Name: DLACDBHM.SYS
Image Path: C:\Windows\System32\Drivers\DLACDBHM.SYS
Address: 0x8BD55000 Size: 5952 File Visible: - Signed: -
Status: -

Name: DLADResM.SYS
Image Path: C:\Windows\System32\DLA\DLADResM.SYS
Address: 0x8DB4D000 Size: 2496 File Visible: - Signed: -
Status: -

Name: DLAIFS_M.SYS
Image Path: C:\Windows\System32\DLA\DLAIFS_M.SYS
Address: 0x8DB4E000 Size: 97632 File Visible: - Signed: -
Status: -

Name: DLAOPIOM.SYS
Image Path: C:\Windows\System32\DLA\DLAOPIOM.SYS
Address: 0x8DB66000 Size: 19392 File Visible: - Signed: -
Status: -

Name: DLAPoolM.SYS
Image Path: C:\Windows\System32\DLA\DLAPoolM.SYS
Address: 0x8DB6B000 Size: 7616 File Visible: - Signed: -
Status: -

Name: DLARTL_M.SYS
Image Path: C:\Windows\System32\Drivers\DLARTL_M.SYS
Address: 0x8D3D5000 Size: 21216 File Visible: - Signed: -
Status: -

Name: DLAUDF_M.SYS
Image Path: C:\Windows\System32\DLA\DLAUDF_M.SYS
Address: 0x8DB91000 Size: 90944 File Visible: - Signed: -
Status: -

Name: DLAUDFAM.SYS
Image Path: C:\Windows\System32\DLA\DLAUDFAM.SYS
Address: 0x8DB7B000 Size: 87744 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\Windows\system32\drivers\drmk.sys
Address: 0x8D0DA000 Size: 151552 File Visible: - Signed: -
Status: -

Name: DRVMCDB.SYS
Image Path: C:\Windows\System32\Drivers\DRVMCDB.SYS
Address: 0x807E5000 Size: 90080 File Visible: - Signed: -
Status: -

Name: DRVNDDM.SYS
Image Path: C:\Windows\System32\Drivers\DRVNDDM.SYS
Address: 0x8DB42000 Size: 42496 File Visible: - Signed: -
Status: -

Name: dsunidrv.sys
Image Path: C:\Program Files\DellSupport\Drivers\dsunidrv.sys
Address: 0xAC6CC000 Size: 7424 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x8DB06000 Size: 32768 File Visible: No Signed: -
Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x8DAFB000 Size: 45056 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\Windows\System32\drivers\Dxapi.sys
Address: 0x8DB0E000 Size: 40960 File Visible: - Signed: -
Status: -

Name: dxgkrnl.sys
Image Path: C:\Windows\System32\drivers\dxgkrnl.sys
Address: 0x8CAB9000 Size: 659456 File Visible: - Signed: -
Status: -

Name: ecache.sys
Image Path: C:\Windows\System32\drivers\ecache.sys
Address: 0x88169000 Size: 159744 File Visible: - Signed: -
Status: -

Name: fastfat.SYS
Image Path: C:\Windows\System32\Drivers\fastfat.SYS
Address: 0xAC6CE000 Size: 163840 File Visible: - Signed: -
Status: -

Name: fileinfo.sys
Image Path: C:\Windows\system32\drivers\fileinfo.sys
Address: 0x82DDC000 Size: 65536 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: C:\Windows\system32\drivers\fltmgr.sys
Address: 0x807B3000 Size: 204800 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\Windows\System32\Drivers\Fs_Rec.SYS
Address: 0x8D3BE000 Size: 36864 File Visible: - Signed: -
Status: -

Name: fwpkclnt.sys
Image Path: C:\Windows\System32\drivers\fwpkclnt.sys
Address: 0x8D4F2000 Size: 110592 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\Windows\System32\Drivers\GEARAspiWDM.sys
Address: 0x8BD6F000 Size: 9472 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\Windows\system32\hal.dll
Address: 0x825D2000 Size: 208896 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\Windows\system32\DRIVERS\HDAudBus.sys
Address: 0x8CB66000 Size: 577536 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\Windows\system32\DRIVERS\HIDPARSE.SYS
Address: 0x8D3E4000 Size: 28672 File Visible: - Signed: -
Status: -

Name: HSX_CNXT.sys
Image Path: C:\Windows\system32\DRIVERS\HSX_CNXT.sys
Address: 0x8D30A000 Size: 737280 File Visible: - Signed: -
Status: -

Name: HSX_DPV.sys
Image Path: C:\Windows\system32\DRIVERS\HSX_DPV.sys
Address: 0x8D207000 Size: 1060864 File Visible: - Signed: -
Status: -

Name: HSXHWAZL.sys
Image Path: C:\Windows\system32\DRIVERS\HSXHWAZL.sys
Address: 0x8D0FF000 Size: 249856 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\Windows\system32\drivers\HTTP.sys
Address: 0xAB316000 Size: 446464 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\Windows\system32\DRIVERS\i8042prt.sys
Address: 0x8BD2C000 Size: 77824 File Visible: - Signed: -
Status: -

Name: igdkmd32.sys
Image Path: C:\Windows\system32\DRIVERS\igdkmd32.sys
Address: 0x8C40A000 Size: 7008256 File Visible: - Signed: -
Status: -

Name: intelide.sys
Image Path: C:\Windows\system32\drivers\intelide.sys
Address: 0x82D8A000 Size: 28672 File Visible: - Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\Windows\system32\DRIVERS\intelppm.sys
Address: 0x82FEA000 Size: 61440 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\Windows\system32\DRIVERS\kbdclass.sys
Address: 0x8BD4A000 Size: 45056 File Visible: - Signed: -
Status: -

Name: kdcom.dll
Image Path: C:\Windows\system32\kdcom.dll
Address: 0x80602000 Size: 28672 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\Windows\system32\DRIVERS\ks.sys
Address: 0x8CD7C000 Size: 172032 File Visible: - Signed: -
Status: -

Name: ksecdd.sys
Image Path: C:\Windows\System32\Drivers\ksecdd.sys
Address: 0x82E08000 Size: 462848 File Visible: - Signed: -
Status: -

Name: Lbd.sys
Image Path: C:\Windows\system32\DRIVERS\Lbd.sys
Address: 0x82DEC000 Size: 57600 File Visible: - Signed: -
Status: -

Name: lltdio.sys
Image Path: C:\Windows\system32\DRIVERS\lltdio.sys
Address: 0xAB2BF000 Size: 65536 File Visible: - Signed: -
Status: -

Name: luafv.sys
Image Path: C:\Windows\system32\drivers\luafv.sys
Address: 0x8DB27000 Size: 110592 File Visible: - Signed: -
Status: -

Name: mcupdate_GenuineIntel.dll
Image Path: C:\Windows\system32\mcupdate_GenuineIntel.dll
Address: 0x80609000 Size: 458752 File Visible: - Signed: -
Status: -

Name: mdmxsdk.sys
Image Path: C:\Windows\system32\DRIVERS\mdmxsdk.sys
Address: 0xAC6F6000 Size: 12672 File Visible: - Signed: -
Status: -

Name: mfehidk.sys
Image Path: C:\Windows\system32\drivers\mfehidk.sys
Address: 0x8DA4E000 Size: 207936 File Visible: - Signed: -
Status: -

Name: modem.sys
Image Path: C:\Windows\system32\drivers\modem.sys
Address: 0x8CCD1000 Size: 53248 File Visible: - Signed: -
Status: -

Name: monitor.sys
Image Path: C:\Windows\system32\DRIVERS\monitor.sys
Address: 0x8DB18000 Size: 61440 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\Windows\system32\DRIVERS\mouclass.sys
Address: 0x8BD3F000 Size: 45056 File Visible: - Signed: -
Status: -

Name: mountmgr.sys
Image Path: C:\Windows\System32\drivers\mountmgr.sys
Address: 0x82DA6000 Size: 65536 File Visible: - Signed: -
Status: -

Name: mpsdrv.sys
Image Path: C:\Windows\System32\drivers\mpsdrv.sys
Address: 0xAB3B9000 Size: 86016 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\Windows\system32\drivers\mrxdav.sys
Address: 0xAB3CE000 Size: 135168 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\Windows\system32\DRIVERS\mrxsmb.sys
Address: 0x8DBB0000 Size: 126976 File Visible: - Signed: -
Status: -

Name: mrxsmb10.sys
Image Path: C:\Windows\system32\DRIVERS\mrxsmb10.sys
Address: 0xAC608000 Size: 233472 File Visible: - Signed: -
Status: -

Name: mrxsmb20.sys
Image Path: C:\Windows\system32\DRIVERS\mrxsmb20.sys
Address: 0xAC641000 Size: 98304 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\Windows\System32\Drivers\Msfs.SYS
Address: 0x8D13C000 Size: 45056 File Visible: - Signed: -
Status: -

Name: msisadrv.sys
Image Path: C:\Windows\system32\drivers\msisadrv.sys
Address: 0x82CE6000 Size: 32768 File Visible: - Signed: -
Status: -

Name: msiscsi.sys
Image Path: C:\Windows\system32\DRIVERS\msiscsi.sys
Address: 0x8CC4E000 Size: 192512 File Visible: - Signed: -
Status: -

Name: msrpc.sys
Image Path: C:\Windows\system32\drivers\msrpc.sys
Address: 0x82F84000 Size: 176128 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\Windows\system32\DRIVERS\mssmbios.sys
Address: 0x8CDA6000 Size: 40960 File Visible: - Signed: -
Status: -

Name: mup.sys
Image Path: C:\Windows\System32\Drivers\mup.sys
Address: 0x8815A000 Size: 61440 File Visible: - Signed: -
Status: -

Name: ndis.sys
Image Path: C:\Windows\system32\drivers\ndis.sys
Address: 0x82E79000 Size: 1093632 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\Windows\system32\DRIVERS\ndistapi.sys
Address: 0x8CCF5000 Size: 45056 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\Windows\system32\DRIVERS\ndisuio.sys
Address: 0xAB2F9000 Size: 40960 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\Windows\system32\DRIVERS\ndiswan.sys
Address: 0x8CD00000 Size: 143360 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\Windows\System32\Drivers\NDProxy.SYS
Address: 0x8BDD2000 Size: 69632 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\Windows\system32\DRIVERS\netbios.sys
Address: 0x8D5D6000 Size: 57344 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\Windows\System32\DRIVERS\netbt.sys
Address: 0x8D58E000 Size: 204800 File Visible: - Signed: -
Status: -

Name: NETIO.SYS
Image Path: C:\Windows\system32\drivers\NETIO.SYS
Address: 0x82FAF000 Size: 241664 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\Windows\System32\Drivers\Npfs.SYS
Address: 0x8D147000 Size: 57344 File Visible: - Signed: -
Status: -

Name: nsiproxy.sys
Image Path: C:\Windows\system32\drivers\nsiproxy.sys
Address: 0x8DA44000 Size: 40960 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: C:\Windows\System32\Drivers\Ntfs.sys
Address: 0x88009000 Size: 1114112 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\Windows\system32\ntkrnlpa.exe
Address: 0x82219000 Size: 3903488 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\Windows\System32\Drivers\Null.SYS
Address: 0x8D3C7000 Size: 28672 File Visible: - Signed: -
Status: -

Name: nwifi.sys
Image Path: C:\Windows\system32\DRIVERS\nwifi.sys
Address: 0xAB2CF000 Size: 172032 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: C:\Windows\system32\DRIVERS\ohci1394.sys
Address: 0x8BCF4000 Size: 62208 File Visible: - Signed: -
Status: -

Name: pacer.sys
Image Path: C:\Windows\system32\DRIVERS\pacer.sys
Address: 0x8D5C0000 Size: 90112 File Visible: - Signed: -
Status: -

Name: partmgr.sys
Image Path: C:\Windows\System32\drivers\partmgr.sys
Address: 0x82D15000 Size: 61440 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: C:\Windows\system32\drivers\pci.sys
Address: 0x82CEE000 Size: 159744 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: C:\Windows\system32\DRIVERS\pciide.sys
Address: 0x82D9F000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\Windows\system32\drivers\PCIIDEX.SYS
Address: 0x82D91000 Size: 57344 File Visible: - Signed: -
Status: -

Name: pctnullport.sys
Image Path: C:\Windows\system32\DRIVERS\pctnullport.sys
Address: 0x8CD5B000 Size: 32000 File Visible: - Signed: -
Status: -

Name: peauth.sys
Image Path: C:\Windows\system32\drivers\peauth.sys
Address: 0xAC6FA000 Size: 909312 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x82219000 Size: 3903488 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\Windows\system32\drivers\portcls.sys
Address: 0x8D0AD000 Size: 184320 File Visible: - Signed: -
Status: -

Name: PSHED.dll
Image Path: C:\Windows\system32\PSHED.dll
Address: 0x80679000 Size: 69632 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: C:\Windows\System32\Drivers\PxHelp20.sys
Address: 0x82C00000 Size: 35648 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\Windows\System32\DRIVERS\rasacd.sys
Address: 0x8D155000 Size: 36864 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\Windows\system32\DRIVERS\rasl2tp.sys
Address: 0x8CCDE000 Size: 94208 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\Windows\system32\DRIVERS\raspppoe.sys
Address: 0x8CD23000 Size: 61440 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\Windows\system32\DRIVERS\raspptp.sys
Address: 0x8CD32000 Size: 81920 File Visible: - Signed: -
Status: -

Name: rassstp.sys
Image Path: C:\Windows\system32\DRIVERS\rassstp.sys
Address: 0x8CD46000 Size: 86016 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x82219000 Size: 3903488 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\Windows\system32\DRIVERS\rdbss.sys
Address: 0x8DA08000 Size: 245760 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\Windows\System32\DRIVERS\RDPCDD.sys
Address: 0x8D3F7000 Size: 32768 File Visible: - Signed: -
Status: -

Name: rdpencdd.sys
Image Path: C:\Windows\system32\drivers\rdpencdd.sys
Address: 0x8D3DB000 Size: 32768 File Visible: - Signed: -
Status: -

Name: RimSerial.sys
Image Path: C:\Windows\system32\DRIVERS\RimSerial.sys
Address: 0x8CD63000 Size: 26496 File Visible: - Signed: -
Status: -

Name: RootMdm.sys
Image Path: C:\Windows\System32\Drivers\RootMdm.sys
Address: 0x8CCC9000 Size: 32768 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xAB200000 Size: 49152 File Visible: No Signed: -
Status: -

Name: rspndr.sys
Image Path: C:\Windows\system32\DRIVERS\rspndr.sys
Address: 0xAB303000 Size: 77824 File Visible: - Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0x8D5F7000 Size: 24576 File Visible: - Signed: -
Status: -

Name: SASKUTIL.sys
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0x8D1A6000 Size: 151552 File Visible: - Signed: -
Status: -

Name: sdbus.sys
Image Path: C:\Windows\system32\DRIVERS\sdbus.sys
Address: 0x8BD12000 Size: 106496 File Visible: - Signed: -
Status: -

Name: secdrv.SYS
Image Path: C:\Windows\System32\Drivers\secdrv.SYS
Address: 0xAC7D8000 Size: 40960 File Visible: - Signed: -
Status: -

Name: serscan.sys
Image Path: C:\Windows\system32\DRIVERS\serscan.sys
Address: 0x8CC46000 Size: 32768 File Visible: - Signed: -
Status: -

Name: smb.sys
Image Path: C:\Windows\system32\DRIVERS\smb.sys
Address: 0x8D523000 Size: 81920 File Visible: - Signed: -
Status: -

Name: spldr.sys
Image Path: C:\Windows\System32\Drivers\spldr.sys
Address: 0x88152000 Size: 32768 File Visible: - Signed: -
Status: -

Name: spsys.sys
Image Path: C:\Windows\system32\drivers\spsys.sys
Address: 0xAB20F000 Size: 720896 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\Windows\System32\DRIVERS\srv.sys
Address: 0xAC680000 Size: 311296 File Visible: - Signed: -
Status: -

Name: srv2.sys
Image Path: C:\Windows\System32\DRIVERS\srv2.sys
Address: 0xAC659000 Size: 159744 File Visible: - Signed: -
Status: -

Name: srvnet.sys
Image Path: C:\Windows\System32\DRIVERS\srvnet.sys
Address: 0xAB383000 Size: 118784 File Visible: - Signed: -
Status: -

Name: storport.sys
Image Path: C:\Windows\system32\DRIVERS\storport.sys
Address: 0x8CC7D000 Size: 266240 File Visible: - Signed: -
Status: -

Name: stwrt.sys
Image Path: C:\Windows\system32\drivers\stwrt.sys
Address: 0x8D00A000 Size: 667648 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\Windows\system32\DRIVERS\swenum.sys
Address: 0x8CD7A000 Size: 4992 File Visible: - Signed: -
Status: -

Name: swmsflt.sys
Image Path: C:\Windows\System32\drivers\swmsflt.sys
Address: 0x8BC86000 Size: 18176 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\Windows\System32\drivers\tcpip.sys
Address: 0x8D408000 Size: 958464 File Visible: - Signed: -
Status: -

Name: tcpipreg.sys
Image Path: C:\Windows\System32\drivers\tcpipreg.sys
Address: 0xAC7E2000 Size: 49152 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\Windows\system32\DRIVERS\TDI.SYS
Address: 0x8CCBE000 Size: 45056 File Visible: - Signed: -
Status: -

Name: tdx.sys
Image Path: C:\Windows\system32\DRIVERS\tdx.sys
Address: 0x8D50D000 Size: 90112 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\Windows\system32\DRIVERS\termdd.sys
Address: 0x8CD6A000 Size: 65536 File Visible: - Signed: -
Status: -

Name: TSDDD.dll
Image Path: C:\Windows\System32\TSDDD.dll
Address: 0x958F0000 Size: 36864 File Visible: - Signed: -
Status: -

Name: tunmp.sys
Image Path: C:\Windows\system32\DRIVERS\tunmp.sys
Address: 0x881F6000 Size: 36864 File Visible: - Signed: -
Status: -

Name: tunnel.sys
Image Path: C:\Windows\system32\DRIVERS\tunnel.sys
Address: 0x881EB000 Size: 45056 File Visible: - Signed: -
Status: -

Name: umbus.sys
Image Path: C:\Windows\system32\DRIVERS\umbus.sys
Address: 0x8CDB0000 Size: 53248 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\Windows\system32\DRIVERS\usbehci.sys
Address: 0x8BCD4000 Size: 61440 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\Windows\system32\DRIVERS\usbhub.sys
Address: 0x8CDBD000 Size: 217088 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\Windows\system32\DRIVERS\USBPORT.SYS
Address: 0x8BC96000 Size: 253952 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\Windows\system32\DRIVERS\usbuhci.sys
Address: 0x8BC8B000 Size: 45056 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\Windows\System32\drivers\vga.sys
Address: 0x8D3EB000 Size: 49152 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\Windows\system32\DRIVERS\VIDEOPRT.SYS
Address: 0x8BDB1000 Size: 135168 File Visible: - Signed: -
Status: -

Name: volmgr.sys
Image Path: C:\Windows\system32\drivers\volmgr.sys
Address: 0x82D31000 Size: 61440 File Visible: - Signed: -
Status: -

Name: volmgrx.sys
Image Path: C:\Windows\System32\drivers\volmgrx.sys
Address: 0x82D40000 Size: 303104 File Visible: - Signed: -
Status: -

Name: volsnap.sys
Image Path: C:\Windows\system32\drivers\volsnap.sys
Address: 0x88119000 Size: 233472 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\Windows\system32\DRIVERS\wanarp.sys
Address: 0x8D5E4000 Size: 77824 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\Windows\System32\drivers\watchdog.sys
Address: 0x8CB5A000 Size: 49152 File Visible: - Signed: -
Status: -

Name: Wdf01000.sys
Image Path: C:\Windows\system32\drivers\Wdf01000.sys
Address: 0x82C0E000 Size: 507904 File Visible: - Signed: -
Status: -

Name: WDFLDR.SYS
Image Path: C:\Windows\system32\drivers\WDFLDR.SYS
Address: 0x82C8A000 Size: 53248 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0x956D0000 Size: 2105344 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\Windows\System32\win32k.sys
Address: 0x956D0000 Size: 2105344 File Visible: - Signed: -
Status: -

Name: wmiacpi.sys
Image Path: C:\Windows\system32\DRIVERS\wmiacpi.sys
Address: 0x88000000 Size: 36864 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\Windows\system32\drivers\WMILIB.SYS
Address: 0x82CDD000 Size: 36864 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x82219000 Size: 3903488 File Visible: - Signed: -
Status: -

Name: xaudio.sys
Image Path: C:\Windows\system32\DRIVERS\xaudio.sys
Address: 0xAC7EE000 Size: 32768 File Visible: - Signed: -
Status: -
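
The driver listing above is what RootRepeal prints for every loaded kernel module, and almost all of it is normal. What a helper actually looks for in it is a record whose file is not visible on disk ("File Visible: No") or whose Status line says anything other than "-". The script below is an added example, not part of the original thread and not RootRepeal's own code: a small Python parser that reads the Drivers records and applies that triage, excluding the two well-known benign cases (the dump_*.sys crash-dump drivers exist only in memory, and rootrepeal.sys is the scanner's own driver). The embedded sample is four records copied from the log above plus one constructed record; the name example_hidden.sys and its address are made up for illustration.

```python
"""Triage a RootRepeal 'Drivers' report for hidden kernel modules (added example)."""
import re

# Sample input: four records copied from the RootRepeal log posted above, plus one
# CONSTRUCTED record (example_hidden.sys) showing what a hidden driver looks like.
ROOTREPEAL_LOG = r"""
Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\Windows\system32\DRIVERS\1394BUS.SYS
Address: 0x8BD04000 Size: 57344 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x8DB06000 Size: 32768 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xAB200000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0x8D5F7000 Size: 24576 File Visible: - Signed: -
Status: -

Name: example_hidden.sys
Image Path: C:\Windows\system32\drivers\example_hidden.sys
Address: 0xAC900000 Size: 61440 File Visible: No Signed: -
Status: Hidden from Windows API!
"""

# One driver record = four consecutive lines in the fixed RootRepeal layout.
RECORD_RE = re.compile(
    r"Name:\s*(?P<name>.+?)\s*\n"
    r"Image Path:\s*(?P<path>.+?)\s*\n"
    r"Address:\s*(?P<addr>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)\s+"
    r"File Visible:\s*(?P<visible>\S+)\s+Signed:\s*(?P<signed>\S+)\s*\n"
    r"Status:\s*(?P<status>.*)"
)

# Benign "File Visible: No" entries: the crash-dump stack's in-memory driver copies
# and RootRepeal's own driver, which is removed from disk once it is loaded.
KNOWN_BENIGN_HIDDEN = re.compile(r"^(dump_.*\.sys|rootrepeal\.sys)$", re.IGNORECASE)


def parse_drivers(log):
    """Return one dict per driver record found in the report text."""
    return [m.groupdict() for m in RECORD_RE.finditer(log)]


def suspicious_drivers(records, ignore_known_benign=True):
    """Records worth a closer look: file not visible on disk, or a non-empty Status."""
    hits = []
    for r in records:
        hidden = r["visible"].lower() == "no"
        if hidden and ignore_known_benign and KNOWN_BENIGN_HIDDEN.match(r["name"]):
            hidden = False
        flagged_status = r["status"].strip() not in ("", "-")
        if hidden or flagged_status:
            hits.append(r)
    return hits


def report(log, ignore_known_benign=True):
    """Human-readable lines: driver name, image path, and why it was flagged."""
    lines = []
    for r in suspicious_drivers(parse_drivers(log), ignore_known_benign):
        reasons = []
        if r["visible"].lower() == "no":
            reasons.append("file not visible on disk")
        if r["status"].strip() not in ("", "-"):
            reasons.append(f"status '{r['status'].strip()}'")
        lines.append(f"{r['name']}  {r['path']}  [{'; '.join(reasons)}]")
    return lines


if __name__ == "__main__":
    for line in report(ROOTREPEAL_LOG):
        print(line)
```

Run against the full log posted above, the parser yields the same three "File Visible: No" records (dump_atapi.sys, dump_dumpata.sys, rootrepeal.sys), all on the benign list, and no non-empty Status, which is why the helper's next step was a different tool rather than a removal script.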

#12 boopme
Global Moderator
Posted 10 December 2009 - 11:59 AM

Some rootkits can terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Further investigation is required to determine if this is the case with the issues you have described.

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report for me to review.
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad, then copy and paste the entire contents (starting with Running from... to Finished!) in your next reply.
Then go to Start > Run..., and copy and paste this command into the open box: cmd
press OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop and open in Notepad.
Copy and paste the contents of that file in your next reply.

-- Vista users can refer to these instructions to open a command prompt.

#13 toe
Topic Starter
Posted 10 December 2009 - 02:11 PM

Running from: C:\Users\TO\Desktop\Win32kDiag.exe

Log file at : C:\Users\TO\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...

Cannot access: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\cspF687.tmp
[1] 2009-11-20 17:08:02 81 C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\cspF687.tmp ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
[1] 2009-12-10 12:24:15 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
[1] 2009-12-10 12:23:58 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
[1] 2009-12-10 12:23:58 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
[1] 2009-12-10 12:23:58 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTkerberos.etl
[1] 2009-12-10 12:29:50 3544 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTkerberos.etl ()

Finished!

Volume in drive C is OS
Volume Serial Number is 3EC4-B1BC

Directory of C:\Windows\System32

04/11/2009 00:28 177,152 scecli.dll

Directory of C:\Windows\System32

04/11/2009 00:28 592,896 netlogon.dll
2 File(s) 770,048 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e

11/02/2006 03:46 176,640 scecli.dll
1 File(s) 176,640 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12

01/19/2008 01:36 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e

04/11/2009 00:28 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783

11/02/2006 03:46 559,616 netlogon.dll
1 File(s) 559,616 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

01/19/2008 01:35 592,384 netlogon.dll
1 File(s) 592,384 bytes

Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3

04/11/2009 00:28 592,896 netlogon.dll
1 File(s) 592,896 bytes

Total Files Listed:
8 File(s) 3,045,888 bytes
0 Dir(s) 55,884,914,688 bytes free
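
The two outputs in the post above are what boopme's instructions are built to surface. Win32kDiag lists the files it was denied access to, and the DIR command lists every copy of scecli.dll, netlogon.dll and eventlog.dll under %windir%. On a clean Vista install the DIR picture is simple: one live copy of each DLL in System32 whose size equals one of the versions kept in the winsxs component store, and no copy anywhere else; a copy in a stray directory, or a System32 copy whose size matches nothing in the store, is what the helper reading this output is looking for. The script below is an added example, not part of the original thread and not Win32kDiag's code: it parses the posted output and applies those rules, and it separates the Win32kDiag "Cannot access" entries for the kernel-held ETW logs under System32\LogFiles\WMI\RtBackup (locked on every Vista system) from anything else that needs a human look. The DIR and Win32kDiag text embedded in it is copied from the post (blank lines and per-directory totals dropped); TAMPERED_OUTPUT is a constructed listing, not from this machine, that shows what the warnings look like. Vista keeps the Event Log service in wevtsvc.dll, so no eventlog.dll on a Vista machine is expected, and the script treats an absent name as information rather than a warning.

```python
"""Triage the Win32kDiag and `DIR /a/s` output posted above (added example)."""
import re
from collections import defaultdict

# Copied from the DIR output in the post above (blank lines and per-directory totals dropped).
DIR_OUTPUT = r"""
 Volume in drive C is OS
 Directory of C:\Windows\System32
04/11/2009 00:28 177,152 scecli.dll
 Directory of C:\Windows\System32
04/11/2009 00:28 592,896 netlogon.dll
 Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e
11/02/2006 03:46 176,640 scecli.dll
 Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12
01/19/2008 01:36 177,152 scecli.dll
 Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e
04/11/2009 00:28 177,152 scecli.dll
 Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783
11/02/2006 03:46 559,616 netlogon.dll
 Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857
01/19/2008 01:35 592,384 netlogon.dll
 Directory of C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3
04/11/2009 00:28 592,896 netlogon.dll
 8 File(s) 3,045,888 bytes
"""

# Only the "Cannot access" lines from the Win32kDiag output in the post above.
WIN32KDIAG_OUTPUT = r"""
Cannot access: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\cspF687.tmp
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTkerberos.etl
"""

# CONSTRUCTED listing (not from this machine): a System32 scecli.dll whose size matches
# no component-store version, and a netlogon.dll sitting in System32\drivers.
TAMPERED_OUTPUT = r"""
 Directory of C:\Windows\System32
04/11/2009 00:28 180,224 scecli.dll
 Directory of C:\Windows\System32\drivers
11/20/2009 17:08 592,896 netlogon.dll
 Directory of C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e
04/11/2009 00:28 177,152 scecli.dll
"""

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_LINE = re.compile(r"^\s*\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+([\d,]+)\s+(\S+)\s*$")
CANNOT_ACCESS = re.compile(r"^\s*Cannot access:\s+(.+?)\s*$")

SYSTEM32 = "c:\\windows\\system32"
WINSXS = "c:\\windows\\winsxs\\"
# Kernel-owned ETW real-time logs; Win32kDiag cannot open these on any Vista system.
KNOWN_LOCKED = ("c:\\windows\\system32\\logfiles\\wmi\\rtbackup\\",)


def parse_dir_listing(text):
    """{filename (lower-case): [(directory, size_in_bytes), ...]} from DIR /s output."""
    copies = defaultdict(list)
    directory = None
    for line in text.splitlines():
        if m := DIR_HEADER.match(line):
            directory = m.group(1)
        elif (m := FILE_LINE.match(line)) and directory is not None:
            copies[m.group(2).lower()].append((directory, int(m.group(1).replace(",", ""))))
    return dict(copies)


def audit_dir_listing(text, names=("scecli.dll", "netlogon.dll", "eventlog.dll")):
    """Warnings against the clean-Vista rule: one System32 copy sized like a
    component-store version, nothing elsewhere. An absent name is not a warning."""
    warnings = []
    copies = parse_dir_listing(text)
    for name in names:
        entries = copies.get(name, [])
        live = [s for d, s in entries if d.lower() == SYSTEM32]
        store = sorted({s for d, s in entries if d.lower().startswith(WINSXS)})
        for d, s in entries:
            if d.lower() != SYSTEM32 and not d.lower().startswith(WINSXS):
                warnings.append(f"WARN {name}: copy outside System32/winsxs at {d} ({s} bytes)")
        for s in live:
            if store and s not in store:
                warnings.append(f"WARN {name}: System32 copy is {s} bytes, no component-store version matches {store}")
    return warnings


def inaccessible_paths(text):
    """Every path Win32kDiag reported as 'Cannot access'."""
    return [m.group(1) for m in map(CANNOT_ACCESS.match, text.splitlines()) if m]


def paths_needing_review(text):
    """Inaccessible paths that are not the always-locked ETW logs."""
    return [p for p in inaccessible_paths(text) if not p.lower().startswith(KNOWN_LOCKED)]


if __name__ == "__main__":
    print("Posted DIR output:", audit_dir_listing(DIR_OUTPUT) or "no warnings")
    print("Constructed tampered output:", audit_dir_listing(TAMPERED_OUTPUT))
    print("Win32kDiag paths needing review:", paths_needing_review(WIN32KDIAG_OUTPUT))
```

On the posted output the DIR rules produce no warning, and the only "Cannot access" entry that is not an RtBackup ETW log is the 81-byte temp file under the NetworkService profile, which is exactly the item a human reviewer would want to look at next.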

#14 boopme
Global Moderator
Posted 10 December 2009 - 08:12 PM

It looks like there is a rootkit variant in this log. The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. There are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection; the process must be completed by HJT team members or above.

Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.


Next please go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post the above Win32kDiag.exe log.

Let me know how that went.

#15 toe
Topic Starter
Posted 10 December 2009 - 09:12 PM

Will do, and thanks so much for all you do. What are HJT team members? Season's Greetings!



