ANTIVIR


13 replies to this topic

#1 Blondy

Blondy

  • Members
  • 10 posts
  • OFFLINE

Posted 10 December 2009 - 07:05 AM

When I got your information from a friend, the whole incident flashed in front of me all over again, because this is exactly what happened to me yesterday! Luckily I do have the recommended Anti-Malware program, and it even gave me the same report as shown in your screenshot. Only, this happened to me while I was on Facebook, playing FARMVILLE. After running the Anti-Malware scans and doing the necessary, I returned to FARMVILLE and the pop-up message appeared again, doing it all over. My questions are: 1. What should I do to prevent this from happening again, as it seems to filter through? 2. Why is it happening in Farmville? 3. Should I change my Facebook password? 4. Now and again I get a message from Windows Security Centre that I need to "turn on" my Firewall, while it is on. I have Windows XP. (Sooo many questions, I know... lol)


#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 10 December 2009 - 11:43 AM

Which scan tool was it that you used?
Was it Malwarebytes?

If so, Update mbam and run a FULL scan
Please post the results

=========================

Then run SAS

SAS may take a long time to scan.
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.

First, reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 Blondy

Blondy
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE

Posted 10 December 2009 - 12:16 PM

Thank you for replying so soon as I know you are very busy.

Yes, it was Malwarebytes I used.

Ok, I will do the necessary and get back to you soonest.

Thank you for the info and your assistance so far. It is much appreciated.

#4 Blondy

Blondy
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE

Posted 11 December 2009 - 02:03 PM

Hi Garmanma
All the scans are now done and here are the results.

MBAM
Malwarebytes' Anti-Malware 1.42
Database version: 3342
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/11/2009 8:47:48 AM
mbam-log-2009-12-11 (08-47-48).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 271998
Time elapsed: 2 hour(s), 44 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

OF THE PREVIOUS SCANS, THERE ARE 11 OBJECTS IN QUARANTINE: What am I to do with them?

SUPERAntiSpyware
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/11/2009 at 08:16 PM

Application Version : 4.31.1000

Core Rules Database Version : 4359
Trace Rules Database Version: 2204

Scan type : Complete Scan
Total Scan Time : 10:37:55

Memory items scanned : 276
Memory threats detected : 0
Registry items scanned : 7749
Registry threats detected : 9
File items scanned : 144420
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\Karin\Cookies\karin@crackle[1].txt

Adware.MyWebSearch/FunWebProducts
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#DeviceDesc

#5 azfreetech

azfreetech

  • Members
  • 182 posts
  • OFFLINE
  • Gender:Female
  • Location:Mesa, AZ

Posted 11 December 2009 - 02:10 PM

After MBAM you will want to run ATF Cleaner (for Windows XP and 2000 only!). Check the box for Select All and then click the button Empty Selected. This will help clear out temp files, cookies and other junk that clutters up Windows.

Next install, update and run SUPERAntiSpyware. Get rid of what it finds. Finally update and run your antivirus program and get rid of anything that it finds.
DJ Digital Gem

I gave up on computers and now I just DJ!

#6 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 11 December 2009 - 07:28 PM

QUOTE: OF THE PREVIOUS SCANS, THERE ARE 11 OBJECTS IN QUARANTINE: What am I to do with them?

We can delete them later on
Go ahead and run SAS and post the log
Mark

#7 Blondy

Blondy
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE

Posted 13 December 2009 - 10:15 AM

OK..thanks...going to do it. Will be back again.

#8 xblindx

xblindx

  • Banned
  • 1,923 posts
  • OFFLINE
  • Gender:Male

Posted 13 December 2009 - 10:28 AM

Blondy already posted the SAS log....

SUPERAntiSpyware
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/11/2009 at 08:16 PM

Application Version : 4.31.1000

Core Rules Database Version : 4359
Trace Rules Database Version: 2204

Scan type : Complete Scan
Total Scan Time : 10:37:55

Memory items scanned : 276
Memory threats detected : 0
Registry items scanned : 7749
Registry threats detected : 9
File items scanned : 144420
File threats detected : 1

Adware.Tracking Cookie
C:\Documents and Settings\Karin\Cookies\karin@crackle[1].txt

Adware.MyWebSearch/FunWebProducts
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MYWEBSEARCHSERVICE\0000#DeviceDesc



#9 Blondy

Blondy
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE

Posted 13 December 2009 - 03:57 PM

QUOTE
After MBAM you will want to run ATF Cleaner (for Windows XP and 2000 only!). Check the box for Select All and then click the button Empty Selected. This will help clear out temp files, cookies and other junk that clutters up Windows.

Next install, update and run SUPERAntiSpyware. Get rid of what it finds. Finally update and run your antivirus program and get rid of anything that it finds.

Scans updated and completed with the following results.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/13/2009 at 08:10 PM

Application Version : 4.31.1000

Core Rules Database Version : 4364
Trace Rules Database Version: 2207

Scan type : Complete Scan
Total Scan Time : 02:37:03

Memory items scanned : 532
Memory threats detected : 0
Registry items scanned : 7722
Registry threats detected : 0
File items scanned : 143861
File threats detected : 0



Anti-Virus

Avira AntiVir Personal
Report file date: Sunday, December 13, 2009 20:56

Scanning for 1433500 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : KARIN

Version information:
BUILD.DAT : 9.0.0.418 21723 Bytes 12/2/2009 16:28:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 11/19/2009 15:37:39
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 09:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 10:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 09:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:37:38
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 15:21:25
VBASE002.VDF : 7.10.1.1 2048 Bytes 11/19/2009 15:21:26
VBASE003.VDF : 7.10.1.2 2048 Bytes 11/19/2009 15:21:26
VBASE004.VDF : 7.10.1.3 2048 Bytes 11/19/2009 15:21:26
VBASE005.VDF : 7.10.1.4 2048 Bytes 11/19/2009 15:21:27
VBASE006.VDF : 7.10.1.5 2048 Bytes 11/19/2009 15:21:27
VBASE007.VDF : 7.10.1.6 2048 Bytes 11/19/2009 15:21:28
VBASE008.VDF : 7.10.1.7 2048 Bytes 11/19/2009 15:21:28
VBASE009.VDF : 7.10.1.8 2048 Bytes 11/19/2009 15:21:29
VBASE010.VDF : 7.10.1.9 2048 Bytes 11/19/2009 15:21:29
VBASE011.VDF : 7.10.1.10 2048 Bytes 11/19/2009 15:21:30
VBASE012.VDF : 7.10.1.11 2048 Bytes 11/19/2009 15:21:30
VBASE013.VDF : 7.10.1.79 209920 Bytes 11/25/2009 15:20:15
VBASE014.VDF : 7.10.1.128 197632 Bytes 11/30/2009 15:22:18
VBASE015.VDF : 7.10.1.178 195584 Bytes 12/7/2009 15:21:18
VBASE016.VDF : 7.10.1.179 2048 Bytes 12/7/2009 15:21:19
VBASE017.VDF : 7.10.1.180 2048 Bytes 12/7/2009 15:21:20
VBASE018.VDF : 7.10.1.181 2048 Bytes 12/7/2009 15:21:20
VBASE019.VDF : 7.10.1.182 2048 Bytes 12/7/2009 15:21:21
VBASE020.VDF : 7.10.1.183 2048 Bytes 12/7/2009 15:21:22
VBASE021.VDF : 7.10.1.184 2048 Bytes 12/7/2009 15:21:23
VBASE022.VDF : 7.10.1.185 2048 Bytes 12/7/2009 15:21:23
VBASE023.VDF : 7.10.1.186 2048 Bytes 12/7/2009 15:21:24
VBASE024.VDF : 7.10.1.187 2048 Bytes 12/7/2009 15:21:24
VBASE025.VDF : 7.10.1.188 2048 Bytes 12/7/2009 15:21:25
VBASE026.VDF : 7.10.1.189 2048 Bytes 12/7/2009 15:21:25
VBASE027.VDF : 7.10.1.190 2048 Bytes 12/7/2009 15:21:26
VBASE028.VDF : 7.10.1.191 2048 Bytes 12/7/2009 15:21:26
VBASE029.VDF : 7.10.1.192 2048 Bytes 12/7/2009 15:21:27
VBASE030.VDF : 7.10.1.193 2048 Bytes 12/7/2009 15:21:28
VBASE031.VDF : 7.10.1.219 179712 Bytes 12/11/2009 18:33:59
Engineversion : 8.2.1.108
AEVDF.DLL : 8.1.1.2 106867 Bytes 9/18/2009 15:07:19
AESCRIPT.DLL : 8.1.3.2 582010 Bytes 12/10/2009 15:22:07
AESCN.DLL : 8.1.3.0 127348 Bytes 12/10/2009 15:22:01
AESBX.DLL : 8.1.1.1 246132 Bytes 11/19/2009 15:37:38
AERDL.DLL : 8.1.3.4 479605 Bytes 12/1/2009 15:24:29
AEPACK.DLL : 8.2.0.3 422261 Bytes 11/8/2009 01:22:14
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 08:59:39
AEHEUR.DLL : 8.1.0.186 2183544 Bytes 12/7/2009 15:23:31
AEHELP.DLL : 8.1.8.0 237942 Bytes 12/7/2009 15:23:06
AEGEN.DLL : 8.1.1.80 364917 Bytes 12/7/2009 15:23:01
AEEMU.DLL : 8.1.1.0 393587 Bytes 10/3/2009 16:46:25
AECORE.DLL : 8.1.9.1 180598 Bytes 12/10/2009 15:21:57
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 13:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 07:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 9/18/2009 15:07:23
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 13:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 09:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 14:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 09:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 14:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 07:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 09:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 14:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 11/19/2009 15:37:36

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, F:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Sunday, December 13, 2009 20:56

Starting search for hidden objects.
'35470' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'SUPERAntiSpyware.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
Scan process 'KHALMNPR.exe' - '1' Module(s) have been scanned
Scan process 'SetPoint.exe' - '1' Module(s) have been scanned
Scan process 'SpySweeper.exe' - '1' Module(s) have been scanned
Scan process 'LightScribeControlPanel.exe' - '1' Module(s) have been scanned
Scan process 'AWC.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'AAWTray.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '1' Module(s) have been scanned
Scan process 'SMax4.exe' - '1' Module(s) have been scanned
Scan process 'SMax4PNP.exe' - '1' Module(s) have been scanned
Scan process 'StartSkysolSvc.exe' - '1' Module(s) have been scanned
Scan process 'SMAgent.exe' - '1' Module(s) have been scanned
Scan process 'SeaPort.exe' - '1' Module(s) have been scanned
Scan process 'MSCamS32.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'FsUsbExService.Exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'BTNtService.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'AAWService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
48 processes with 48 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '79' files ).


Starting the file scan:

Begin scan in 'C:\' <Karin 160GB>
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\'
Begin scan in 'F:\'


End of the scan: Sunday, December 13, 2009 22:29
Used time: 1:32:45 Hour(s)

The scan has been done completely.

16797 Scanned directories
597672 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
597670 Files not concerned
21086 Archives were scanned
2 Warnings
1 Notes
35470 Objects were scanned with rootkit scan
0 Hidden objects were found



11 OBJECTS IN QUARANTINE.

Will be waiting for my next assignment.

Thanks again

#10 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio

Posted 13 December 2009 - 06:17 PM

I just reread your original post. Just exactly what happened?

QUOTE: I returned to FARMVILLE and the pop-up message appeared again,

Can you remember what the message said?

QUOTE: I get a message from Windows Security Centre that I need to "turn on" my Firewall, while it is on.


We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
========================

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.
--------------------------------------


Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark
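The RootRepeal report requested above lists SSDT hooks by owning module and "Hidden Code" entries per driver dispatch routine. As an added example, not part of this thread or of RootRepeal itself, the Python below parses those two sections from a constructed sample in the same report format and does the first-pass triage a helper does by eye: it separates hooks owned by drivers already accounted for on this machine from hooks reported as "<unknown>", measures how tightly the unknown hook addresses cluster (one module or many), and checks whether all of a driver's IRP handlers point at one address. The KNOWN_HOOKERS allowlist is an assumption made for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample in RootRepeal's report format, modelled on the SSDT and
# Stealth Objects sections of the log posted in this thread (not the real log).
SAMPLE_LOG = """\
SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7e2f86e

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf7711fb2

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7e2f850

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\\Program Files\\SUPERAntiSpyware\\SASKUTIL.sys" at address 0xeedba0b0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x86db85b0 Size: 121
"""

SSDT_RE = re.compile(
    r'^#: (?P<index>\d+) Function Name: (?P<func>\w+)[ \t]*\n'
    r'Status: Hooked by "(?P<module>[^"]*)" at address (?P<addr>0x[0-9a-fA-F]+)',
    re.M)
STEALTH_RE = re.compile(
    r'^Object: Hidden Code \[Driver: (?P<driver>\w+), (?P<irp>IRP_MJ_\w+)\][ \t]*\n'
    r'Process: (?P<proc>.+?) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)',
    re.M)

# Assumed allowlist (an assumption of this example): modules the reader has
# already accounted for on this machine. SASKUTIL.sys belongs to the installed
# SUPERAntiSpyware; sptd.sys is the SCSI pass-through driver that ships with
# virtual-drive software. Anything else, including "<unknown>", needs explaining.
KNOWN_HOOKERS = {"saskutil.sys", "sptd.sys"}


def parse_ssdt_hooks(text):
    """Return one dict per hooked SSDT entry, in report order."""
    return [{"index": int(m["index"]), "function": m["func"],
             "module": m["module"], "address": int(m["addr"], 16)}
            for m in SSDT_RE.finditer(text)]


def parse_stealth_objects(text):
    """Return one dict per 'Hidden Code' dispatch entry, in report order."""
    return [{"driver": m["driver"], "irp": m["irp"], "process": m["proc"],
             "address": int(m["addr"], 16), "size": int(m["size"])}
            for m in STEALTH_RE.finditer(text)]


def module_basename(module):
    # RootRepeal prints either a bare driver name or a full path.
    return module.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(text):
    """Summarise what a reviewer of a RootRepeal log wants to know first."""
    hooks = parse_ssdt_hooks(text)
    stealth = parse_stealth_objects(text)

    unexplained = [h for h in hooks
                   if module_basename(h["module"]) not in KNOWN_HOOKERS]
    # Hook targets only a few dozen bytes apart are thunks in one module;
    # report the span so the reader can see "<unknown>" is one driver, not many.
    addrs = [h["address"] for h in unexplained]
    span = (max(addrs) - min(addrs)) if addrs else 0

    # Group Hidden Code entries by driver and check whether every IRP handler
    # of that driver points at the same address, which is what a wholesale
    # dispatch-table redirect looks like.
    targets = defaultdict(set)
    for s in stealth:
        targets[s["driver"]].add(s["address"])

    return {
        "hooks_total": len(hooks),
        "unexplained_hooks": [h["function"] for h in unexplained],
        "unexplained_span_bytes": span,
        "hidden_code_by_driver": {d: sum(1 for s in stealth if s["driver"] == d)
                                  for d in targets},
        "single_dispatch_target": {d: len(a) == 1 for d, a in targets.items()},
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```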

#11 Blondy

Blondy
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE

Posted 13 December 2009 - 07:43 PM

I quickly popped in to see what my homework was. Will do everything first thing in the morning and get back to you with the necessary, along with the explanations.

Thanx Garmanma

#12 Blondy

Blondy
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE

Posted 14 December 2009 - 06:17 AM

QUOTE
I returned to FARMVILLE and the pop-up message appeared again,

Explanation
My explanations may be regarded as useless information and might not even be related to my problem, so please bear with me. I play a lot of games on Facebook, of which "Farmville" is one. (This consists of planting, harvesting, plowing, etc., and having animals you need to collect milk from, gather feathers from, etc.) I had not had any problems in the past. On the 8th of December Firefox seemed to be operating much slower than usual. I then searched on the internet for what the problem could be. A solution was given where you had to make some changes in the settings (I think you have them in a topic here too), which I did.

On the 9th of December, first thing, I went to "Farmville", as you are given a limited time to harvest your land, otherwise it will perish. I was there about 15 minutes when suddenly a message box appeared, stating that I needed to install an anti-virus. It booted me out of FB. I tried to cancel the message but it wouldn't let me; instead an advertisement "ANTIVIR" appeared, started "scanning" my PC, stating that it was infected and that I needed to buy the product. Needless to say the "UNINSTALL" didn't work and "ANTIVIR" was nowhere to be found in Control Panel, "Add and Remove". It ended with the same result as explained in your topic: http://www.bleepingcomputer.com/virus-removal/remove-antivir. I immediately started scanning my PC with Malwarebytes. After that, I then scanned my PC with my anti-virus. I did everything they required me to do after the scans and the virus was now in quarantine. I uninstalled Firefox and installed it again, as I thought it might have caused the problem also. Later that evening I went back to "Farmville" and whilst there, "ANTIVIR" made its appearance again, with the exact same procedure as it did the first time. I made a comment in my status on FB that I was having this problem. Friends replied, giving me advice and links to download software, trying to solve my problem. (I think I now have WAY TOO MANY anti-spyware programs on my PC.)

The next day one of my friends forwarded me your link with the identified problem I was having. This is when I registered and sought your help. I never tried to go back to "Farmville", being too afraid to, because, and it may be stupid, but in my mind this is where my problems started. Not knowing which is to blame, Farmville or Firefox. Both might not even have anything to do with the problem. You would know better. This is the reason why I raised my question.

QUOTE: I get a message from Windows Security Centre that I need to “turn on” my Firewall, while it is on.
This message appears when I restart my computer, from the icon on the bottom right. "Your Computer might be at risk. You need to turn on your Firewall." (I think that is what it says.) I then go and check and find it to be on.

ROOTREPEAL
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/14 10:49
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: PCI_NTPNP9710
Image Path: \Driver\PCI_NTPNP9710
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED823000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Karin\Local Settings\Application Data\Microsoft\Messenger\cheaki37@hotmail.com\SharingMetadata\psy-lence@hotmail.com\DFSR\Staging\CS{7D0BAD3B-ABDB-DE5A-4FED-AD42FFD9DFB5}\39\39-{8F405C86-584C-41F4-B380-34A89AE0F4A1}-v39-{8F405C86-584C-41F4-B380-34A89AE0F4A1}-v39-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Karin\Local Settings\Application Data\Microsoft\Messenger\cheaki37@hotmail.com\SharingMetadata\psy-lence@hotmail.com\DFSR\Staging\CS{7D0BAD3B-ABDB-DE5A-4FED-AD42FFD9DFB5}\44\40-{BD621332-CA24-450F-8146-6C408FC161C0}-v1044-{8F405C86-584C-41F4-B380-34A89AE0F4A1}-v40-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7e2f86e

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7e2f864

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7e2f873

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7e2f87d

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf7711fb2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf7712340

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7e2f882

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xf770c0b0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7e2f850

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7e2f855

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf7712418

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf7712298

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7e2f88c

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7e2f887

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7e2f878

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xeedba0b0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x86db85b0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x86db85b0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x86db85b0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x86db85b0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86db85b0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86db85b0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86db85b0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86db85b0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x86db85b0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86db85b0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x86db85b0 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x86f631e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x86f631e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x86f631e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x86f631e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86f631e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86f631e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86f631e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86f631e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x86f631e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86f631e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x86f631e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x86e05790 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x86e05790 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86e05790 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86e05790 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x86e05790 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86e05790 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x86e05790 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x86fd21e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x86fd21e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x86fd21e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86fd21e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86fd21e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86fd21e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86fd21e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x86fd21e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x86fd21e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86fd21e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x86fd21e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x850991e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x850991e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x850991e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x850991e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x850991e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x850991e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x86e041e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x86e041e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86e041e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86e041e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x86e041e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86e041e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x86e041e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x850731e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_CREATE]
Process: System Address: 0x86bb5500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_CLOSE]
Process: System Address: 0x86bb5500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_READ]
Process: System Address: 0x86bb5500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86bb5500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86bb5500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86bb5500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86bb5500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86bb5500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86bb5500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86bb5500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86bb5500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_CLEANUP]
Process: System Address: 0x86bb5500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_PNP]
Process: System Address: 0x86bb5500 Size: 121

==EOF==

Win32kDiag.exe
Running from: C:\Documents and Settings\Karin\My Documents\Win32kDiag.exe
Log file at : C:\Documents and Settings\Karin\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...

Finished!

START >RUN cmd
It gives me the following message: C:\DIR' is not recognized as an internal or external command, operable program or batch file.
The log.txt is empty.

Hope this is done all right.
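Reading the Stealth Objects section of the RootRepeal log above as a triage task: within each driver every hooked IRP_MJ_* handler points at a single address, every entry reports the same size (121), and one driver object's name has been overwritten with non-printable characters. That is what a kernel-mode rootkit patching drivers' IRP dispatch tables looks like in RootRepeal output (the pattern is commonly associated with the TDSS/TDL3 family). The leading "Hooked by ... SASKUTIL.sys" record is a different record type, a hook attributed to the SUPERAntiSpyware driver whose path is shown, and is not part of that pattern. The Python script below is an added example, not code from this thread or from RootRepeal: it parses a constructed sample in the shape of the listing and reports the grouping. The regexes, the min_hooks threshold and the sample text are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the RootRepeal "Stealth Objects" section
# (a subset of drivers; the garbled driver name is reproduced only in form).
SAMPLE_LOG = """Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x86fd01e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x86db85b0 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86db85b0 Size: 121

Object: Hidden Code [Driver: Cdfs\u0405\u0c05\u4d43\u6156, IRP_MJ_CREATE]
Process: System Address: 0x86bb5500 Size: 121

Object: Hidden Code [Driver: Cdfs\u0405\u0c05\u4d43\u6156, IRP_MJ_PNP]
Process: System Address: 0x86bb5500 Size: 121

==EOF==
"""

# Assumed shape of the two-line entries in the listing (example, not RootRepeal's spec).
OBJECT_RE = re.compile(r"^Object: Hidden Code \[Driver: (?P<driver>.+?), (?P<irp>IRP_MJ_\w+)\]$")
DETAIL_RE = re.compile(r"^Process: (?P<process>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)$")


def parse_stealth_objects(text):
    """Return one dict per 'Hidden Code' entry (Object line plus its Process/Address/Size line)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    for obj_line, detail_line in zip(lines, lines[1:]):
        obj = OBJECT_RE.match(obj_line)
        det = DETAIL_RE.match(detail_line)
        if obj and det:
            entries.append({
                "driver": obj["driver"],
                "irp": obj["irp"],
                "process": det["process"],
                "addr": int(det["addr"], 16),
                "size": int(det["size"]),
            })
    return entries


def is_garbled_name(name):
    """Driver object names are short printable ASCII (Ntfs, Cdrom, MRxSmb, ...).
    Control or non-ASCII characters mean the name field has been overwritten."""
    return any(not (0x20 <= ord(ch) < 0x7F) for ch in name)


def triage(text, min_hooks=3):
    """Group hooks by driver and flag the IRP-table patch pattern: many major functions
    of one driver redirected to one address, one patch size shared across unrelated
    drivers, and any driver whose name is no longer printable. min_hooks is an assumed threshold."""
    entries = parse_stealth_objects(text)
    per_driver = defaultdict(lambda: {"irps": set(), "addrs": set(), "sizes": set()})
    for e in entries:
        slot = per_driver[e["driver"]]
        slot["irps"].add(e["irp"])
        slot["addrs"].add(e["addr"])
        slot["sizes"].add(e["size"])

    report = {"drivers": {}, "shared_size": None, "garbled_drivers": []}
    all_sizes = {e["size"] for e in entries}
    if len(all_sizes) == 1 and len(per_driver) > 1:
        report["shared_size"] = all_sizes.pop()
    for name, slot in per_driver.items():
        flags = []
        if is_garbled_name(name):
            flags.append("garbled driver name")
            report["garbled_drivers"].append(name)
        if len(slot["irps"]) >= min_hooks and len(slot["addrs"]) == 1:
            addr = next(iter(slot["addrs"]))
            flags.append(f"{len(slot['irps'])} IRP_MJ handlers redirected to 0x{addr:08x}")
        report["drivers"][name] = {"hooks": len(slot["irps"]), "flags": flags}
    return report


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    if rep["shared_size"] is not None:
        print(f"all hooks share patch size {rep['shared_size']} across {len(rep['drivers'])} drivers")
    for name, info in rep["drivers"].items():
        print(f"{name!r}: {info['hooks']} hook(s) {', '.join(info['flags']) or '-'}")
```

Run against the full listing, the same grouping shows one hook address per driver for Ntfs, Cdrom, dmio, usbuhci, Ftdisk, NetBT, usbehci, MRxSmb and the renamed Cdfs object, all with size 121, which is the view a removal helper wants before choosing a tool.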

#13 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:04:22 AM

Posted 14 December 2009 - 06:25 PM

Hooked by "" at address 0xf7e2f88c
Hidden Code [Driver: CdfsЅఅ䵃慖, IRP_MJ_PNP]


I'm going to have to refer you to the HJT team


Now that you were successful in creating a RootRepeal log, you need to post it in our HJT forum. There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum.

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry; just give a brief description and tell them that these logs were all you could get to run successfully.

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient, and good luck.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#14 Blondy

Blondy
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:03:22 AM

Posted 14 December 2009 - 08:38 PM

Will do and thank you for your help. I really appreciate it.



