rundll32.exe - Bad Image


This topic is locked
52 replies to this topic

#1 median
Posted 05 January 2010 - 12:42 AM

I receive this error on start up, "The application or DLL C:\DOCUME~1\NETWOR~1\ntload.dll is not a valid Windows image. Please check this against your installation diskette." I have already run a reg scan (sfc /scannow), using my XP Pro CD, and upon start up I get the same error. I have also scanned using Malwarebytes (latest version) and Housecall, with no resolve. Also, when I attempt to boot in safe mode the attempts are unsuccessful and any attempt to start Kaspersky or SpyBot Search and Destroy fail. Any help?

Thanks,
Aaron

p.s. - I'm running XP Pro SP2, 1GB RAM, AMD 3200 64 BIT.

Edited by jgweed, 05 January 2010 - 12:39 PM.
topic moved. jgw

"There is no way to happiness. Happiness is the way." Buddha



#2 hamluis (Moderator)
Posted 05 January 2010 - 07:52 AM

Generally speaking...IMO, "bad image" errors are probably malware items gumming up the system.

That seems to be confirmed by looking at various links.

See detail comments at http://www.prevx.com/filenames/10364722343...NTLOAD.DLL.html AND others at http://www.google.com/search?hl=en&rls...mp;oq=&aqi=.

I will suggest that your thread be moved to a malware forum here at BC, where someone with expertise in malware can help you. Please take all suggestions/advice from this point on...from either a Mod or someone in that malware forum.

Thanks.

Louis

#3 median (Topic Starter)
Posted 05 January 2010 - 04:50 PM

Thanks,

I attempted to load and use PREVX but, as with the other anti-programs, when I attempt to load it, it crashes and asks if I want to send an error report. I'm assuming that NTLOAD.dll is hindering me from running PREVX, SPYBOT, & KASPERSKY but I'm not sure. Any hints on what I should do here?

Thanks,
Aaron

p.s. - I have a current HIJACK THIS file if needed.

pps - I just found the virus, well at least I think I did. It's on line 04 of HJT.

O4 - HKCU\..\Run: [notepad] rundll32.exe C:\DOCUME~1\NETWOR~1\ntload.dll,_IWMPEvents@0

Edited by median, 05 January 2010 - 05:29 PM.



#4 Elise (Malware Study Hall Admin)
Posted 06 January 2010 - 03:35 PM

Hello,

Please try the following:

TFC
--------
Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

NOTE:
It's normal after running TFC cleaner that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.



SUPERANTISPYWARE
-----------------------------
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 median (Topic Starter)
Posted 06 January 2010 - 08:51 PM

Elise,

I cannot load SuperAntiSpyware or any other anti virus/anti malware/anti spyware software. The virus crashes these programs before I can run them. When I attempt to open an EXE I am met with a crash message every time. Malwarebytes will open but it does not find the problem. Also, I cannot open in Safe Mode. The virus is stopping me from doing that as well. When I attempt to boot in Safe Mode the computer just restarts.

Aaron

p.s. - [This is an update] I went into MSCONFIG and set my BOOT INI to boot in safe mode. The problem is, the virus has stopped me from booting in safe mode. So booting just runs in circles (I'm on my laptop typing this message). Anyways, I used my XP CD to repair the registry and system files, but now, when I attempt to boot the machine, it goes directly to safe mode, runs really slow, and I receive a message stating that the repair installation cannot boot in safe mode. The machine then restarts and begins the circle again. I am now wondering how I might be able to boot into DOS prompt and change my BOOT INI back to its original. Any help?

Thanks again!

Edited by median, 07 January 2010 - 12:55 AM.



#6 Elise (Malware Study Hall Admin)
Posted 07 January 2010 - 05:14 AM

Ouch, that wasn't a good idea :( Please never attempt to start safe mode using msconfig!!


Please boot in safe mode and see if you can change msconfig back.

If not, locate the following file: c:\windows\pss\boot.ini.backup

Copy that file to c:\

Rename the existing boot.ini to boot.ini.old

Rename boot.ini.backup to boot.ini


However, I somehow understand you already attempted a repair install??

regards, Elise




#7 median (Topic Starter)
Posted 07 January 2010 - 11:22 AM

Yes,
I just finished a repair install, was able to boot in safe mode and scan with SuperAntiSpyware. However, the program did not find my virus (ntload.dll,_IWMPEvents@0, in rundll32.exe). It did get rid of a few other things that I wasn't aware of but not this nasty one. So, Malwarebytes, Housecall, and SuperAnti don't see the virus upon scan. I think I'm going to go buy Kaspersky and try again. Any suggestions? I believe this virus replicates when you attempt to delete it because I have found it on my own, using Security Task Manager, and when I attempt to delete it using that it just comes back.

Aaron



#8 Elise (Malware Study Hall Admin)
Posted 07 January 2010 - 12:20 PM

Often malware has more components; if you delete one piece of it, the other pieces will just regenerate it.

Before buying Kaspersky, let's just do an online scan with it, so you can see for yourself if it detects.

Just an FYI, programs like Kaspersky often have a 30 day trial version, so you can see how it works before deciding to buy.

KASPERSKY ONLINE SCAN
-----------------------------------
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

regards, Elise




#9 median (Topic Starter)
Posted 07 January 2010 - 06:53 PM

Ok,
Here are the Kaspersky results for the C drive. I didn't scan the external hard drives but I can later if needed. The scan found two threats that neither Housecall nor Malwarebytes found.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, January 7, 2010
Operating system: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, January 07, 2010 18:09:45
Records in database: 3329061
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan statistics:
Objects scanned: 110857
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 05:12:06


File name / Threat / Threats count
C:\WINDOWS\system32\drivers\etc\hosts.20090510-204721.backup Infected: Trojan.Win32.Qhost.mcf 1
C:\WINDOWS\system32\Updater.exe Infected: Backdoor.Win32.MoSucker.30.az 1

Scanning stopped by the user.



#10 Elise (Malware Study Hall Admin)
Posted 08 January 2010 - 03:00 AM

I cannot load SuperAntiSpyware or any other anti virus/anti malware/anti spyware software. The virus crashes these programs before I can run them. When I attempt to open an EXE I am met with a crash message everytime.

Can you give me the exact error message?

To be on the safe side, let's also check the following:


Download and run Win32kDiag:

regards, Elise




#11 median (Topic Starter)
Posted 08 January 2010 - 12:59 PM

Ok,

WIN32DIAG log showed this:

Running from: C:\ANTIVIRUS STUFF\WIN32DIAG\Win32kDiag.exe

Log file at : C:\Documents and Settings\median\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

Btw, I found a way around my EXE problem. If I just rename Kaspersky (or something else like it) to something like "fluffydog.exe" I can run the program. Actually, ever since I ran the online Kaspersky scan I have not noticed the effects of ntload.dll or rundll32.exe on my system. It usually runs in the background and slows things down, freezes my machine, etc.

Aaron



#12 Elise (Malware Study Hall Admin)
Posted 08 January 2010 - 01:37 PM

Can you try to rename Super Antispyware to random.exe and run it? If you need more instructions on how to do this, just let me know :(

regards, Elise




#13 median (Topic Starter)
Posted 08 January 2010 - 03:17 PM

I renamed Super Anti to flluffydog.exe and ran it in safe mode before. However, it didn't find the virus that I am dealing with. Actually, when browsing the virus keeps attempting to redirect me to other ad sites when I attempt to search google or click on a link in google. So, I guess it is still with me. This thing is vicious.

Aaron

p.s. - I've started another alternate start Super Anti scan (normal mode) and will report back those details when finished. I'm now searching all external drives, along with the C drive, to see if there is something hiding there.

Edited by median, 08 January 2010 - 03:24 PM.



#14 Elise (Malware Study Hall Admin)
Posted 08 January 2010 - 03:34 PM

Let's have a look for rootkits here :( Please let me know which browser is redirecting you.

GMER
-------
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards, Elise




#15 median (Topic Starter)
Posted 09 January 2010 - 02:13 PM

Ok here we go...

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-09 10:56:39
Windows 5.1.2600 Service Pack 2
Running: 0tdyw1y2.exe; Driver: C:\DOCUME~1\median\LOCALS~1\Temp\ugtdypod.sys


---- System - GMER 1.0.15 ----

Code 8575FB80 ZwEnumerateKey
Code 8575FD18 ZwFlushInstructionCache
Code \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) FsRtlCheckLockForReadAccess
Code \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab) IoIsOperationSynchronous
Code 8575F85E IofCallDriver
Code 8575F606 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804E9E14 5 Bytes JMP F19FA4C0 \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab)
.text ntkrnlpa.exe!IofCallDriver 804EDE00 5 Bytes JMP 8575F863
.text ntkrnlpa.exe!IofCompleteRequest 804EDE90 5 Bytes JMP 8575F60B
.text ntkrnlpa.exe!IoIsOperationSynchronous 804EE54E 5 Bytes JMP F19FA9C0 \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab)
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805AA912 5 Bytes JMP 8575FD1C
PAGE ntkrnlpa.exe!ZwEnumerateKey 80619412 5 Bytes JMP 8575FB84

---- User code sections - GMER 1.0.15 ----

.text C:\Firefox\firefox.exe[3400] WS2_32.dll!connect 71AB406A 5 Bytes JMP 0292000A
.text C:\Firefox\firefox.exe[3400] WS2_32.dll!send 71AB428A 5 Bytes JMP 0294000A
.text C:\Firefox\firefox.exe[3400] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 0293000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs klif.sys (spuper-ptor/Kaspersky Lab)
AttachedDevice \FileSystem\Fastfat \Fat klif.sys (spuper-ptor/Kaspersky Lab)

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRThyictyuefo.sys (*** hidden *** ) F1C44000-F1C61000 (118784 bytes)
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\H8SRTrmootpkvkk.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [556] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTrmootpkvkk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1064] 0x024B0000
Library \\?\globalroot\systemroot\system32\H8SRTrmootpkvkk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1176] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTrmootpkvkk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1348] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTrmootpkvkk.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1468] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTrmootpkvkk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1524] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTrmootpkvkk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1688] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\H8SRThyictyuefo.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRThyictyuefo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRThyictyuefo.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTqpkdulkyrq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTealdoyngrg.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTrmootpkvkk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTcpjtytdbgk.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRThyictyuefo.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRThyictyuefo.sys
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTqpkdulkyrq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTealdoyngrg.dat
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTrmootpkvkk.dll
Reg HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTcpjtytdbgk.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRThyictyuefo.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRThyictyuefo.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTqpkdulkyrq.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTealdoyngrg.dat
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTrmootpkvkk.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtbbr \\?\globalroot\systemroot\system32\H8SRTcpjtytdbgk.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\IMAIL@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MAPI@
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\run\OptionalComponents\MSFS@

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Administrator\Local Settings\Temp\h8srtmainqt.dll 16451 bytes
File C:\Documents and Settings\median\Local Settings\temp\H8SRTb20c.tmp 343040 bytes executable
File C:\Documents and Settings\median\Local Settings\temp\h8srtmainqt.dll 16451 bytes
File C:\WINDOWS\system32\drivers\H8SRThyictyuefo.sys 40448 bytes executable <-- ROOTKIT !!!
File C:\WINDOWS\system32\H8SRTcpjtytdbgk.dll 40960 bytes executable
File C:\WINDOWS\system32\H8SRTealdoyngrg.dat 236 bytes
File C:\WINDOWS\system32\H8SRTqpkdulkyrq.dll 23040 bytes executable
File C:\WINDOWS\system32\H8SRTrmootpkvkk.dll 36864 bytes executable
File C:\WINDOWS\TEMP\H8SRT8a2a.tmp 244 bytes

---- EOF - GMER 1.0.15 ----

Aaron

p.s. - I think the source of the virus might have been here

http://www1.fastguard-cleaneronpc.net/?p=p...fXZucmVealXM%3D

Also, the virus hijacks my internet connection and redirects me to these sites (so far):


Edited by median, 09 January 2010 - 10:17 PM.

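Added example (not code from the posts, from HijackThis or from GMER): a small Python triage of the two artefacts in this thread, the O4 autorun line from post #3 and the GMER log above. It flags rundll32 being used to load a DLL from a short-path profile folder under an unrelated value name, and pulls the hidden driver and service, the processes carrying the hidden library, and the inline hooks that no trusted driver owns out of the GMER output; the trusted-vendor allow-list is an assumption.

```python
"""Triage the two artefacts posted in this thread: the HijackThis O4 line
and the GMER log.  Added example, not code from the posts or either tool."""
import re

# Hooks owned by these drivers are treated as expected.  Assumption: an
# allow-list the responder maintains; Kaspersky is the only vendor in this log.
TRUSTED_HOOK_VENDORS = ("Kaspersky Lab",)

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
HIDDEN = "*** hidden ***"


def triage_o4(line):
    """Return reason codes for a suspicious HijackThis O4 (Run key) entry.
    Only rundll32 entries are examined: the value name is arbitrary, so a
    generic loader pointed at a DLL is where the real payload hides."""
    m = O4_RE.match(line.strip())
    if not m:
        return []
    name, cmd = m.group("name"), m.group("cmd")
    exe, _, target = cmd.partition(" ")
    if not exe.lower().startswith("rundll32"):
        return []
    dll = target.split(",", 1)[0]                 # drop the exported entry point
    reasons = ["rundll32-loader"]
    if "\\" in dll and "system32" not in dll.lower():
        reasons.append("dll-outside-system32")    # here: a service account profile
    if "~" in dll:
        reasons.append("short-path")              # 8.3 name obscures the folder
    if name.lower() not in dll.lower():
        reasons.append("name-mismatch")           # "[notepad]" runs no notepad
    return reasons


def triage_gmer(log_text):
    """Pull the actionable items out of a GMER log: objects hidden from the
    normal API, items GMER marked as rootkit, processes carrying a hidden
    library, and inline hooks (JMP) that no trusted driver owns."""
    hidden, marked, injected, hooks = set(), set(), set(), []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):   # skip blanks and section headers
            continue
        tokens = line.split()
        kind = tokens[0]
        if "<-- ROOTKIT" in line:
            marked.add(tokens[1])
        if HIDDEN in line:
            hidden.add(tokens[1])
            if kind == "Library":                 # "... (*** hidden *** ) @ <host> [pid]"
                injected.add(line.split("@", 1)[1].split()[0])
        if kind in (".text", "PAGE") and " JMP " in line:
            owner = re.search(r"\(([^()]*)\)\s*$", line)
            if owner and any(v in owner.group(1) for v in TRUSTED_HOOK_VENDORS):
                continue
            sym = next(t for t in tokens if "!" in t)   # module!function
            hooks.append(sym if tokens[1] == sym else f"{tokens[1]} {sym}")
    return {"hidden": sorted(hidden), "rootkit_marked": sorted(marked),
            "injected_into": sorted(injected), "unattributed_hooks": hooks}


# Sample input: the O4 line from post #3 and an excerpt of the GMER log from post #15.
O4_LINE = r"O4 - HKCU\..\Run: [notepad] rundll32.exe C:\DOCUME~1\NETWOR~1\ntload.dll,_IWMPEvents@0"
GMER_EXCERPT = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804E9E14 5 Bytes JMP F19FA4C0 \??\C:\WINDOWS\system32\drivers\klif.sys (spuper-ptor/Kaspersky Lab)
.text ntkrnlpa.exe!IofCallDriver 804EDE00 5 Bytes JMP 8575F863
PAGE ntkrnlpa.exe!ZwEnumerateKey 80619412 5 Bytes JMP 8575FB84
.text C:\Firefox\firefox.exe[3400] WS2_32.dll!connect 71AB406A 5 Bytes JMP 0292000A
Module \systemroot\system32\drivers\H8SRThyictyuefo.sys (*** hidden *** ) F1C44000-F1C61000 (118784 bytes)
Library \\?\globalroot\systemroot\system32\H8SRTrmootpkvkk.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [556] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTrmootpkvkk.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1064] 0x024B0000
Service C:\WINDOWS\system32\drivers\H8SRThyictyuefo.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!
"""

if __name__ == "__main__":
    print(triage_o4(O4_LINE))
    for key, items in triage_gmer(GMER_EXCERPT).items():
        print(f"{key}: {items}")
```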
