
Webroot popup warnings


3 replies to this topic

#1 chuyc

Posted 16 January 2010 - 06:16 PM

update - did some searching and found people mentioning contention between spybot and webroot spy sweeper. I found that spybot immunize (which I ran) added a lot of known spyware host entries to my hosts file, except they all loopback to localhost. I understand this is a safety feature. The threads say that webroot spy sweeper is displaying the popups due to these entries in the hosts file. Do I still have a virus/malware that is trying to go to these sites and webroot is blocking for me, or is webroot checking my hosts and then displaying these popups (hopefully this one)? I've run symantec, malwarebytes, webroot and ad-aware and they all report no issues.


--------------------------------


Noticed the other day that my laptop started running "Security tool". I didn't install it so it must be virus related. I have Symantec Anti Virus and Lavasoft Ad-Aware and run them weekly for viruses and malware. I immediately ran Symantec and Ad-Aware but Ad-Aware found nothing. Symantec found a couple of issues (sorry can't remember) and it cleaned it up. The next day "Security tool" came up again. I ran the same programs plus Spybot and Malwarebytes Anti-Malware. These apps found and fixed a few issues. I thought I was good but this morning I noticed alerts from Webroot Spy Sweeper that the firewall stopped outgoing attempts to a bunch of questionable sites (known for virus and malware) - 780 so far today. Anyway, not sure what else to try. Please advise. Thx!

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2010/01/16 15:30
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x99423000 Size: 876544 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBAA98000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\HPSLPS008.log
Status: Locked to the Windows API!

Path: c:\documents and settings\owner.homecomputer\local settings\temp\~df2b1b.tmp
Status: Allocation size mismatch (API: 49152, Raw: 0)

Path: c:\documents and settings\owner.homecomputer\local settings\temp\~df604f.tmp
Status: Allocation size mismatch (API: 49152, Raw: 16384)

Path: c:\documents and settings\owner.homecomputer\local settings\temp\~dfe570.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Documents and Settings\Owner.HOMECOMPUTER\Local Settings\Temporary Internet Files\Content.IE5\1H0IRS1R\ping[2].js
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner.HOMECOMPUTER\Local Settings\Temporary Internet Files\Content.IE5\5UU7QMNV\index[1].gif
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner.HOMECOMPUTER\Local Settings\Temporary Internet Files\Content.IE5\9EZKF1EN\beacon[5].js
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner.HOMECOMPUTER\Local Settings\Temporary Internet Files\Content.IE5\AXPU3ABL\index[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner.HOMECOMPUTER\Local Settings\Apps\2.0\Q004L1ZN.RAO\HEJ9H8ZN.MPE\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner.HOMECOMPUTER\Local Settings\Apps\2.0\Q004L1ZN.RAO\HEJ9H8ZN.MPE\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x89106da0

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x890eeae0

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x890baf80

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x893c5f20

#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba9b887e

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x890cc2d8

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x8a7cbaa0

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x8a7cba28

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8908d2c0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x8a7c00a8

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x8a7cbb18

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x890d4d40

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8925cc88

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x891a1420

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x890d39a8

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x891d1be8

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8911da40

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x890d2188

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x8a7cb5f0

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a7cb488

#: 192 Function Name: NtRenameKey
Status: Hooked by "<unknown>" at address 0x8a7cbc80

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x89241d68

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x890d6640

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x8a7cbc08

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x890d26e0

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x890d18d0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba9b8bfe

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x89c90090

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x890d6e30

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8920f218

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x890d6718

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x890d4818

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x890ba740

Stealth Objects
-------------------
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x891fbbb8 Size: 1097

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89105920 Size: 381

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x89232020 Size: 3071

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x891922d8 Size: 409

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x89106fa8 Size: 88

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89157fa8 Size: 88

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89191a60 Size: 1441

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a77f400 Size: 195

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x8a7802f0 Size: 130

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8909e110 Size: 109

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x890a6020 Size: 257

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89e7c348 Size: 174

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89262290 Size: 1650

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89e1f020 Size: 405

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x891af020 Size: 2612

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89072300 Size: 373

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x892142d0 Size: 1461

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89e20ea8 Size: 344

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x8919e7b0 Size: 2128

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8925b498 Size: 2921

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89d71230 Size: 2303

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89e22ce0 Size: 277

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x8a7ab180 Size: 3712

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x890d8360 Size: 117

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89063fa8 Size: 88

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89063bc0 Size: 283

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89231a48 Size: 619

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x89074ab0 Size: 1361

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x88a62390

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x88ba09f8

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x88a62318

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x88a622a0

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x88a65a98

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x88a463f8

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x88a46380

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x889a9930

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x88a65b10

==EOF==

Edited by chuyc, 17 January 2010 - 10:57 AM.
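One way to check a hosts file for exactly the distinction the poster is asking about, as an added Python example that is not from this thread or from Spybot/Webroot: it separates Immunize-style entries (a name mapped to loopback or 0.0.0.0, which resolves to nowhere and is harmless) from entries that point a name at a real address, which is the shape a hosts-file hijack leaves and is worth reviewing by hand. The sample hosts file, its .test domain names, and the marker comments are constructed for this example; the code does not decide which tool wrote an entry, only where the entry sends traffic.

```python
import ipaddress

# Constructed sample hosts file for this example (not the poster's file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by an immunize tool (constructed marker)
127.0.0.1 www.bad-example.test   # blocklist entry
127.0.0.1 ads.tracker-example.test
0.0.0.0   malware-example.test
# End of immunize entries
203.0.113.7 update.antivirus-example.test
"""

# Names that the stock Windows hosts file maps to loopback by design.
STANDARD_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.

    Handles blank lines, full-line and trailing '#' comments, and lines that
    map several hostnames to one address.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: an address with no hostname
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: skip rather than guess
        for name in fields[1:]:
            yield ip, name.lower(), line_no


def classify(ip, name):
    """Classify one mapping by where it sends traffic.

    'standard' : the localhost entries Windows ships with
    'block'    : name -> loopback/unspecified, so lookups resolve to nowhere.
                 This is what an Immunize feature writes; a product that
                 watches these lookups may report each one as a blocked
                 outgoing attempt although nothing reaches the network.
    'redirect' : name -> a real address, so traffic for that name is quietly
                 sent elsewhere. This is the hijack pattern; review it.
    """
    if name in STANDARD_NAMES:
        return "standard"
    if ip.is_loopback or ip.is_unspecified:
        return "block"
    return "redirect"


def triage(text):
    """Group every mapping of a hosts file by classification."""
    groups = {"standard": [], "block": [], "redirect": []}
    for ip, name, line_no in parse_hosts(text):
        groups[classify(ip, name)].append((line_no, str(ip), name))
    return groups


if __name__ == "__main__":
    result = triage(SAMPLE_HOSTS)
    print(f"{len(result['block'])} blocklist entries (benign, resolve to nowhere)")
    for line_no, ip, name in result["redirect"]:
        print(f"REVIEW line {line_no}: {name} -> {ip}")
```

On a live machine, read C:\Windows\System32\drivers\etc\hosts into `triage()` instead of the sample; only the "redirect" group needs a human look.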

#2 myrti
Posted 23 January 2010 - 09:50 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


#3 chuyc

Posted 24 January 2010 - 12:11 PM

I consider this issue closed at this point. I removed all the known spyware URLs out of my hosts file and restarted. The Webroot spyware software did not show any popups after restart. I believe this proves that it was a software conflict between webroot and spybot. I then ran a final scan with Symantec, Spybot, Webroot Spy Sweeper, Malwarebytes, etc., and they all came back clean. A week later and I have not had any issues at all.

#4 myrti

Posted 24 January 2010 - 01:57 PM

Hi,

Since this topic appears to be resolved, I will now close it. Thanks for letting us know.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
