Malware Removal Instructions

Weird things

Post by dizzie » March 23rd, 2009, 12:36 pm

Recently my uncle connected to my wireless network when he came around, and he had a virus that changed his adverts into bigger penis adverts (not joking). The next day I turned on my comp and it crashed for the first time. I restarted it and went on Internet Explorer. When I clicked links it redirected me to eBay, a bigger penis site, etc.
It doesn't let me update my anti-virus, and it redirects my pages, which is really annoying.
Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:30:37, on 23/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=%s
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {F073BDC9-0D67-4ff0-879E-27241C843828} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] "c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [UVS12 Preload] C:\Program Files\Corel\Corel VideoStudio 12\uvPL.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus SX200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE /FU "C:\WINDOWS\TEMP\E_S18.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.1.15.dll/206 (file missing)
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D111163-F765-44FA-B3E1-B8D70D3244B0}: NameServer = 85.255.112.186,85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5252956-C553-4ED9-B8A4-23256D38A686}: NameServer = 85.255.112.186,85.255.112.124
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.186,85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.186,85.255.112.124
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 13970 bytes

Re: Weird things

Post by dan12 » March 23rd, 2009, 2:43 pm

Welcome to the MalwareRemoval forums.

My name is Dan, and I will be helping you to remove any infection(s) that you may have.

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default.)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.

Unless informed in advance, failure to post replies within 5 days will result in this thread being closed.


It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on the Save List button and specify where you would like to save this file.
When you press the Save button, a Notepad window will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks, Dan

Re: Weird things

Post by dizzie » March 23rd, 2009, 2:47 pm

Hi Dan, thanks for the reply. I'm leaving this page up and refreshing it so I can reply back quicker. Here is my log.
ABBYY FineReader 6.0 Sprint
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0.5
Ask Toolbar
ATI Control Panel
ATI Display Driver
AVG 8.5
BitComet 1.09
Camera RAW Plug-In for EPSON Creativity Suite
CC_ccProxyExt
ccCommon
CCleaner (remove only)
ccPxyCore
Choice Guard
Corel Paint Shop Pro Photo XI
Corel Snapfire
Corel VideoStudio 12
Customer Experience Enhancement
Easy Internet Sign-up
Enhanced Multimedia Keyboard Solution
EPSON Attach To Email
EPSON Easy Photo Print
EPSON File Manager
EPSON Scan
EPSON Scan Assistant
EPSON Stylus SX200 Series Printer Uninstall
EPSON Stylus SX200_SX400_TX200_TX400 Manual
EPSON Web-To-Page
Free YouTube to Mp3 Converter version 3.1
Google Toolbar for Internet Explorer
HDExtrem
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB893357)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB952287)
HP Boot Optimizer
HP Deskjet Printer Preload
HP Document Viewer 6.1
HP DVD Play 2.1
HP Imaging Device Functions 7.0
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Photosmart Cameras 6.0
HP Photosmart Premier Software 6.5
HP Product Assistant
HP PSC & OfficeJet 5.3.B
HP PSC & OfficeJet 6.1.A
HP Solution Center and Imaging Support Tools 6.1
HP Update
Internet Services
J2SE Runtime Environment 5.0 Update 5
Junk Mail filter update
LiveUpdate 2.7 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mount&Blade
MSN
MSRedist
MSVCRT
MSXML 4.0 SP2 (KB954430)
Norton AntiSpam
Norton AntiVirus 2006
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2006 (Symantec Corporation)
Norton Protection Center
Norton WMI Update
Norton WMI Update
PC-Doctor 5 for Windows
PowerCinema
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
RealPlayer
Registry Mechanic 8.0
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Segoe UI
Silkroad
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SopCast 3.0.0
SPBBC
Spyware Doctor 6.0
SymNet
TVAnts 1.0
Uninstall 1.0.0.1
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VidGIF
Windows Installer 3.1 (KB893803)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892050
Windows XP Hotfix - KB893066
WinRAR archiver

Re: Weird things

Post by dan12 » March 23rd, 2009, 3:09 pm

IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

BitComet

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).



AntiVirus
You have a couple of AVs running, Norton and AVG8; you're actually doing more harm than good by running more than one Anti Virus program.
When you do this the programs compete for resources, and the end result is that none does its best, and it can cause system instability.
I recommend that you choose one that you want to keep.
The other/s I would either uninstall, or disable from startup and use as "on demand" for an occasional scan.

Please note that almost all "free" security software is only free for home/private users.



Registry Cleaners

I notice the presence of RegistryMechanic Registry Cleaner on your pc.

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on reg cleaners:
Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly you will not see any difference.
If it doesn't work properly you may end up with an expensive doorstop.

http://forums.whatthetech.com/Regcleaner_t42862.html


Start > Run, type appwiz.cpl and click OK.

Uninstall the following:

AskSearch
AskBarDis
Ask Toolbar


Now close Control Panel.

----------------------------------



Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present):


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

WITH ALL OTHER WINDOWS CLOSED, click on Fix Checked and exit.



Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


Post the Malwarebytes log and a fresh HJT log.
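As an added example (not code from this thread, MalwareRemoval.com or HijackThis), the Python script below parses the R/O lines of an HJT log the way the reply above works through them: it flags the Ask components to be uninstalled, the BHO with no backing file, and any O17 NameServer addresses outside an allow list of expected resolvers, then diffs a before and after log to show which entries a fix removed. The sample lines are constructed from the logs posted in this thread; the allow list and the post-fix log are assumptions.

```python
"""Triage helper for a HijackThis (HJT) log, written around this thread.
Checks: Ask toolbar components, orphan BHOs ('(no file)'), O17 NameServer
entries outside an allow list, and a before/after diff of entries."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: lines copied from the first HJT log posted in the thread.
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D111163-F765-44FA-B3E1-B8D70D3244B0}: NameServer = 85.255.112.186,85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.186,85.255.112.124
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Constructed, hypothetical: how those entries might look after a successful
# fix (Ask uninstalled, orphan BHO fixed, DNS reset to the home router).
LOG_AFTER = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Assumption: resolvers the owner expects (here, anything on the home LAN).
# Replace with the ISP's resolver addresses when they are known.
TRUSTED_RESOLVERS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# Names the reply tells the user to uninstall; matched case-insensitively.
ASK_MARKERS = ("asksearch", "askbardis", "ask toolbar", "toolbar.ask.com")

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
NS_RE = re.compile(r"NameServer = ([\d.,\s]+)$")


def parse_hjt(text):
    """Return (kind, body) tuples for the R*/O* entry lines of an HJT log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def find_ask_components(entries):
    """Entries that load or point at the Ask components named in the reply."""
    return [e for e in entries if any(mk in e[1].lower() for mk in ASK_MARKERS)]


def find_orphan_bhos(entries):
    """O2 BHOs whose CLSID is registered but whose DLL is gone: '(no file)'."""
    return [e for e in entries if e[0] == "O2" and e[1].endswith("(no file)")]


def find_unexpected_nameservers(entries, trusted):
    """O17 entries with NameServer addresses outside the trusted networks.

    Returns (registry key, [addresses]) pairs. An address that does not
    parse counts as unexpected rather than being silently skipped."""
    hits = []
    for kind, body in entries:
        m = NS_RE.search(body) if kind == "O17" else None
        if not m:
            continue
        unexpected = []
        for addr in (a.strip() for a in m.group(1).split(",") if a.strip()):
            try:
                if not any(ip_address(addr) in net for net in trusted):
                    unexpected.append(addr)
            except ValueError:
                unexpected.append(addr)
        if unexpected:
            hits.append((body.split(":", 1)[0], unexpected))
    return hits


def removed_entries(before, after):
    """Entries in the first log that no longer appear in the second, in log order."""
    after_set = set(after)
    return [e for e in before if e not in after_set]


if __name__ == "__main__":
    entries = parse_hjt(LOG_BEFORE)
    checks = {
        "ask components": find_ask_components(entries),
        "orphan BHOs": find_orphan_bhos(entries),
        "unexpected NameServer": find_unexpected_nameservers(entries, TRUSTED_RESOLVERS),
    }
    for name, hits in checks.items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
    gone = removed_entries(entries, parse_hjt(LOG_AFTER))
    print(f"entries removed by the fix: {len(gone)}")
```

The O17 hits deserve the same attention as the R and O2 lines: the NameServer value decides where every lookup goes, including the antivirus update servers, which is why it is checked against resolvers the owner actually configured.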

Re: Weird things

Post by dizzie » March 23rd, 2009, 4:28 pm

Malwarebytes won't open, but I did everything else you said to do.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:27:06, on 23/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedi ... t=&gc=1&q=%s
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [UVS12 Preload] C:\Program Files\Corel\Corel VideoStudio 12\uvPL.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus SX200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE /FU "C:\WINDOWS\TEMP\E_S18.tmp" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D111163-F765-44FA-B3E1-B8D70D3244B0}: NameServer = 85.255.112.186,85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5252956-C553-4ED9-B8A4-23256D38A686}: NameServer = 85.255.112.186,85.255.112.124
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.186,85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.186,85.255.112.124
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8204 bytes
dizzie
Active Member
 
Posts: 9
Joined: April 17th, 2008, 7:11 am
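The four O17 lines in the HijackThis log above all point the machine's DNS at the same two public addresses, on every interface and in more than one control set. As an added example (not code from this thread, MalwareRemoval.com or Trend Micro), here is a small Python check that pulls those lines out of a log and flags resolvers that are neither private LAN addresses nor on an analyst-supplied allow-list. The sample log is constructed from the O17 lines quoted above plus one made-up benign line (invented interface GUID, home-router resolver); the `expected_resolvers` allow-list is an assumption the analyst fills in with the ISP's real DNS servers.

```python
"""Flag DNS-hijack indicators in HijackThis O17 (Tcpip NameServer) lines."""
import ipaddress
import re

# Constructed sample: the four O17 lines from the log in this thread, plus one
# hypothetical benign line (made-up interface GUID, home-router resolver) so the
# check has a negative case to pass over.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D111163-F765-44FA-B3E1-B8D70D3244B0}: NameServer = 85.255.112.186,85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5252956-C553-4ED9-B8A4-23256D38A686}: NameServer = 85.255.112.186,85.255.112.124
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.186,85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.186,85.255.112.124
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-1111-2222-3333-444444444444}: NameServer = 192.168.1.1
"""

# "O17 - <registry key>: NameServer = ip[,ip...]"
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,]+)\s*$")


def parse_o17(log_text):
    """Yield (registry key, control set, [resolver, ...]) for each O17 line."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        key = m.group("key")
        # HKLM\System\<ControlSet>\Services\Tcpip\... : the third path element
        # names the control set (CCS = CurrentControlSet, CS1 = ControlSet001).
        control_set = key.split("\\")[2]
        servers = [s for s in m.group("servers").split(",") if s]
        yield key, control_set, servers


def check_nameservers(log_text, expected_resolvers=frozenset()):
    """Return [(key, control_set, resolver, reason)] for every resolver that is
    neither RFC 1918 private (a LAN router) nor in the analyst-supplied
    expected_resolvers allow-list (the ISP's or company's real DNS servers)."""
    findings = []
    for key, control_set, servers in parse_o17(log_text):
        for text in servers:
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                findings.append((key, control_set, text, "unparseable address"))
                continue
            if text in expected_resolvers or ip.is_private:
                continue
            findings.append((key, control_set, text, "unexpected public resolver"))
    return findings


def control_sets_affected(findings):
    """Control sets that carry a flagged resolver. A hit in CS1 as well as CCS
    means the setting is present in more than just the currently booted set."""
    return sorted({cs for _, cs, _, _ in findings})


if __name__ == "__main__":
    hits = check_nameservers(SAMPLE_LOG)
    for key, cs, ip, reason in hits:
        print(f"{cs:4} {ip:16} {reason}  ({key})")
    print("control sets affected:", control_sets_affected(hits))
```

Run against the sample, every 85.255.112.x entry is reported and the 192.168.1.1 line is passed over; pass the ISP's resolvers in `expected_resolvers` to silence legitimate static configurations. The per-control-set summary is the part worth keeping in a triage script: a resolver that is written into every interface and into a non-current control set is a configuration change, not a DHCP lease.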

Re: Weird things

Unread postby dan12 » March 23rd, 2009, 4:32 pm

Please download and try running this: randmbam.exe

It will try to create random names and shortcuts for MBAM if you have it installed already. If this does not work we will try something else.
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Weird things

Unread postby dizzie » March 23rd, 2009, 4:37 pm

I ran a quick scan without updating and found 11 infections. I then updated and I'm scanning again now.
Malwarebytes' Anti-Malware 1.34
Database version: 1889
Windows 5.1.2600 Service Pack 2

23/03/2009 20:46:25
mbam-log-2009-03-23 (20-46-25).txt

Scan type: Quick Scan
Objects scanned: 48483
Time elapsed: 1 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\HDExtrem (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HDExtrem (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\HDExtrem (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\HDExtrem\Uninstall.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
dizzie
Active Member
 
Posts: 9
Joined: April 17th, 2008, 7:11 am

Re: Weird things

Unread postby dan12 » March 23rd, 2009, 5:01 pm

    Please create a BOOTLOG
  • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
  • Select "Enable Boot Logging" option and press enter.
  • Windows prompts you to select a Windows Installation (even if there is only one windows installation)
  • This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows

    If you're already running inside Windows you can enable it the following way.
  • Click on START - RUN and type in MSCONFIG go to the BOOT.INI tab and place a check mark by /BOOTLOG
  • Click on OK and you will be prompted to RESTART Windows. Please do restart now.
  • After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
  • From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.
  • Note: Vista users can type in the Search and it will show on the menu, then Right click and choose Run as Administrator
  • The tab is called BOOT on Vista. Then choose Boot log


RootRepeal - Rootkit Detector
  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.

Post the logs
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
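The two logs requested above complement each other: ntbtlog.txt shows which kernel drivers the loader actually brought in, and RootRepeal's Drivers section shows which of them the running system will no longer admit to. As an added example (not code from dan12, RootRepeal or the forum), here is a Python script that parses both formats and correlates them, flagging a loaded driver when its file name is a long random-looking string, when its root path is spelled differently from the common spelling in the same log, or when RootRepeal reports it as hidden. The sample inputs are constructed short excerpts in the format of the two logs, and the 20-letter threshold for "random-looking" is an assumption chosen for this illustration.

```python
"""Correlate an ntbtlog.txt boot log with RootRepeal's Drivers section."""
import re
from collections import Counter

# Constructed samples: short excerpts in the format of the two logs requested
# above, including the randomly named driver seen in this thread.
SAMPLE_BOOTLOG = r"""Service Pack 2 3 23 2009 21:06:11.500
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver ACPI.sys
Loaded driver \SystemRoot\system32\DRIVERS\ati2mtag.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Did not load driver \SystemRoot\System32\Drivers\Fdc.SYS
Loaded driver \systemroot\system32\drivers\gaopdxmwxsnqonsoayvxdowkkjkdsmfgxvjnjy.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
"""

SAMPLE_ROOTREPEAL = r"""ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/03/23 21:10

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Status: -

Name: gaopdxmwxsnqonsoayvxdowkkjkdsmfgxvjnjy.sys
Image Path: C:\WINDOWS\system32\drivers\gaopdxmwxsnqonsoayvxdowkkjkdsmfgxvjnjy.sys
Address: 0xF27F3000 Size: 94208 File Visible: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
"""

BOOTLOG_RE = re.compile(r"^(?P<status>Loaded|Did not load) driver (?P<path>\S+)$")
# 20+ lowercase letters and nothing else: an assumed threshold for "random-looking".
RANDOM_NAME_RE = re.compile(r"^[a-z]{20,}\.sys$")


def parse_bootlog(text):
    """Return [(loaded, path)] in boot order from ntbtlog.txt lines."""
    entries = []
    for line in text.splitlines():
        m = BOOTLOG_RE.match(line.strip())
        if m:
            entries.append((m.group("status") == "Loaded", m.group("path")))
    return entries


def parse_rootrepeal_drivers(text):
    """Return {file name (lower-case): Status} from RootRepeal's Drivers section.
    Section headers are bare lines without a colon; each record is a Name: line
    followed (after other fields) by its Status: line."""
    drivers, name, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "-=":
            continue
        if ":" not in line:
            section = line
            continue
        field, _, value = line.partition(":")
        if section != "Drivers":
            continue
        if field == "Name":
            name = value.strip().lower()
        elif field == "Status" and name:
            drivers[name] = value.strip()
            name = None
    return drivers


def suspicious_drivers(bootlog_text, rootrepeal_text):
    """Return [(path, [reason, ...])] for loaded drivers with at least one reason."""
    entries = parse_bootlog(bootlog_text)
    rr = parse_rootrepeal_drivers(rootrepeal_text)
    # Dominant spelling of the root element ("SystemRoot"); a lone "systemroot"
    # written by something that bypassed the normal install path stands out.
    roots = Counter(p.split("\\")[1] for _, p in entries if p.startswith("\\"))
    usual_root = roots.most_common(1)[0][0] if roots else ""
    results = []
    for loaded, path in entries:
        if not loaded:
            continue
        fname = path.rsplit("\\", 1)[-1]
        root = path.split("\\")[1] if path.startswith("\\") else ""
        reasons = []
        if root and root != usual_root and root.lower() == usual_root.lower():
            reasons.append(f"root spelled {root!r}; the common spelling is {usual_root!r}")
        if RANDOM_NAME_RE.match(fname):
            reasons.append("random-looking file name")
        status = rr.get(fname.lower())
        if status and status != "-":
            reasons.append("RootRepeal: " + status)
        if reasons:
            results.append((path, reasons))
    return results


if __name__ == "__main__":
    for path, reasons in suspicious_drivers(SAMPLE_BOOTLOG, SAMPLE_ROOTREPEAL):
        print(path, *("   - " + r for r in reasons), sep="\n")
```

Each heuristic on its own is weak (vendors do ship oddly named drivers, and a case difference alone proves nothing), which is why the script reports reasons rather than a verdict: a driver that collects all three, as the sample does, is worth a helper's attention, while a single hit is just a prompt to look at the file's signature and installation date.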

Re: Weird things

Unread postby dizzie » March 23rd, 2009, 5:16 pm

Service Pack 2 3 23 2009 21:06:11.500
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver pciide.sys
Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Loaded driver viaide.sys
Loaded driver intelide.sys
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver iaStor.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Loaded driver fltMgr.sys
Loaded driver sr.sys
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS
Loaded driver Mup.sys
Loaded driver \SystemRoot\system32\DRIVERS\nic1394.sys
Loaded driver \SystemRoot\system32\DRIVERS\AmdK8.sys
Loaded driver \SystemRoot\system32\DRIVERS\ati2mtag.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbohci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\DRIVERS\Rtnicxp.sys
Loaded driver \SystemRoot\system32\drivers\ALCXWDM.SYS
Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\system32\DRIVERS\psched.sys
Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\update.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Fdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Flpydisk.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Did not load driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Did not load driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \systemroot\system32\drivers\gaopdxmwxsnqonsoayvxdowkkjkdsmfgxvjnjy.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\system32\DRIVERS\processr.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\system32\DRIVERS\arp1394.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbccgp.sys
Loaded driver \SystemRoot\system32\DRIVERS\hidusb.sys
Loaded driver \SystemRoot\system32\DRIVERS\USBSTOR.SYS
Loaded driver \SystemRoot\system32\DRIVERS\mouhid.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdhid.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys
Did not load driver \SystemRoot\System32\Drivers\Serial.SYS
Loaded driver \SystemRoot\system32\DRIVERS\srv.sys
Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\drivers\kmixer.sys


RootRepeal got an error and ended, I forgot what it was :P
ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/03/23 21:10
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF2580000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7ACA000 Size: 8192 File Visible: No
Status: -

Name: gaopdxmwxsnqonsoayvxdowkkjkdsmfgxvjnjy.sys
Image Path: C:\WINDOWS\system32\drivers\gaopdxmwxsnqonsoayvxdowkkjkdsmfgxvjnjy.sys
Address: 0xF27F3000 Size: 94208 File Visible: -
Status: Hidden from Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF0010000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\gaopdxcounter
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gaopdxhtqoyxomwkxexsytkkylqcxjqrcwyero.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\sqlite_hzugd1FpXdEEMkZ
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www.msn[2].txt
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www.msn[1].txt
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\gaopdxmwxsnqonsoayvxdowkkjkdsmfgxvjnjy.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\0HC9INC1\imgad[1].jpg
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\0HC9INC1\hp_owner@www.burstnet[1].txt
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\0HC9INC1\tmp.edb
Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\history_manager[12].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\NabbNewMusic[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\nabbrLogger[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\nabbrLogger[2].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\nabbr[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\NDUBZZZZ004-2[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\intel_animated_fragment[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\INTLChannel[2].css
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\ISMoke-PREV[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\itunesExt[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\j-3731-1[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\j-829-49642[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\jays6pr[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\jordanprev1[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\jquery-1.2[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\js[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\keyboard_on[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\ladydriverbanner728x90[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\layout_bg_sm[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\left_arrow[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\legacy[1].css
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CAMRKXUN.htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CAN54WNB.htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CANLW54M.87&u_h=900&u_w=1440&u_ah=870&u_aw=1440&u_cd=32&u_his=23&u_java=true&dtd=47
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CAO1IHWP.htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CAOE16KY.htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CAPAQNB8.87&u_h=900&u_w=1440&u_ah=870&u_aw=1440&u_cd=32&u_his=76&u_java=true&dtd=125
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CAPD3ES5.htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CAQ7C9QV.htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CAQJQX0L.htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CAQN4LQD.swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CAQPMZOR.htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CAQROPA3.swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CAQRWH6H.htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CAR5YFZX.htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CAR8ORK2.htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CARBRK38.htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CARPC860.htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CARQ8NV4.87&u_h=900&u_w=1440&u_ah=870&u_aw=1440&u_cd=32&u_his=46&u_java=true&dtd=79
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\carrot[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CAS1YO11.htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CAS3ARAQ.swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CAS4NWVX.htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CASAIU76.swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CASDABKH.htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CASHKRM7.htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\blue_starburst[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\BodyBugDustmite[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\BodyBugLouse[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\BodyBugTrypanosomes[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\bottom-left[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\bouncey[2].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\br3[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\brand[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\btmsag[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\btn_friendsin[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\s670142432_2284262_2262976[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\Satellite[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\Satellite[2].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\Satellite[3].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\scanscout[1].json
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\scripts[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\search[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\search[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\search[2].hry&q=y%C4%B1ld%C4%B1z%20tilbe%20bh&cp=15
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\search[2].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\search[3].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\blank[10].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\BTV_DR_Q1__TV_468x60[1].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CA31PC55.htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CA6RC3M5.htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\CAAD4RON.swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\images[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\imgad[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\imgad[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\imgad[1].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\imgad[2].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\imgad[2].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\imgad[2].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\imgad[3].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\imgad[3].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\imgad[3].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\imgad[4].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\imgad[4].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\imgad[4].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\details[2].css
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\DirectMarch_728x90[1].swf
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\dl[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\download[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\download[2].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\download[3].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\editor_hdr[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\edittopfriends003_z8smwwvr[2].css
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\ena_57x57[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\enyeniler[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\history_manager[13].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\history_manager[14].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\history_manager[15].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\history_manager[16].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\history_manager[17].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\history_manager[18].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\history_manager[19].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\history_manager[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\history_manager[20].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\history_manager[2].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\history_manager[3].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\history_manager[4].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\history_manager[5].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\history_manager[6].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\history_manager[7].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\history_manager[8].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\history_manager[9].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\hot[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\hrd_popular[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\default[10].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\default[11].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\default[12].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\default[13].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\SkinNewsSnippetHeaderImage,0[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\SkinTipDetailHeaderImage,1[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\sleepy[2].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\snippet-Snapfire-SP-ALL,21[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\spacer[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\spacer[2].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\style_macek1[1].css
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\supra66_pr[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\supraskytopprev[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\swfaddress[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\q710560622_9941[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\q722975879_3702[2].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\q739708444_6406[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\q832294588_6242[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\raquelblog[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\REDIRURL=;ord=26407[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\REDIRURL=;ord=27172[1]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\REDIRURL=;ord=27172[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\REDIRURL=;ord=46998[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\REDIRURL=;ord=60148[1]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\REDIRURL=;ord=63483[1]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\REDIRURL=;ord=6643[1]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\REDIRURL=;ord=8092[1]
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\registration[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\render_ads[2].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\UIConnectWithFriends[1].css
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\UIRoundedBox_SideSpriteGirlyBlue[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\UIRoundedBox_SpriteGirlyBlue[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\UIRoundedImage[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\UITabGrid[1].css
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\ui_div_550[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\uken_bsd_iip_banner_desktop[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\uk_bsd_1.3[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\uk_bsd_9[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\n582311541_1925736_2014[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\n585528739_1038101_2755[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\n585528739_1112268_9041[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\n585528739_1223750_9393[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\n585528739_1331607_6902[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\n585528739_1435738_8615[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\n585528739_1525577_3574267[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\n585528739_489844_4507[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\n585528739_759666_8492[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\n585528739_832601_7299[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\n585528739_935408_8973[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\HistoryFrame_13.3.0204.0225[1].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\history_manager[10].htm
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\moneysafepre1v[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\monitors_on[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\moody[1].gif
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\moreVideosUp[1].p

Stealth Objects
-------------------
Object: Hidden Module [Name: gaopdxhtqoyxomwkxexsytkkylqcxjqrcwyero.dll]
Process: iexplore.exe (PID: 2700) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: gaopdxhtqoyxomwkxexsytkkylqcxjqrcwyero.dll]
Process: iexplore.exe (PID: 3836) Address: 0x10000000 Size: 49152
dizzie
Active Member
 
Posts: 9
Joined: April 17th, 2008, 7:11 am

Re: Weird things

Unread postby dan12 » March 23rd, 2009, 5:59 pm

Create a NEW folder on your Desktop named: BadFiles


Start Root Repeal and click on the Drivers tab and then click the Scan button.
Then right click on this file: gaopdxmwxsnqonsoayvxdowkkjkdsmfgxvjnjy.sys and select Dump File
This will bring up a Dump to file dialog box. Browse or select your Desktop where you created the BadFiles folder.
Then type in the name gaopdxmwxsnqonsoayvxdowkkjkdsmfgxvjnjy.sys and save it in that folder.
You can quit Root Repeal now.

Then zip up that file and upload it to: uploads.malwarebytes.org

How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista


Do me a quick scan with Malwarebytes

Post the report
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Weird things

Unread postby dizzie » March 23rd, 2009, 6:13 pm

Malwarebytes' Anti-Malware 1.34
Database version: 1889
Windows 5.1.2600 Service Pack 2

23/03/2009 22:13:14
mbam-log-2009-03-23 (22-13-14).txt

Scan type: Quick Scan
Objects scanned: 73060
Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\HP_Owner\Start Menu\Programs\HDExtrem (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\HP_Owner\Start Menu\Programs\HDExtrem\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
dizzie
Active Member
 
Posts: 9
Joined: April 17th, 2008, 7:11 am

Re: Weird things

Unread postby dan12 » March 23rd, 2009, 7:18 pm

Start Root Repeal and click on the Drivers tab and then click the Scan button.
Then right click on this file: gaopdxmwxsnqonsoayvxdowkkjkdsmfgxvjnjy.sys and select the *wipe file* option only, then immediately reboot the computer.

Now scan with Malwarebytes again (quick scan).
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Weird things

Unread postby dizzie » March 24th, 2009, 12:23 pm

Malwarebytes' Anti-Malware 1.34
Database version: 1889
Windows 5.1.2600 Service Pack 2

24/03/2009 16:22:06
mbam-log-2009-03-24 (16-22-06).txt

Scan type: Quick Scan
Objects scanned: 62329
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
dizzie
Active Member
 
Posts: 9
Joined: April 17th, 2008, 7:11 am

Re: Weird things

Unread postby dan12 » March 24th, 2009, 1:25 pm

Can you do me a further RootRepeal scan as I asked previously, then we will use another tool if it's not cleared what I want. :)
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Weird things

Unread postby dizzie » March 24th, 2009, 1:39 pm

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/03/24 17:33
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF25C8000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AAE000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEF374000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\ntbtlog.txt
Status: Size mismatch (API: 36982, Raw: 36858)

Path: C:\Documents and Settings\HP_Owner\NTUSER.DAT.LOG
Status: Size mismatch (API: 1024, Raw: 126976)

Path: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-0774DF76.pf
Status: Size mismatch (API: 15182, Raw: 15126)

Path: C:\WINDOWS\Prefetch\VERCLSID.EXE-3667BD89.pf
Status: Size mismatch (API: 15476, Raw: 16768)

Path: C:\WINDOWS\Temp\sqlite_w79jIJDVnJOL1TX
Status: Allocation size mismatch (API: 4096, Raw: 0)
dizzie
Active Member
 
Posts: 9
Joined: April 17th, 2008, 7:11 am
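A small triage script for RootRepeal logs in the layout posted in this thread (Drivers, Hidden/Locked Files and Stealth Objects sections), added here as an example; it is not RootRepeal's code or anything from the thread. The sample log is constructed: the file names are the ones discussed above, the gaopdx driver's address and size are made up, and the "expected hidden drivers" list and cache filter are this example's own heuristics.

```python
# Added example (not RootRepeal's or the forum's code): triage a RootRepeal log in the layout posted
# in this thread.  Hidden drivers are normal only for dump_* stubs and rootrepeal.sys; cache entries are noise.
import re
from collections import defaultdict

# Constructed sample in the thread's log layout; the gaopdx driver's address and size are made up.
SAMPLE_LOG = r"""Drivers
-------------------
Name: dump_atapi.sys
Address: 0xF25C8000 Size: 98304 File Visible: No

Name: gaopdxmwxsnqonsoayvxdowkkjkdsmfgxvjnjy.sys
Address: 0xF7A8A000 Size: 61440 File Visible: No

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\SRFB20TT\spacer[1].gif
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gaopdxcounter
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: gaopdxhtqoyxomwkxexsytkkylqcxjqrcwyero.dll]
Process: iexplore.exe (PID: 2700) Address: 0x10000000 Size: 49152
"""
EXPECTED_HIDDEN_DRIVERS = ("dump_", "rootrepeal.sys")
CACHE_MARKER = "\\temporary internet files\\"

def parse_sections(text):
    """Map each section name to its blank-line-separated {key: value} entries."""
    parts = re.split(r"^(Drivers|Hidden/Locked Files|Stealth Objects)\n-+\n", text, flags=re.M)
    # each 'Key: value' line is split on its first ': ' only, so 'C:\' inside paths survives
    return {name: [dict(line.partition(": ")[::2] for line in block.splitlines())
                   for block in re.split(r"\n\s*\n", body.strip())]
            for name, body in zip(parts[1::2], parts[2::2])}

def triage(text):
    """Return (kind, item) findings that deserve a second look."""
    s, findings = parse_sections(text), []
    for d in s.get("Drivers", []):
        if "File Visible: No" in d.get("Address", "") and not d["Name"].lower().startswith(EXPECTED_HIDDEN_DRIVERS):
            findings.append(("hidden-driver", d["Name"]))
    for f in s.get("Hidden/Locked Files", []):
        if "Invisible" in f.get("Status", "") and CACHE_MARKER not in f["Path"].lower():
            findings.append(("hidden-file", f["Path"]))
    for o in s.get("Stealth Objects", []):  # a DLL hidden inside a process, like the gaopdx module above
        m = re.search(r"\[Name: ([^\]]+)\]", o.get("Object", ""))
        if m:
            findings.append(("hidden-module", m.group(1) + " in " + o.get("Process", "?").split(" (")[0]))
    return findings

def name_families(findings, length=6):
    """Count findings whose file name shares a prefix: one rootkit behind many random names."""
    counts = defaultdict(int)
    for _, item in findings:
        counts[item.split("\\")[-1].split(" in ")[0].lower()[:length]] += 1
    return {prefix: n for prefix, n in counts.items() if n > 1}
```

On the sample this reports the hidden driver, the hidden system32 file and the module injected into iexplore.exe, and groups all three under the shared gaopdx prefix, which is the same reasoning the helper uses above to tie the driver, the counter file and the DLL to one infection.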