Topic: Win32 Viruses found on my computer

brookscb

  • Guest
Win32 Viruses found on my computer
« on: August 31, 2009, 12:12:55 AM »
Hi everyone,

My computer was recently infected with a nasty virus, and I stumbled across this site in my search for advice to correct the problem.  I'm following Tech's eight step process (I've cleaned temp files, ran avast!, ran SUPERAntiSpyware, and ran avast! antirootkit).  avast! and SUPERAntiSpyware spotted viruses and trojans which I moved to the chest, but my computer is still acting funny (background of desktop looks different, task manager doesn't work, system restore is messed up).  The avast! antirootkit found hidden files, but I'm not sure what to do with these:

Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D]  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D] DisplayName="륳瞒"  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D] DeviceDesc="륳瞒"  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D] ProviderName="⟼粐⡬"  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D] MFG="솿᠃Ҩ"  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D] ReinstallString=".10.1000.4"  **HIDDEN**
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D] DeviceInstanceIds="d:\swsetup\video\sbdrv\smbus\smbusati.inf"  **HIDDEN**

I also created a Hijackthis log:


brookscb

  • Guest
Re: Win32 Viruses found on my computer
« Reply #1 on: August 31, 2009, 12:13:17 AM »
I also created a Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:02 PM, on 8/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Colin\Local Settings\Temporary Internet Files\Content.IE5\M03Z0TRM\aswar[1].exe
C:\DOCUME~1\Colin\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net?cid=NET_mmhpset
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Universal Installer] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden
O4 - HKCU\..\Run: [Desktop Software] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe"  /ini "uinstaller.ini" /fromrun /starthidden
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196632822328
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://vpn.iasishealthcare.com/dana-cached/setup/JuniperSetupSP1.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9137 bytes

Anyone know where I go from here?  Thanks in advance!!


micky77

  • Guest
Re: Win32 Viruses found on my computer
« Reply #2 on: August 31, 2009, 12:47:49 AM »
You could post the names and locations of any infections found, or better, post the last log results of avast! and SUPERAntiSpyware.

brookscb

  • Guest
Re: Win32 Viruses found on my computer
« Reply #3 on: August 31, 2009, 01:17:03 AM »
Is there an easy way to post these log results?  I've opened the virus chest in avast! but it won't let me simply copy and paste the list of infected files.

brookscb

  • Guest
Re: Win32 Viruses found on my computer
« Reply #4 on: August 31, 2009, 01:33:15 AM »
I think I figured out how to convert the log to text.  Here is a listing of "warnings" found by avast! since I was first infected on 8/11/09.  I'll try to figure out how to post my SUPERAntiSpyware log next.

8/11/2009 9:31:13 PM   Colin   3496   Sign of "Win32:VunDrop [Drp]" has been found in "c:\windows\system32\winhelper.dll" file. 
8/12/2009 8:19:44 PM   SYSTEM   596   Sign of "Win32:Alureon-CM [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\SKYNETJTIDMTAG.DLL" file. 
8/16/2009 6:27:58 PM   Colin   644   Sign of "Win32:Alureon-CM [Rtk]" has been found in "c:\windows\system32\drivers\skynetfofbtowq.sys" file. 
8/16/2009 10:01:31 PM   SYSTEM   580   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\winupdate.exe" file. 
8/16/2009 10:02:50 PM   SYSTEM   580   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\winupdate.exe" file. 
8/16/2009 10:15:51 PM   SYSTEM   580   Sign of "Win32:Alureon-CM [Rtk]" has been found in "C:\Documents and Settings\Colin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-16-2009 - 22-15-50\{0103B648-35C9-4F85-988C-871D07EB37A4}" file. 
8/16/2009 10:16:13 PM   SYSTEM   580   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Colin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-16-2009 - 22-15-50\{50085654-FE5F-4887-8DA1-BB0C337CCDBC}" file. 
8/16/2009 10:16:19 PM   SYSTEM   580   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Colin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-16-2009 - 22-15-50\{A970F8E9-629D-4C31-8B31-9FE22172A5C1}" file. 
8/16/2009 10:16:23 PM   SYSTEM   580   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Colin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-16-2009 - 22-15-50\{8B86EB46-8118-4954-A178-2F33DB5D1699}" file. 
8/16/2009 10:18:54 PM   Colin   1784   Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\WINDOWS\system32\logon.exe" file. 
8/16/2009 10:40:15 PM   Colin   1784   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP309\A0041001.EXE" file. 
8/16/2009 10:56:01 PM   Colin   1784   Sign of "Win32:Alureon-CM [Rtk]" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP310\A0041173.DLL" file. 
8/16/2009 10:56:12 PM   Colin   1784   Sign of "Win32:Alureon-CM [Rtk]" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP310\A0041191.SYS" file. 
8/16/2009 11:21:12 PM   Colin   1784   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Colin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-16-2009 - 23-21-12\{17059B1A-4B40-4B56-8B7F-D2BE508FC7F9}" file. 
8/16/2009 11:21:16 PM   Colin   1784   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\Colin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-16-2009 - 23-21-12\{F9E45740-2B82-4DD1-BC47-34783DA69DFE}" file. 
8/26/2009 7:11:48 PM   SYSTEM   616   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP309\A0041001.EXE" file. 
8/26/2009 7:13:01 PM   SYSTEM   616   Sign of "Win32:Alureon-CM [Rtk]" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP310\A0041173.DLL" file. 
8/26/2009 7:13:28 PM   SYSTEM   616   Sign of "Win32:Alureon-CM [Rtk]" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP310\A0041191.SYS" file. 
8/26/2009 7:13:52 PM   SYSTEM   616   Sign of "Win32:Alureon-CM [Rtk]" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP312\A0042209.DLL" file. 
8/26/2009 7:13:58 PM   SYSTEM   616   Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\SYSTEM VOLUME INFORMATION\_RESTORE{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP312\A0042226.EXE" file. 
8/26/2009 7:56:34 PM   Colin   2924   Sign of "Other:Malware-gen" has been found in "C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-667690a1.zip\vmain.class" file. 
8/26/2009 8:22:00 PM   Colin   2924   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\System Volume Information\_restore{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP309\A0041001.exe" file. 
8/26/2009 8:22:30 PM   Colin   2924   Sign of "Win32:Alureon-CM [Rtk]" has been found in "C:\System Volume Information\_restore{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP310\A0041173.dll" file. 
8/26/2009 8:22:34 PM   Colin   2924   Sign of "Win32:Alureon-CM [Rtk]" has been found in "C:\System Volume Information\_restore{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP310\A0041191.sys" file. 
8/26/2009 8:22:44 PM   Colin   2924   Sign of "Win32:Alureon-CM [Rtk]" has been found in "C:\System Volume Information\_restore{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP312\A0042209.dll" file. 
8/26/2009 8:22:47 PM   Colin   2924   Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\System Volume Information\_restore{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP312\A0042226.exe" file. 
8/26/2009 8:41:26 PM   Colin   2924   Sign of "Win32:Trojan-gen {Other}" has been found in "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KP6BS1U7\ftp[1].exe" file. 
8/26/2009 8:42:21 PM   Colin   2924   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KP6BS1U7\install[1].exe" file. 
8/26/2009 8:43:14 PM   Colin   2924   Sign of "Win32:Spyware-gen [Trj]" has been found in "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W5Y3CPU7\main[1].exe" file. 
8/26/2009 8:46:15 PM   Colin   2924   Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\Temp\rdl2C2.tmp.exe" file. 

brookscb

  • Guest
Re: Win32 Viruses found on my computer
« Reply #5 on: August 31, 2009, 01:43:23 AM »
Here is my original log from SUPERAntiSpyware, which I ran on 8/16/09.  My recent scans have only found tracking cookies.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/16/2009 at 10:15 PM

Application Version : 4.27.1002

Core Rules Database Version : 4058
Trace Rules Database Version: 1998

Scan type       : Quick Scan
Total Scan Time : 00:10:46

Memory items scanned      : 494
Memory threats detected   : 1
Registry items scanned    : 420
Registry threats detected : 24
File items scanned        : 4894
File threats detected     : 54

Trojan.WinUpdate
   C:\WINDOWS\SYSTEM32\WINUPDATE.EXE
   C:\WINDOWS\SYSTEM32\WINUPDATE.EXE
   C:\WINDOWS\Prefetch\WINUPDATE.EXE-0F50C4F5.pf

Trojan.Agent/Gen
   [Wallpaper] C:\WINDOWS\SYSTEM32\CRITICAL_WARNING.HTML
   C:\WINDOWS\SYSTEM32\CRITICAL_WARNING.HTML
   C:\WINDOWS\system32\lowsec\local.ds
   C:\WINDOWS\system32\lowsec\user.ds
   C:\WINDOWS\system32\lowsec\user.ds.lll
   C:\WINDOWS\system32\lowsec

Adware.Tracking Cookie

Rootkit.Agent/Gen
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS#start
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS#type
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS#group
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS#imagepath
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\main
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\main#aid
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\main#sid
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\main#cmddelay
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\main\injector
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\main\injector#*
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\main\tasks
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\modules
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\modules#SKYNETrk.sys
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\modules#SKYNETcmd.dll
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\modules#SKYNETlog.dat
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\modules#SKYNETwsp.dll
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\modules#SKYNET.dat
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\Enum
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\Enum#0
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\Enum#Count
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\Enum#NextInstance
   HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\Enum#INITSTARTFAILED

Rootkit.Agent/Gen-Skynet
   C:\WINDOWS\SYSTEM32\SKYNETWQWMNRER.DAT
   C:\WINDOWS\SYSTEM32\SKYNETXMOXCPBA.DAT
   C:\WINDOWS\SYSTEM32\SKYNETPQBKSCJX.DLL

Trojan.Agent/Gen-FakeAV[DNS]
   C:\WINDOWS\SYSTEM32\TRZ2CD.TMP
   C:\WINDOWS\TEMP\RDL2C1.TMP.EXE
   C:\WINDOWS\TEMP\_AVAST4_\UNP66092725.TMP

mathboyx215

  • Avast Evangelist
Re: Win32 Viruses found on my computer
« Reply #6 on: August 31, 2009, 02:06:28 AM »
Hi. Apparently you are infected with the Skynet rootkit. Can you please download RootRepeal from the following link:
http://ad13.geekstogo.com/RootRepeal.zip
After you have downloaded it, double click to run it. Then run a scan.
After the scan is complete, click on "save report" and save the log where you can find it easily. Then copy and paste the content of the log and post it here.

brookscb

  • Guest
Re: Win32 Viruses found on my computer
« Reply #7 on: August 31, 2009, 03:11:17 AM »
mathboyx215, thanks for your response. Here is my RootRepeal log:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:      2009/08/30 20:07
Program Version:      Version 1.3.5.0
Windows Version:      Windows XP SP3
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xF75F2000   Size: 57344   File Visible: -   Signed: -
Status: -

Name: Aavmker4.SYS
Image Path: C:\WINDOWS\System32\Drivers\Aavmker4.SYS
Address: 0xF7992000   Size: 19072   File Visible: -   Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF74A3000   Size: 187776   File Visible: -   Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000   Size: 2066048   File Visible: -   Signed: -
Status: -

Name: ACPIEC.sys
Image Path: ACPIEC.sys
Address: 0xF79EE000   Size: 11648   File Visible: -   Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xEEA09000   Size: 138496   File Visible: -   Signed: -
Status: -

Name: AmdK8.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AmdK8.sys
Address: 0xF7652000   Size: 57344   File Visible: -   Signed: -
Status: -

Name: arp1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Address: 0xF7812000   Size: 60800   File Visible: -   Signed: -
Status: -

Name: aswArKrn.sys
Image Path: C:\DOCUME~1\Colin\LOCALS~1\Temp\aswArKrn.sys
Address: 0xF79AA000   Size: 21888   File Visible: No   Signed: -
Status: -

Name: aswFsBlk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys
Address: 0xF78B2000   Size: 32768   File Visible: -   Signed: -
Status: -

Name: aswMon2.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswMon2.SYS
Address: 0xEC322000   Size: 87424   File Visible: -   Signed: -
Status: -

Name: aswRdr.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswRdr.SYS
Address: 0xEBD08000   Size: 15136   File Visible: -   Signed: -
Status: -

Name: aswSP.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswSP.SYS
Address: 0xEE900000   Size: 135168   File Visible: -   Signed: -
Status: -

Name: aswTdi.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswTdi.SYS
Address: 0xF77B2000   Size: 41664   File Visible: -   Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF743D000   Size: 96512   File Visible: -   Signed: -
Status: -

Name: ati2cqag.dll
Image Path: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBFA14000   Size: 233472   File Visible: -   Signed: -
Status: -

Name: ati2dvag.dll
Image Path: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF9D5000   Size: 258048   File Visible: -   Signed: -
Status: -

Name: ati2mtag.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Address: 0xF715D000   Size: 1400832   File Visible: -   Signed: -
Status: -

Name: ati3duag.dll
Image Path: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBFA82000   Size: 2433024   File Visible: -   Signed: -
Status: -

Name: atikvmag.dll
Image Path: C:\WINDOWS\System32\atikvmag.dll
Address: 0xBFA4D000   Size: 217088   File Visible: -   Signed: -
Status: -

Name: ativvaxx.dll
Image Path: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBFCD4000   Size: 606208   File Visible: -   Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000   Size: 286720   File Visible: -   Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF7C0F000   Size: 3072   File Visible: -   Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xF79EA000   Size: 16384   File Visible: -   Signed: -
Status: -

Name: bcmwl5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
Address: 0xF7077000   Size: 376320   File Visible: -   Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7AF0000   Size: 4224   File Visible: -   Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF79E2000   Size: 12288   File Visible: -   Signed: -
Status: -

Name: camc6aud.sys
Image Path: C:\WINDOWS\system32\drivers\camc6aud.sys
Address: 0xF76B2000   Size: 38016   File Visible: -   Signed: -
Status: -

Name: camc6hal.sys
Image Path: C:\WINDOWS\system32\drivers\camc6hal.sys
Address: 0xF6FD2000   Size: 349312   File Visible: -   Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xEEB74000   Size: 63744   File Visible: -   Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF7672000   Size: 62976   File Visible: -   Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF7632000   Size: 53248   File Visible: -   Signed: -
Status: -

Name: CmBatt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Address: 0xF7AAE000   Size: 13952   File Visible: -   Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xF79E6000   Size: 10240   File Visible: -   Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF7622000   Size: 36352   File Visible: -   Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF76C2000   Size: 61440   File Visible: -   Signed: -
Status: -

Name: dsNcAdpt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
Address: 0xF76D2000   Size: 40960   File Visible: -   Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE8C0000   Size: 98304   File Visible: No   Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B90000   Size: 8192   File Visible: No   Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xEE8F0000   Size: 12288   File Visible: -   Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000   Size: 73728   File Visible: -   Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7C3C000   Size: 4096   File Visible: -   Signed: -
Status: -

Name: EABFiltr.sys
Image Path: C:\WINDOWS\system32\drivers\EABFiltr.sys
Address: 0xF7AF8000   Size: 7936   File Visible: -   Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF77F2000   Size: 44544   File Visible: -   Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF741D000   Size: 129792   File Visible: -   Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7AEE000   Size: 7936   File Visible: -   Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF7455000   Size: 125056   File Visible: -   Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys
Address: 0xF7912000   Size: 28672   File Visible: -   Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806D0000   Size: 131840   File Visible: -   Signed: -
Status: -

Name: HSF_CNXT.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Address: 0xF6DC8000   Size: 718464   File Visible: -   Signed: -
Status: -

Name: HSF_DP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
Address: 0xF6E78000   Size: 1035008   File Visible: -   Signed: -
Status: -

Name: HSFHWATI.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
Address: 0xF6F75000   Size: 231424   File Visible: -   Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xEBA27000   Size: 264832   File Visible: -   Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF7692000   Size: 52480   File Visible: -   Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF7662000   Size: 42112   File Visible: -   Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xEEA2B000   Size: 152832   File Visible: -   Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xEEBDD000   Size: 75264   File Visible: -   Signed: -
Status: -


brookscb

  • Guest
Re: Win32 Viruses found on my computer
« Reply #8 on: August 31, 2009, 03:12:07 AM »
Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF75D2000   Size: 37248   File Visible: -   Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF791A000   Size: 24576   File Visible: -   Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7AD2000   Size: 8192   File Visible: -   Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xB9D6C000   Size: 172416   File Visible: -   Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF7102000   Size: 143360   File Visible: -   Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF73F4000   Size: 92928   File Visible: -   Signed: -
Status: -

Name: mdmxsdk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Address: 0xEBF17000   Size: 11840   File Visible: -   Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF7AF2000   Size: 4224   File Visible: -   Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF792A000   Size: 30080   File Visible: -   Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF7922000   Size: 23040   File Visible: -   Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF7602000   Size: 42368   File Visible: -   Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xEBECA000   Size: 180608   File Visible: -   Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xEE921000   Size: 455296   File Visible: -   Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF796A000   Size: 19072   File Visible: -   Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF7712000   Size: 35072   File Visible: -   Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF7AC2000   Size: 15488   File Visible: -   Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF730C000   Size: 105344   File Visible: -   Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF733A000   Size: 182656   File Visible: -   Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF7AB2000   Size: 10112   File Visible: -   Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xEC6C4000   Size: 14592   File Visible: -   Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF6DB1000   Size: 91520   File Visible: -   Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF7732000   Size: 40576   File Visible: -   Signed: -
Status: -

Name: NEOFLTR_550_12491.SYS
Image Path: C:\WINDOWS\system32\Drivers\NEOFLTR_550_12491.SYS
Address: 0xF77A2000   Size: 56768   File Visible: -   Signed: -
Status: -

Name: NEOFLTR_630_14121.SYS
Image Path: C:\WINDOWS\system32\Drivers\NEOFLTR_630_14121.SYS
Address: 0xF7792000   Size: 57088   File Visible: -   Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF77D2000   Size: 34688   File Visible: -   Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xEEABC000   Size: 162816   File Visible: -   Signed: -
Status: -

Name: nic1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Address: 0xF76A2000   Size: 61824   File Visible: -   Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF7972000   Size: 30848   File Visible: -   Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7367000   Size: 574976   File Visible: -   Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000   Size: 2066048   File Visible: -   Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7CD5000   Size: 2944   File Visible: -   Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF75E2000   Size: 61696   File Visible: -   Signed: -
Status: -

Name: OPRGHDLR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
Address: 0xF7B9B000   Size: 4096   File Visible: -   Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF785A000   Size: 19712   File Visible: -   Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF7492000   Size: 68224   File Visible: -   Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7B9A000   Size: 3328   File Visible: -   Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF7852000   Size: 28672   File Visible: -   Signed: -
Status: -

Name: pcmcia.sys
Image Path: pcmcia.sys
Address: 0xF7474000   Size: 120192   File Visible: -   Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000   Size: 2066048   File Visible: -   Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF6FAE000   Size: 147456   File Visible: -   Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF6DA0000   Size: 69120   File Visible: -   Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF793A000   Size: 17792   File Visible: -   Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF7862000   Size: 20000   File Visible: -   Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF72BB000   Size: 8832   File Visible: -   Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF76E2000   Size: 51328   File Visible: -   Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF76F2000   Size: 41472   File Visible: -   Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF7702000   Size: 48384   File Visible: -   Signed: -
Status: -



brookscb

  • Guest
Re: Win32 Viruses found on my computer
« Reply #9 on: August 31, 2009, 03:12:40 AM »
Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF7942000   Size: 16512   File Visible: -   Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000   Size: 2066048   File Visible: -   Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xEE9B9000   Size: 175744   File Visible: -   Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7AF4000   Size: 4224   File Visible: -   Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF7682000   Size: 57600   File Visible: -   Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9FD5000   Size: 49152   File Visible: No   Signed: -
Status: -

Name: Rtlnicxp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
Address: 0xF7028000   Size: 74496   File Visible: -   Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xF7982000   Size: 24576   File Visible: -   Signed: -
Status: -

Name: SASENUM.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
Address: 0xF78AA000   Size: 20480   File Visible: -   Signed: -
Status: -

Name: SASKUTIL.sys
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0xEE9E4000   Size: 151552   File Visible: -   Signed: -
Status: -

Name: sdbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\sdbus.sys
Address: 0xF703B000   Size: 79232   File Visible: -   Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF740B000   Size: 73472   File Visible: -   Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF7326000   Size: 81920   File Visible: No   Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xEBE50000   Size: 333952   File Visible: -   Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF7AE8000   Size: 4352   File Visible: -   Signed: -
Status: -

Name: SynTP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Address: 0xF70D3000   Size: 190400   File Visible: -   Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xEC2A2000   Size: 60800   File Visible: -   Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xEEB84000   Size: 361600   File Visible: -   Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF7932000   Size: 20480   File Visible: -   Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF7722000   Size: 40704   File Visible: -   Signed: -
Status: -

Name: tifm21.sys
Image Path: C:\WINDOWS\system32\drivers\tifm21.sys
Address: 0xF704F000   Size: 162176   File Visible: -   Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF6C7A000   Size: 384768   File Visible: -   Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF7AE6000   Size: 8192   File Visible: -   Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF790A000   Size: 30208   File Visible: -   Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF7762000   Size: 59520   File Visible: -   Signed: -
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xF7902000   Size: 17152   File Visible: -   Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF7125000   Size: 147456   File Visible: -   Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF7962000   Size: 20992   File Visible: -   Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF7149000   Size: 81920   File Visible: -   Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF7612000   Size: 52352   File Visible: -   Signed: -
Status: -

Name: vsdatant.sys
Image Path: C:\WINDOWS\System32\vsdatant.sys
Address: 0xEEA51000   Size: 438272   File Visible: -   Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF77C2000   Size: 34560   File Visible: -   Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF7892000   Size: 20480   File Visible: -   Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xEC0DD000   Size: 83072   File Visible: -   Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000   Size: 1847296   File Visible: -   Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000   Size: 1847296   File Visible: -   Signed: -
Status: -

Name: wmiacpi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Address: 0xF7AA6000   Size: 8832   File Visible: -   Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7AD4000   Size: 8192   File Visible: -   Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000   Size: 2066048   File Visible: -   Signed: -
Status: -

Name: ws2ifsl.sys
Image Path: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Address: 0xF7A82000   Size: 12032   File Visible: -   Signed: -
Status: -
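A small triage script for the driver listing posted above, added here as an example (it is not part of the thread and not a scanner vendor's code): it parses the Name / Image Path / Address / Size / File Visible / Signed / Status records and reports the entries a helper looks at first. The sample records are constructed from the listing's layout, and the set of scanner drivers expected to hide their own file is an assumption.

```python
import re
# Constructed sample in the record layout of the listing above (four records, not the full log).
SAMPLE_LOG = r"""Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9FD5000   Size: 49152   File Visible: No   Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF7326000   Size: 81920   File Visible: No   Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000   Size: 1847296   File Visible: -   Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000   Size: 1847296   File Visible: -   Signed: -
Status: -
"""
ADDR_RE = re.compile(r"Address: (0x[0-9A-Fa-f]+)\s+Size: (\d+)\s+File Visible: (\S+)\s+Signed: (\S+)")
KNOWN_SELF_HIDING = {"rootrepeal.sys"}  # assumption: the scanner's own driver hides its file
HIDDEN_NOTE = {True: "hidden file, expected for the scanner's own driver",
               False: "hidden file: confirm with a second tool before acting"}

def parse_driver_log(text):
    # One dict per driver record; records are separated by a blank line.
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if (m := ADDR_RE.match(line.strip())):
                rec.update(address=int(m[1], 16), size=int(m[2]), file_visible=m[3], signed=m[4])
            elif ": " in line:  # Name / Image Path / Status lines
                key, value = line.split(": ", 1)
                rec[key.strip().lower().replace(" ", "_")] = value.strip()
        records.append(rec)
    return records

def triage(records):
    # Map driver name -> note for the entries a helper should examine first.
    notes, by_addr = {}, {}
    for r in records:
        by_addr.setdefault(r["address"], []).append(r["name"])
        if r["file_visible"].lower() == "no":
            notes[r["name"]] = HIDDEN_NOTE[r["name"].lower() in KNOWN_SELF_HIDING]
    # Several names at one base address are aliases of one image (Win32k / win32k.sys), not extra modules.
    for addr, names in by_addr.items():
        for n in (names if len(names) > 1 else []):
            notes.setdefault(n, f"alias at {addr:#x} of " + ", ".join(x for x in names if x != n))
    return notes
```

Bare image paths such as `srescan.sys` or `Ntfs.sys` are how this tool reports boot-start drivers and are not a finding by themselves; only the `File Visible: No` column and unexplained address sharing are flagged.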



Offline mathboyx215

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 449
Re: Win32 Viruses found on my computer
« Reply #10 on: August 31, 2009, 04:03:57 AM »
Could you please download Malwarebytes: http://filehippo.com/download_malwarebytes_anti_malware/
After you have it installed, go to the update tab and click on "check for update".
After you have updated it, run a full scan. If Malwarebytes finds any infected items after the scan completes, click on "remove selected".
If the program asks you to restart your computer, please do so.
Then post back a log from Malwarebytes.
It is not possible to divide anything by zero

brookscb

  • Guest
Re: Win32 Viruses found on my computer
« Reply #11 on: August 31, 2009, 04:15:23 AM »
Only three seconds into my scan, I got the following message:

Run-time error '5':
Invalid procedure call or argument

I tried running it again, and I got the same message.


Offline mathboyx215

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 449
Re: Win32 Viruses found on my computer
« Reply #12 on: August 31, 2009, 04:19:39 AM »
Only three seconds into my scan, I got the following message:

Run-time error '5':
Invalid procedure call or argument

I tried running it again, and I got the same message.


Can you reinstall Malwarebytes and this time rename mbam.exe to something like toy.exe or xxx.exe?
This time, run a quick scan instead of a full scan.

brookscb

  • Guest
Re: Win32 Viruses found on my computer
« Reply #13 on: August 31, 2009, 04:36:18 AM »
I renamed the exe setup file, but got the same error message after trying to scan.

Offline mathboyx215

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 449
Re: Win32 Viruses found on my computer
« Reply #14 on: August 31, 2009, 05:05:16 AM »
Could you try to run Malwarebytes in Safe Mode?