Win32 Viruses found on my computer

Hi everyone,

My computer was recently infected with a nasty virus, and I stumbled across this site in my search for advice to correct the problem. I’m following Tech’s eight-step process (I’ve cleaned temp files, ran avast!, ran SUPERantispyware, and ran avast! antirootkit). avast! and SUPERantispyware spotted viruses and trojans which I moved to the chest, but my computer is still acting funny (background of desktop looks different, task manager doesn’t work, system restore is messed up). The avast! antirootkit found hidden files, but I’m not sure what to do with these:

Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
] HIDDEN
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
] DisplayName=“륳瞒” HIDDEN
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
] DeviceDesc=“륳瞒” HIDDEN
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
] ProviderName=“⟼粐⡬” HIDDEN
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
] MFG=“솿᠃Ҩ” HIDDEN
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
] ReinstallString=“.10.1000.4” HIDDEN
Registry item [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\D
] DeviceInstanceIds=“d:\swsetup\video\sbdrv\smbus\smbusati.inf” HIDDEN

I also created a Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:02 PM, on 8/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\hphmon04.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Colin\Local Settings\Temporary Internet Files\Content.IE5\M03Z0TRM\aswar[1].exe
C:\DOCUME~1\Colin\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net?cid=NET_mmhpset
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe”
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM..\Run: [HPHmon04] C:\WINDOWS\system32\hphmon04.exe
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [Universal Installer] “C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe” /fromrun /starthidden
O4 - HKCU..\Run: [Desktop Software] “C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe” /ini “uinstaller.ini” /fromrun /starthidden
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196632822328
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://vpn.iasishealthcare.com/dana-cached/setup/JuniperSetupSP1.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\shared\hpqwmi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\system32\HPHipm11.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 9137 bytes

Anyone know where I go from here? Thanks in advance!!

You could post the names and locations of any infections found, or better, post the last log results of Avast and SUPERantispyware.

Is there an easy way to post these log results? I’ve opened the virus chest in avast! but it won’t let me simply copy and paste the list of infected files.

I think I figured out how to convert the log to text. Here is a listing of “warnings” found by avast! since I was first infected on 8/11/09. I’ll try to figure out how to post my SUPERantispyware log next.

8/11/2009 9:31:13 PM Colin 3496 Sign of “Win32:VunDrop [Drp]” has been found in “c:\windows\system32\winhelper.dll” file.
8/12/2009 8:19:44 PM SYSTEM 596 Sign of “Win32:Alureon-CM [Rtk]” has been found in “C:\WINDOWS\SYSTEM32\SKYNETJTIDMTAG.DLL” file.
8/16/2009 6:27:58 PM Colin 644 Sign of “Win32:Alureon-CM [Rtk]” has been found in “c:\windows\system32\drivers\skynetfofbtowq.sys” file.
8/16/2009 10:01:31 PM SYSTEM 580 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\winupdate.exe” file.
8/16/2009 10:02:50 PM SYSTEM 580 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\winupdate.exe” file.
8/16/2009 10:15:51 PM SYSTEM 580 Sign of “Win32:Alureon-CM [Rtk]” has been found in “C:\Documents and Settings\Colin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-16-2009 - 22-15-50{0103B648-35C9-4F85-988C-871D07EB37A4}” file.
8/16/2009 10:16:13 PM SYSTEM 580 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Colin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-16-2009 - 22-15-50{50085654-FE5F-4887-8DA1-BB0C337CCDBC}” file.
8/16/2009 10:16:19 PM SYSTEM 580 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Colin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-16-2009 - 22-15-50{A970F8E9-629D-4C31-8B31-9FE22172A5C1}” file.
8/16/2009 10:16:23 PM SYSTEM 580 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Colin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-16-2009 - 22-15-50{8B86EB46-8118-4954-A178-2F33DB5D1699}” file.
8/16/2009 10:18:54 PM Colin 1784 Sign of “Win32:Spyware-gen [Trj]” has been found in “C:\WINDOWS\system32\logon.exe” file.
8/16/2009 10:40:15 PM Colin 1784 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\SYSTEM VOLUME INFORMATION_RESTORE{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP309\A0041001.EXE” file.
8/16/2009 10:56:01 PM Colin 1784 Sign of “Win32:Alureon-CM [Rtk]” has been found in “C:\SYSTEM VOLUME INFORMATION_RESTORE{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP310\A0041173.DLL” file.
8/16/2009 10:56:12 PM Colin 1784 Sign of “Win32:Alureon-CM [Rtk]” has been found in “C:\SYSTEM VOLUME INFORMATION_RESTORE{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP310\A0041191.SYS” file.
8/16/2009 11:21:12 PM Colin 1784 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Colin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-16-2009 - 23-21-12{17059B1A-4B40-4B56-8B7F-D2BE508FC7F9}” file.
8/16/2009 11:21:16 PM Colin 1784 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Colin\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 08-16-2009 - 23-21-12{F9E45740-2B82-4DD1-BC47-34783DA69DFE}” file.
8/26/2009 7:11:48 PM SYSTEM 616 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\SYSTEM VOLUME INFORMATION_RESTORE{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP309\A0041001.EXE” file.
8/26/2009 7:13:01 PM SYSTEM 616 Sign of “Win32:Alureon-CM [Rtk]” has been found in “C:\SYSTEM VOLUME INFORMATION_RESTORE{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP310\A0041173.DLL” file.
8/26/2009 7:13:28 PM SYSTEM 616 Sign of “Win32:Alureon-CM [Rtk]” has been found in “C:\SYSTEM VOLUME INFORMATION_RESTORE{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP310\A0041191.SYS” file.
8/26/2009 7:13:52 PM SYSTEM 616 Sign of “Win32:Alureon-CM [Rtk]” has been found in “C:\SYSTEM VOLUME INFORMATION_RESTORE{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP312\A0042209.DLL” file.
8/26/2009 7:13:58 PM SYSTEM 616 Sign of “Win32:Spyware-gen [Trj]” has been found in “C:\SYSTEM VOLUME INFORMATION_RESTORE{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP312\A0042226.EXE” file.
8/26/2009 7:56:34 PM Colin 2924 Sign of “Other:Malware-gen” has been found in “C:\Documents and Settings\Colin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-667690a1.zip\vmain.class” file.
8/26/2009 8:22:00 PM Colin 2924 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\System Volume Information_restore{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP309\A0041001.exe” file.
8/26/2009 8:22:30 PM Colin 2924 Sign of “Win32:Alureon-CM [Rtk]” has been found in “C:\System Volume Information_restore{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP310\A0041173.dll” file.
8/26/2009 8:22:34 PM Colin 2924 Sign of “Win32:Alureon-CM [Rtk]” has been found in “C:\System Volume Information_restore{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP310\A0041191.sys” file.
8/26/2009 8:22:44 PM Colin 2924 Sign of “Win32:Alureon-CM [Rtk]” has been found in “C:\System Volume Information_restore{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP312\A0042209.dll” file.
8/26/2009 8:22:47 PM Colin 2924 Sign of “Win32:Spyware-gen [Trj]” has been found in “C:\System Volume Information_restore{4F0E0057-31F7-4576-86AF-A1A85966D9B3}\RP312\A0042226.exe” file.
8/26/2009 8:41:26 PM Colin 2924 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KP6BS1U7\ftp[1].exe” file.
8/26/2009 8:42:21 PM Colin 2924 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KP6BS1U7\install[1].exe” file.
8/26/2009 8:43:14 PM Colin 2924 Sign of “Win32:Spyware-gen [Trj]” has been found in “C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W5Y3CPU7\main[1].exe” file.
8/26/2009 8:46:15 PM Colin 2924 Sign of “Win32:Rootkit-gen [Rtk]” has been found in “C:\WINDOWS\Temp\rdl2C2.tmp.exe” file.

Here is my original log from SUPERantispyware, which I ran on 8/16/09. My recent scans have only found tracking cookies.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/16/2009 at 10:15 PM

Application Version : 4.27.1002

Core Rules Database Version : 4058
Trace Rules Database Version: 1998

Scan type : Quick Scan
Total Scan Time : 00:10:46

Memory items scanned : 494
Memory threats detected : 1
Registry items scanned : 420
Registry threats detected : 24
File items scanned : 4894
File threats detected : 54

Trojan.WinUpdate
C:\WINDOWS\SYSTEM32\WINUPDATE.EXE
C:\WINDOWS\SYSTEM32\WINUPDATE.EXE
C:\WINDOWS\Prefetch\WINUPDATE.EXE-0F50C4F5.pf

Trojan.Agent/Gen
[Wallpaper] C:\WINDOWS\SYSTEM32\CRITICAL_WARNING.HTML
C:\WINDOWS\SYSTEM32\CRITICAL_WARNING.HTML
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds
C:\WINDOWS\system32\lowsec\user.ds.lll
C:\WINDOWS\system32\lowsec

Adware.Tracking Cookie
C:\Documents and Settings\Colin\Cookies\colin@shopica[2].txt
C:\Documents and Settings\Colin\Cookies\colin@cdn4.specificclick[2].txt
C:\Documents and Settings\Colin\Cookies\colin@at.atwola[1].txt
C:\Documents and Settings\Colin\Cookies\colin@2o7[2].txt
C:\Documents and Settings\Colin\Cookies\colin@media.adfrontiers[1].txt
C:\Documents and Settings\Colin\Cookies\colin@toseeka[1].txt
C:\Documents and Settings\Colin\Cookies\colin@bs.serving-sys[2].txt
C:\Documents and Settings\Colin\Cookies\colin@collective-media[1].txt
C:\Documents and Settings\Colin\Cookies\colin@atdmt[1].txt
C:\Documents and Settings\Colin\Cookies\colin@tacoda[1].txt
C:\Documents and Settings\Colin\Cookies\colin@advertising[1].txt
C:\Documents and Settings\Colin\Cookies\colin@richmedia.yahoo[1].txt
C:\Documents and Settings\Colin\Cookies\colin@ads.belointeractive[2].txt
C:\Documents and Settings\Colin\Cookies\colin@specificmedia[1].txt
C:\Documents and Settings\Colin\Cookies\colin@apmebf[1].txt
C:\Documents and Settings\Colin\Cookies\colin@serving-sys[1].txt
C:\Documents and Settings\Colin\Cookies\colin@mediaplex[2].txt
C:\Documents and Settings\Colin\Cookies\colin@statcounter[2].txt
C:\Documents and Settings\Colin\Cookies\colin@adbrite[1].txt
C:\Documents and Settings\Colin\Cookies\colin@www.toseeka[2].txt
C:\Documents and Settings\Colin\Cookies\colin@pro-market[1].txt
C:\Documents and Settings\Colin\Cookies\colin@burstnet[1].txt
C:\Documents and Settings\Colin\Cookies\colin@ads.pointroll[2].txt
C:\Documents and Settings\Colin\Cookies\colin@ad.yieldmanager[2].txt
C:\Documents and Settings\Colin\Cookies\colin@revsci[2].txt
C:\Documents and Settings\Colin\Cookies\colin@burstbeacon[1].txt
C:\Documents and Settings\Colin\Cookies\colin@atwola[2].txt
C:\Documents and Settings\Colin\Cookies\colin@media6degrees[1].txt
C:\Documents and Settings\Colin\Cookies\colin@www.burstnet[1].txt
C:\Documents and Settings\Colin\Cookies\colin@zedo[2].txt
C:\Documents and Settings\Colin\Cookies\colin@ads.undertone[2].txt
C:\Documents and Settings\Colin\Cookies\colin@casalemedia[2].txt
C:\Documents and Settings\Colin\Cookies\colin@yieldmanager[1].txt
C:\Documents and Settings\Colin\Cookies\colin@www.burstbeacon[1].txt
C:\Documents and Settings\Colin\Cookies\colin@avgtechnologies.112.2o7[1].txt
C:\Documents and Settings\Colin\Cookies\colin@insightexpressai[2].txt
C:\Documents and Settings\Colin\Cookies\colin@specificclick[2].txt
C:\Documents and Settings\Colin\Cookies\colin@overture[1].txt
C:\Documents and Settings\Colin\Cookies\colin@statse.webtrendslive[1].txt
C:\Documents and Settings\Colin\Cookies\colin@doubleclick[1].txt
C:\Documents and Settings\Colin\Cookies\colin@intermundomedia[2].txt

Rootkit.Agent/Gen
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS#start
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS#type
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS#group
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS#imagepath
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\main
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\main#aid
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\main#sid
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\main#cmddelay
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\main\injector
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\main\injector#*
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\main\tasks
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\modules
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\modules#SKYNETrk.sys
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\modules#SKYNETcmd.dll
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\modules#SKYNETlog.dat
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\modules#SKYNETwsp.dll
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\modules#SKYNET.dat
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\Enum
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\Enum#0
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\Enum#Count
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\Enum#NextInstance
HKLM\System\CURRENTCONTROLSET\SERVICES\SKYNETMHXRSVLS\Enum#INITSTARTFAILED

Rootkit.Agent/Gen-Skynet
C:\WINDOWS\SYSTEM32\SKYNETWQWMNRER.DAT
C:\WINDOWS\SYSTEM32\SKYNETXMOXCPBA.DAT
C:\WINDOWS\SYSTEM32\SKYNETPQBKSCJX.DLL

Trojan.Agent/Gen-FakeAV[DNS]
C:\WINDOWS\SYSTEM32\TRZ2CD.TMP
C:\WINDOWS\TEMP\RDL2C1.TMP.EXE
C:\WINDOWS\TEMP_AVAST4_\UNP66092725.TMP

Hi. Apparently you are infected with the Skynet rootkit. Can you please download RootRepeal from the following link:
http://ad13.geekstogo.com/RootRepeal.zip
After you have downloaded it, double-click to run it. Then run a scan.
After the scan is complete, click on “save report” and save the log where you can find it easily. Then copy and paste the content of the log and post it here.

mathboyx215, thanks for your response - Here is my rootrepeal log:

ROOTREPEAL (c) AD, 2007-2009

Scan Start Time: 2009/08/30 20:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3

Drivers

Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xF75F2000 Size: 57344 File Visible: - Signed: -
Status: -

Name: Aavmker4.SYS
Image Path: C:\WINDOWS\System32\Drivers\Aavmker4.SYS
Address: 0xF7992000 Size: 19072 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF74A3000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: -
Status: -

Name: ACPIEC.sys
Image Path: ACPIEC.sys
Address: 0xF79EE000 Size: 11648 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xEEA09000 Size: 138496 File Visible: - Signed: -
Status: -

Name: AmdK8.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AmdK8.sys
Address: 0xF7652000 Size: 57344 File Visible: - Signed: -
Status: -

Name: arp1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Address: 0xF7812000 Size: 60800 File Visible: - Signed: -
Status: -

Name: aswArKrn.sys
Image Path: C:\DOCUME~1\Colin\LOCALS~1\Temp\aswArKrn.sys
Address: 0xF79AA000 Size: 21888 File Visible: No Signed: -
Status: -

Name: aswFsBlk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys
Address: 0xF78B2000 Size: 32768 File Visible: - Signed: -
Status: -

Name: aswMon2.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswMon2.SYS
Address: 0xEC322000 Size: 87424 File Visible: - Signed: -
Status: -

Name: aswRdr.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswRdr.SYS
Address: 0xEBD08000 Size: 15136 File Visible: - Signed: -
Status: -

Name: aswSP.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswSP.SYS
Address: 0xEE900000 Size: 135168 File Visible: - Signed: -
Status: -

Name: aswTdi.SYS
Image Path: C:\WINDOWS\System32\Drivers\aswTdi.SYS
Address: 0xF77B2000 Size: 41664 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF743D000 Size: 96512 File Visible: - Signed: -
Status: -

Name: ati2cqag.dll
Image Path: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBFA14000 Size: 233472 File Visible: - Signed: -
Status: -

Name: ati2dvag.dll
Image Path: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF9D5000 Size: 258048 File Visible: - Signed: -
Status: -

Name: ati2mtag.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Address: 0xF715D000 Size: 1400832 File Visible: - Signed: -
Status: -

Name: ati3duag.dll
Image Path: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBFA82000 Size: 2433024 File Visible: - Signed: -
Status: -

Name: atikvmag.dll
Image Path: C:\WINDOWS\System32\atikvmag.dll
Address: 0xBFA4D000 Size: 217088 File Visible: - Signed: -
Status: -

Name: ativvaxx.dll
Image Path: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBFCD4000 Size: 606208 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF7C0F000 Size: 3072 File Visible: - Signed: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xF79EA000 Size: 16384 File Visible: - Signed: -
Status: -

Name: bcmwl5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
Address: 0xF7077000 Size: 376320 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7AF0000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF79E2000 Size: 12288 File Visible: - Signed: -
Status: -

Name: camc6aud.sys
Image Path: C:\WINDOWS\system32\drivers\camc6aud.sys
Address: 0xF76B2000 Size: 38016 File Visible: - Signed: -
Status: -

Name: camc6hal.sys
Image Path: C:\WINDOWS\system32\drivers\camc6hal.sys
Address: 0xF6FD2000 Size: 349312 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xEEB74000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF7672000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF7632000 Size: 53248 File Visible: - Signed: -
Status: -

Name: CmBatt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Address: 0xF7AAE000 Size: 13952 File Visible: - Signed: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xF79E6000 Size: 10240 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF7622000 Size: 36352 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF76C2000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dsNcAdpt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
Address: 0xF76D2000 Size: 40960 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE8C0000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B90000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xEE8F0000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7C3C000 Size: 4096 File Visible: - Signed: -
Status: -

Name: EABFiltr.sys
Image Path: C:\WINDOWS\system32\drivers\EABFiltr.sys
Address: 0xF7AF8000 Size: 7936 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF77F2000 Size: 44544 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF741D000 Size: 129792 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7AEE000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF7455000 Size: 125056 File Visible: - Signed: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys
Address: 0xF7912000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806D0000 Size: 131840 File Visible: - Signed: -
Status: -

Name: HSF_CNXT.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Address: 0xF6DC8000 Size: 718464 File Visible: - Signed: -
Status: -

Name: HSF_DP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
Address: 0xF6E78000 Size: 1035008 File Visible: - Signed: -
Status: -

Name: HSFHWATI.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
Address: 0xF6F75000 Size: 231424 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xEBA27000 Size: 264832 File Visible: - Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys

Could you please download Malwarebytes: http://filehippo.com/download_malwarebytes_anti_malware/
After you have it installed, go to the update tab and click on “check for update”.
After you have updated it, run a full scan. If Malwarebytes finds any infected item after the scan completes, click on “remove selected”.
If the program asks you to restart your computer, please do so.
Then post back a log from Malwarebytes.

Only three seconds into my scan, I got the following message:

Run-time error ‘5’:
Invalid procedure call or argument

I tried running it again, and I got the same message.

Can you reinstall Malwarebytes and this time rename mbam.exe to something like toy.exe or xxx.exe?
This time, run a quick scan instead of a full scan.

I renamed the exe setup file, but got the same error message after trying to scan.

Could you try to run malwarebytes in safe mode?

Unfortunately, the safe mode boot did not work. Now I can’t get Windows to start up successfully. I’ve tried booting in safe mode, safe mode with networking, safe mode with command prompt, last known good configuration, and start up Windows normally. None of these options work. It just brings me back to the same screen, asking how I would like to boot my computer.

About this time I would be looking for my Windows installation CDs before I boot the system over the balcony of my 10th floor apartment.

Googling skynet rootkit and the recovery looks slim.

You could try getting an Avira rescue CD on a non-infected system:
Avira AntiVir Rescue System
http://www.avira.com/en/support/support_downloads.html

If you manage to boot the PC, then follow the instructions below.
The rootkit will be in the files section, not drivers. Run RootRepeal again, click report > scan > tick all boxes > tick C, and post the log: http://forum.avast.com/index.php?topic=47639.msg402995#msg402995

Thanks for all of your responses, but I’m afraid my computer is shot. I still can’t get it to boot. I can’t seem to find my installation CDs either (I must have lost these in my recent move!), so I might be taking it in to a professional. It might be time for a new computer anyways; this thing has crashed three times since I purchased it in 2007.