Browser Hijacked

I just made an interesting discovery. I have it so that when I get on the internet, a popup box asks me if I want to run scripts. If I say yes, the search links problem is there. This time I clicked no to scripts, and the search links came out ok.

I also have it prompt on ActiveX plugins, but I usually say no to them unless I know the site.

What can be made of this info???

Thanks,

Tim

Hi

 

Remember also that the Malware infections showing in your Hijackthis log did not all belong to the same Malware.

 

The fact that blocking the JavaScript files from the Yahoo website or temp.... folders fixes the problem:

 

1. Could mean you have a bad .js file in your temporary folders that clicking No stops from loading. Try CCleaner to clean the folders.

 

2. Yahoo has a bad .js that is blocked when you click No, so the file stops loading.

 

You could try the likes of SDFix to see if it finds anything.

 

Use the instructions at http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=23740

 

Quads 

Where do I get CCleaner
Thanks,
Tim

Message Edited by willy800 on 01-25-2009 05:30 PM

CCleaner http://www.ccleaner.com/

 

 

Quads 

I went back over this topic, and I possibly have a dumb question.

I see in other people's scans they have some "HOSTS" entries show up.

Why don't I have any of those? I seem to remember doing something with a hosts file; it had to do with my home automation software, Homeseer, but that was long ago and I can't remember now even where it is.

 

Thanks,

Tim

Hi

 

The reason you don't have HOSTS entries showing up is that, more than likely, you have a different infection or a variation of something that is not the same as someone else's, but it can still show similar symptoms.

 

You can look at the HOSTS file manually with Notepad, or use this program to alter the existing HOSTS file or create a new one.

http://www.funkytoad.com/index.php?option=com_content&task=view&id=13

 

 

As I am not at the PC physically cleaning it, it is hard through the forum. If that fails, you may have to do what this person did further up the thread.

http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=31472#M31472

 

Quads 

Ok, I looked around and I find no hosts file. Even used search. Only one found was in drivers folder, and it had an extension I have never seen before.

Thanks,

Tim


willy800 wrote:

Ok, I looked around and I find no hosts file. Even used search. Only one found was in drivers folder, and it had an extension I have never seen before.

Thanks,

Tim


OK, use the Hostxpert link in my last post and you can create a new one. Running the program also finds the file if it exists and opens it.
The "HOSTS" file is in the "drivers/etc" folder and is a hidden file.
Quads
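The two things a cleaner looks for in a HOSTS file are security-vendor domains pointed at the loopback address (which silently breaks updates and scans) and public names pointed at some other address (a redirect). The script below is an added example for this thread, not code from the forum or from the Hostxpert tool. It reads the file from the drivers\etc location Quads names, falls back to a constructed sample when that path does not exist (Tim's "no hosts file" case), and flags both patterns. The vendor watchlist and the "bare LAN names are fine" heuristic are assumptions chosen for the example.

```python
import ipaddress
from pathlib import Path

# Location given in the thread: the drivers\etc folder under the Windows directory.
HOSTS_PATH = Path(r"C:\WINDOWS\system32\drivers\etc\hosts")

# Addresses that mean "send this name nowhere".
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Assumed watchlist of update/security domains, built from tools named in the
# thread (constructed for this example; extend as needed).
VENDOR_SUFFIXES = ("symantec.com", "norton.com", "microsoft.com",
                   "windowsupdate.com", "superantispyware.com", "gmer.net")

# Constructed sample used when the real file is absent.
SAMPLE_HOSTS = """\
# constructed sample hosts file for this example
127.0.0.1       localhost
192.168.1.50    homeseer            # legitimate LAN box, bare name
127.0.0.1       liveupdate.symantec.com
127.0.0.1       www.symantec.com
10.0.0.99       www.google.com
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping; comments and blanks skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first token is not an address, so not a hosts mapping
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def _is_vendor(name):
    return any(name == s or name.endswith("." + s) for s in VENDOR_SUFFIXES)


def suspicious_entries(entries):
    """Return (reason, hostname, ip, line_no) for the two hijack patterns."""
    findings = []
    for ip, name, line_no in entries:
        if name == "localhost":
            continue
        if ip in SINKHOLE_IPS and _is_vendor(name):
            findings.append(("vendor domain sinkholed", name, ip, line_no))
        elif ip not in SINKHOLE_IPS and "." in name:
            # A dotted, public-looking name aimed at a real address is the classic
            # redirect; bare LAN names such as "homeseer" are left alone.
            findings.append(("public name redirected", name, ip, line_no))
    return findings


def scan_file(path=HOSTS_PATH):
    """Scan the real HOSTS file; None means the file does not exist."""
    if not path.exists():
        return None
    return suspicious_entries(parse_hosts(path.read_text(errors="replace")))


if __name__ == "__main__":
    result = scan_file()
    if result is None:
        print("no HOSTS file at", HOSTS_PATH, "- scanning the constructed sample")
        result = suspicious_entries(parse_hosts(SAMPLE_HOSTS))
    for reason, name, ip, line_no in result:
        print(f"line {line_no}: {name} -> {ip} ({reason})")
```

On the constructed sample the scan reports the two sinkholed Symantec names and the google redirect, and leaves the bare "homeseer" LAN entry alone, which is the kind of legitimate leftover Tim describes from his home-automation setup.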

 

Hello,

 

I believe my browser has been hijacked. Also, when I run a full scan in NIS it scans fewer than 5000 files, so I think something is attacking it as well. I've run other antivirus programs suggested in the forums with no success. I've posted my HijackThis file below. Can anyone help me?

 

Regards

 

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:58 PM, on 6/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://downloads.yahoo.com/internetexplorer/welcome.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {1689C480-0C4E-55E7-17C5-26A0218DFF9A} - C:\WINDOWS\system32\jya.dll (file missing)
O2 - BHO: (no name) - {1689C4F6-0C4B-5297-17B5-57A0218AFF9A} - C:\WINDOWS\system32\jya.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: (no name) - {69893858-E137-7A97-8452-105504862F4B} - C:\WINDOWS\System32\qbnyk.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {7CE4C60B-0593-0C3C-986C-79B5132F93CE} - C:\WINDOWS\system32\rwzjjhm.dll (file missing)
O2 - BHO: (no name) - {7CE4C67D-0596-0B4C-981C-08B5132893CE} - C:\WINDOWS\system32\rwzjjhm.dll (file missing)
O2 - BHO: CACABHO Object - {93C69D87-A11D-4FFC-BC56-BE7EE0D235BA} - C:\Program Files\ACASystems\ACACapturePro\scap003p.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B68608A9-CD4B-C39F-16C0-C0D926F95BC0} - C:\WINDOWS\system32\hdklo.dll (file missing)
O2 - BHO: (no name) - {FC871E3A-DFF6-865F-FBDE-F7BD20A94FC6} - C:\WINDOWS\system32\owqoku.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Global Startup: SketchBook Snapshot.lnk = C:\Program Files\Autodesk\SketchBookPro2010\SketchBookSnapshot.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Launch ACA Capture Pro - {905A31AA-BDD1-44bd-9920-53D34E5953A4} - C:\Program Files\ACASystems\ACACapturePro\SCapPro.exe
O9 - Extra button: (no name) - {9543741D-4E79-4f0d-8E60-A702CDF8B2D2} - C:\Program Files\ACASystems\ACACapturePro\SCapPro.exe
O9 - Extra 'Tools' menuitem: Launch ACA Capture Pro - {9543741D-4E79-4f0d-8E60-A702CDF8B2D2} - C:\Program Files\ACASystems\ACACapturePro\SCapPro.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.0.6.5.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidctl_vsp.closetmaid.com_downloader.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 12149 bytes

 

 

As delphinium stated, please uninstall Spybot (at least for now); it will interfere with the cleanings to follow.

 

Then load HijackThis, run a scan and check the following:

 

O2 - BHO: (no name) - {1689C480-0C4E-55E7-17C5-26A0218DFF9A} - C:\WINDOWS\system32\jya.dll (file missing)
O2 - BHO: (no name) - {1689C4F6-0C4B-5297-17B5-57A0218AFF9A} - C:\WINDOWS\system32\jya.dll (file missing)
O2 - BHO: (no name) - {69893858-E137-7A97-8452-105504862F4B} - C:\WINDOWS\System32\qbnyk.dll (file missing)
\rwzjjhm.dll (file missing)
O2 - BHO: (no name) - {7CE4C67D-0596-0B4C-981C-08B5132893CE} - C:\WINDOWS\system32\rwzjjhm.dll (file missing)
O2 - BHO: (no name) - {B68608A9-CD4B-C39F-16C0-C0D926F95BC0} - C:\WINDOWS\system32\hdklo.dll (file missing)
O2 - BHO: (no name) - {FC871E3A-DFF6-865F-FBDE-F7BD20A94FC6} - C:\WINDOWS\system32\owqoku.dll (file missing)

 

 

After checking the above in HJT, click on Fix checked. Reboot your system and check if SUPERAntiSpyware scans after this. Save the log file from SAS's scan and post that here. There may be some more to come. Thanks.

Message Edited by dbrisendine on 06-27-2009 03:36 PM
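What dbrisendine picked out by eye from the log above is the pattern of O2/O3 entries with no display name whose registered DLL no longer exists on disk, several CLSIDs pointing at the same missing file. The script below is an added example for this thread, not part of HijackThis or of the forum post; it parses O2/O3 lines, flags those two conditions and groups the hits by file. The sample log is a handful of lines taken from joenati's posted log.

```python
import re
from collections import defaultdict

# Shape of an O2/O3 line: "O2 - BHO: <name> - {<CLSID>} - <path>"
ENTRY_RE = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"
)

# Lines copied from the HijackThis log posted in the thread (two clean entries,
# one clean toolbar, three orphans).
SAMPLE_HJT = r"""
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {1689C480-0C4E-55E7-17C5-26A0218DFF9A} - C:\WINDOWS\system32\jya.dll (file missing)
O2 - BHO: (no name) - {1689C4F6-0C4B-5297-17B5-57A0218AFF9A} - C:\WINDOWS\system32\jya.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {69893858-E137-7A97-8452-105504862F4B} - C:\WINDOWS\System32\qbnyk.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
"""


def parse_bho_entries(log_text):
    """Return one dict per O2/O3 line (section, kind, name, clsid, path)."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def flag_entries(entries):
    """Return (clsid, path, reasons) for entries that look orphaned or unnamed."""
    findings = []
    for e in entries:
        reasons = []
        if e["name"] == "(no name)":
            reasons.append("no display name")
        if e["path"].endswith("(file missing)"):
            reasons.append("registered DLL is missing on disk")
        if reasons:
            findings.append((e["clsid"], e["path"], reasons))
    return findings


def group_by_file(findings):
    """Map each flagged DLL path (without the '(file missing)' tag) to its CLSIDs."""
    groups = defaultdict(list)
    for clsid, path, _ in findings:
        groups[path.replace(" (file missing)", "")].append(clsid)
    return dict(groups)


if __name__ == "__main__":
    hits = flag_entries(parse_bho_entries(SAMPLE_HJT))
    for dll, clsids in group_by_file(hits).items():
        print(f"{dll}: {len(clsids)} CLSID(s) -> {', '.join(clsids)}")
```

A missing DLL that is still registered is only a leftover, which is why the fix here is to remove the registration in HJT; the point of grouping is that two CLSIDs for the same random-looking file name is a stronger signal than either entry alone.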

Thank you both for your response!

 

delphinium, I am running NIS 2008 version 15.5.0.23. I don't believe it is corporate.

 

dbrisendine, I've followed all of your steps. Below is the log from SAS's scan.

 

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/27/2009 at 09:54 PM

Application Version : 4.26.1006

Core Rules Database Version : 3952
Trace Rules Database Version: 1894

Scan type       : Complete Scan
Total Scan Time : 01:21:44

Memory items scanned      : 477
Memory threats detected   : 0
Registry items scanned    : 6068
Registry threats detected : 0
File items scanned        : 36096
File threats detected     : 8

Adware.Tracking Cookie
    C:\Documents and Settings\Niccola\Cookies\niccola@tacoda[2].txt
    C:\Documents and Settings\Niccola\Cookies\niccola@atdmt[2].txt
    C:\Documents and Settings\Niccola\Cookies\niccola@at.atwola[2].txt
    C:\Documents and Settings\Niccola\Cookies\niccola@casalemedia[1].txt
    C:\Documents and Settings\Niccola\Cookies\niccola@doubleclick[1].txt
    C:\Documents and Settings\Niccola\Cookies\niccola@questionmarket[2].txt
    C:\Documents and Settings\Niccola\Cookies\niccola@advertising[2].txt
    C:\Documents and Settings\Niccola\Cookies\niccola@adinterax[2].txt

Hi Joenati:

 

That does look like an improvement.  Did you allow SAS to delete the tracking cookies?  Once done, you should disable your system restore in case any copies of the files have been stored there.  Update your Norton, which is not corporate, the Lue. confused me, and run a full scan.  If Norton can scan normally, you should be good to go.

 

Consider updating to 2009, as it is a free upgrade; it runs a quick scan two to three times a day, gets pulse updates every 10-20 minutes as available, and does all the work for you during idle time. It's a win/win program.

 

 

joenati -

 

How is your system and browser acting now?  No more hijacking?

 

There is one more thing that needs looking into.  Do you by any chance work with a Novell Netware network anywhere?

Thanks again for your responses.

 

I deleted the tracking cookies and installed NIS 2009. Unfortunately the full scan only looked at around 5000 files, way less than it did before. I also still have the hijacking problem with my browser. I am not familiar with a Novell Netware network. Is there a next step?

 

Thanks!

 

 

Joenati,

 

I believe you have a rootkit active... please download and run a GMER scan (ONLY A SCAN, NOTHING ELSE) and attach it here for us to look at. (ATTACH is just below the POST button.)

 

http://www.gmer.net/

 

Matt

Matt,

 

I tried running GMER but it crashed my machine before I could get the log.  I was able to get the information below with a quick scan. I'm assuming I have skynet as well.

 

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-28 20:20:22
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code            8A0D7E08                                                          ZwEnumerateKey
Code            8A0D32D0                                                          ZwFlushInstructionCache
Code            8A0D7DCE                                                          IofCallDriver
Code            8A0D7D96                                                          IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Fastfat \Fat                                          fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \Driver\Tcpip \Device\Ip                                          SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                         SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Udp                                         SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                       SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Services - GMER 1.0.15 ----

Service         C:\WINDOWS\system32\drivers\SKYNETnmhoymuj.sys (*** hidden *** )  [SYSTEM] SKYNETtakmkkjy                                                  <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

 

Joe
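The quick-scan output above carries the two markers that make Matt's rootkit call: "Code" lines in the System section, which GMER emits for kernel functions whose code it found modified, and a service whose driver is flagged "*** hidden ***" from the normal service listing. The parser below is an added example for this thread (not GMER's code or anything from the forum); it reads those two sections from the log Joe posted, embedded here as the sample, and returns the hooked function names and the hidden service so the verdict is a computed value rather than an eyeballed one.

```python
import re

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
CODE_RE = re.compile(r"^Code\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<func>\S+)")
HIDDEN_SVC_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+"
    r"\[(?P<start>[^\]]+)\]\s+(?P<name>\S+)"
)

# The GMER quick-scan log posted in the thread (sample input for this example).
SAMPLE_GMER = r"""
---- System - GMER 1.0.15 ----

Code            8A0D7E08                                                          ZwEnumerateKey
Code            8A0D32D0                                                          ZwFlushInstructionCache
Code            8A0D7DCE                                                          IofCallDriver
Code            8A0D7D96                                                          IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Tcp                                         SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Services - GMER 1.0.15 ----

Service         C:\WINDOWS\system32\drivers\SKYNETnmhoymuj.sys (*** hidden *** )  [SYSTEM] SKYNETtakmkkjy                                                  <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""


def parse_gmer(text):
    """Collect (function, address) hooks from System and hidden services from Services."""
    report = {"hooked_functions": [], "hidden_services": []}
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")  # "System", "Devices", "Services", "EOF"
            continue
        if section == "System":
            m = CODE_RE.match(line)
            if m:
                report["hooked_functions"].append((m.group("func"), m.group("addr")))
        elif section == "Services":
            m = HIDDEN_SVC_RE.match(line)
            if m:
                report["hidden_services"].append(
                    (m.group("name"), m.group("path"), m.group("start"))
                )
    return report


def rootkit_indicated(report):
    """A hidden service is decisive; modified kernel code alone is a strong hint."""
    return bool(report["hidden_services"]) or bool(report["hooked_functions"])


if __name__ == "__main__":
    r = parse_gmer(SAMPLE_GMER)
    for func, addr in r["hooked_functions"]:
        print(f"modified kernel code: {func} at {addr}")
    for name, path, start in r["hidden_services"]:
        print(f"hidden service {name} ({start}) -> {path}")
    print("rootkit indicated:", rootkit_indicated(r))
```

Hooks on IofCallDriver and IofCompleteRequest, which sit on the I/O path every file and disk request passes through, are consistent with the symptom joenati reports of a full scan stopping at a few thousand files; the hidden service line names the driver a cleanup would have to deal with.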

Hi

 

Please try to do a full GMER scan in Safe Mode, as in Normal Mode it is unsuccessful.

 

Quads 

Quads,

 

Unfortunately, the full GMER scan was unsuccessful in safe mode. Is there anything else I can try?

 

Thanks

hmmmmm

 

OK, let's see if we split the scan.

 

In GMER, when it starts up, you will see a list of boxes, all ticked.

 

Untick them all, tick "Modules", "Libraries" and "Services", do a scan and get the log.

 

Then untick them and tick "Services", "Registry" and "Files", do a scan and get the log.

 

I will piece the 2 logs together.

 

Quads 

Quads,

 

That worked! I've attached the two log files.

 

Thanks