Windows Update (error number: 0x8024D007) is not working, along with Internet Explorer ("The requested lookup key was not found in any active activation context"). MBAM keeps detecting hijack.windowsupdates.
Note: If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode. You can also try renaming it, since some malware blocks GMER.
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/04 14:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0646bcc
#: 031 Function Name: NtConnectPort Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf06461aa
#: 037 Function Name: NtCreateFile Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0646832
#: 041 Function Name: NtCreateKey Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064734c
#: 046 Function Name: NtCreatePort Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064608c
#: 050 Function Name: NtCreateSection Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064805c
#: 052 Function Name: NtCreateSymbolicLinkObject Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf06482f4
#: 053 Function Name: NtCreateThread Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0645c52
#: 063 Function Name: NtDeleteKey Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0646fb6
#: 065 Function Name: NtDeleteValueKey Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0647166
#: 068 Function Name: NtDuplicateObject Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0645a84
#: 097 Function Name: NtLoadDriver Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0647cde
#: 105 Function Name: NtMakeTemporaryObject Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064642e
#: 116 Function Name: NtOpenFile Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0646a0e
#: 122 Function Name: NtOpenProcess Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf06457b4
#: 125 Function Name: NtOpenSection Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf06466be
#: 128 Function Name: NtOpenThread Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064592c
#: 192 Function Name: NtRenameKey Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0647712
#: 200 Function Name: NtRequestWaitReplyPort Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064863a
#: 210 Function Name: NtSecureConnectPort Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0647a7a
#: 237 Function Name: NtSetSecurityObject Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0646db2
#: 240 Function Name: NtSetSystemInformation Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0647e8c
#: 247 Function Name: NtSetValueKey Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0647512
#: 249 Function Name: NtShutdownSystem Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf06463c8
#: 255 Function Name: NtSystemDebugControl Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf06465b2
#: 257 Function Name: NtTerminateProcess Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0645f56
#: 258 Function Name: NtTerminateThread Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0645e24
Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064a352
#: 122 Function Name: NtGdiDeleteObjectApp Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064aa76
#: 227 Function Name: NtGdiMaskBlt Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064a486
#: 233 Function Name: NtGdiOpenDCW Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064a936
#: 237 Function Name: NtGdiPlgBlt Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064a5c6
#: 292 Function Name: NtGdiStretchBlt Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064a6fa
#: 310 Function Name: NtUserBlockInput Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064a1d2
#: 319 Function Name: NtUserCallHwndParamLock Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0649424
#: 383 Function Name: NtUserGetAsyncKeyState Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0649ea2
#: 389 Function Name: NtUserGetClipboardData Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064a834
#: 414 Function Name: NtUserGetKeyboardState Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0649c10
#: 416 Function Name: NtUserGetKeyState Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0649d52
#: 460 Function Name: NtUserMessageCall Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf06498f4
#: 465 Function Name: NtUserMoveWindow Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064915c
#: 475 Function Name: NtUserPostMessage Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf06495a6
#: 476 Function Name: NtUserPostThreadMessage Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0649752
#: 491 Function Name: NtUserRegisterRawInputDevices Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0649ff2
#: 502 Function Name: NtUserSendInput Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf0649ab6
#: 509 Function Name: NtUserSetClipboardViewer Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064a0e8
#: 529 Function Name: NtUserSetParent Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf06492cc
#: 549 Function Name: NtUserSetWindowsHookEx Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064aadc
#: 552 Function Name: NtUserSetWinEventHook Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf064ad10
Download Dr.Web CureIt to the desktop: ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
Double-click the launch.exe or cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory. When something is found and it asks whether you want to cure it, click the Yes button. This is only a short scan.
Once the short scan has finished, just let it cure whatever it finds...
o Now, go to Settings >> Change Settings
o Go to the Actions tab >> under the Objects section, change the settings to the below:
  Infected objects - Cure
  Incurable objects - Report
  Suspicious objects - Report
o Don't change any other settings
Start the scan again. This time, choose Complete Scan
Click the green arrow button at the right, and the scan will start.
After the scan has finished, click Select all
Click on Cure and choose Report incurable (this means take no action: don't "move", "rename" or "delete")
When the scan has finished, in the menu, click File and choose Save report list
Save the report to your Desktop. The report will be called DrWeb.csv
Post DrWeb.csv in your next reply (open it in Notepad). Do NOT reboot the computer yet.
Click Run Scan and let the program run uninterrupted
It will produce two logs for you: one will pop up called OTViewIt.txt, the other will be saved on your desktop and called Extras.txt. Just post OTViewIt.txt; I don't need to see Extras.txt.
You may need to use more than one post to get it all on the forum.
Please download SysProt AntiRootkit v1.0.1.0 by Swatkat
Next, run the file. *Note: If running Vista, right-click and select Run as administrator.
Once opened, navigate to the Log tab, select all the areas (including the "hidden objects only" box) and click on the Create Log button.
A scan will start and then a window will pop up with two options; select Scan all drives.
Once finished, it will give you the location where the log was saved (usually the desktop). Navigate to that place, open the log, and post all of its contents back here.
******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
No IRP Hooks found