
[Resolved] Windows Police Pro and Blue Screen of Death


60 replies to this topic

#1 fredII (Authentic Member, 79 posts)

Posted 22 September 2009 - 12:01 AM

Last night I got the WPP malware. Did a search on another computer and got the instructions for removal from bleepingcomputer. At that time, I was able to get into Explorer. Followed the instructions and used a stick to download fixtm.reg and got WPP & svchast temporarily stopped. Got fixexe.reg and followed instructions. Tried to get Malwarebytes to run and it stops it and hjt and others from continuing to run. Now it won't boot all the way and I'm in the BSOD but can access task manager to TRY and run programs. Did successfully run TFC and tried others again but no luck. A number of errors come up when trying to boot that want me to run chkdsk. I can and have but that didn't get rid of the errors. Each time I boot back up I get the error messages and WPP comes back up and I can still go in to task mgr and "stop" it and svchast. I'm really up a creek here and could use your help, got myself good this time. In doing a lot of reading here, I see I have a delself.bat on my Desktop. Tried to delete it and I get blocked (like all the malware softwares); this one says "Cannot delete delself: the file or directory is corrupted and unreadable." Don't know if this is relevant but probably is. Tried safe mode a number of different ways but it won't fully boot up there also. Again, I really need the help and thanks in advance.



#2 Raktor (Teacher Emeritus, 3,114 posts)

Posted 22 September 2009 - 05:39 PM


Hi, welcome to the WTT Forums. My username is Raktor, and I would be glad to help you with your malware issues. I'd be grateful if you would note the following:

  • Absence of symptoms does not always mean the computer is clean
  • Please do not run any scans or fixes without my direction.
  • Finally, stay with this topic until I give you the final 'All clear' post.

Try this tool, if you can get it over to the infected PC and get it to run.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).
Graduate from the WTT Malware Classroom
If you feel I have helped you, please consider a donation.
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#3 fredII (Authentic Member, 79 posts)

Posted 22 September 2009 - 09:39 PM

Don't know if my fast reply went through. Got exeHelper to work in safe mode. Looks like it's working from the txt file.

exeHelper by Raktor - 09 Build 20090919
Run at 20:17:42 on 09/22/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Found file C:\WINDOWS\system32\desot.exe
Deleting file C:\WINDOWS\system32\desot.exe
Found file C:\Program Files\Windows Police Pro\Windows Police Pro.exe
Deleting file C:\Program Files\Windows Police Pro\Windows Police Pro.exe
Found file C:\WINDOWS\system32\dddesot.dll
Deleting file C:\WINDOWS\system32\dddesot.dll
Found file C:\WINDOWS\ppp3.dat
Deleting file C:\WINDOWS\ppp3.dat
Found file C:\WINDOWS\ppp4.dat
Deleting file C:\WINDOWS\ppp4.dat
Found file C:\WINDOWS\system32\sysnet.dat
Deleting file C:\WINDOWS\system32\sysnet.dat
Found file C:\WINDOWS\system32\bincd32.dat
Deleting file C:\WINDOWS\system32\bincd32.dat
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Thank you!! Haven't rebooted yet.
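The last four lines of that exeHelper log name the settings this family of rogue anti-virus tampers with: the .exe and .com file associations, the Winlogon Userinit and Shell values, and the policies that lock out Task Manager and the registry editor. The script below is an added example (not exeHelper's code, whose internals are not shown in the thread) that audits those same values against the stock Windows XP defaults, so you can confirm a reset actually took. It can read the live registry on Windows; the HIJACKED snapshot is constructed to show what a tampered system looks like, and the hypothetical_guard.exe name in it is invented for illustration.

```python
"""Audit the persistence points exeHelper reports resetting.

Added example.  Expected values are the stock Windows XP defaults; the
sample snapshots are constructed, and hypothetical_guard.exe is a made-up
name used only to illustrate a hijacked value.
"""
import sys

# (registry key, value name) -> known-good default.  '"%1" %*' means "run the
# file itself with its arguments"; anything placed in front of it runs first.
EXPECTED = {
    (r"HKCR\exefile\shell\open\command", ""): '"%1" %*',
    (r"HKCR\comfile\shell\open\command", ""): '"%1" %*',
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "Explorer.exe",
}
# Userinit is checked by suffix because the system root varies between installs.
USERINIT_KEY = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit")
# Policy values that should be absent or 0 on a home machine.
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_VALUES = ("DisableTaskMgr", "DisableRegistryTools")


def audit(snapshot):
    """Return a list of deviations for a {(key, value_name): data} snapshot."""
    findings = []
    for kv, expected in EXPECTED.items():
        actual = snapshot.get(kv)
        if actual is None or actual.strip().lower() != expected.lower():
            findings.append(f"{kv[0]}\\{kv[1] or '(Default)'} = {actual!r}, expected {expected!r}")
    userinit = snapshot.get(USERINIT_KEY, "")
    # Stock value is "<systemroot>\system32\userinit.exe," with nothing else appended.
    parts = [p for p in userinit.split(",") if p.strip()]
    if len(parts) != 1 or not parts[0].strip().lower().endswith(r"\system32\userinit.exe"):
        findings.append(f"Winlogon\\Userinit = {userinit!r}, expected a lone userinit.exe entry")
    for name in POLICY_VALUES:
        val = snapshot.get((POLICY_KEY, name), 0)
        if val not in (0, None):
            findings.append(f"{POLICY_KEY}\\{name} = {val!r}, expected absent or 0")
    return findings


def read_live_snapshot():
    """Read the same values from the live registry (Windows only)."""
    import winreg  # imported here so audit() itself runs on any platform
    roots = {"HKCR": winreg.HKEY_CLASSES_ROOT, "HKLM": winreg.HKEY_LOCAL_MACHINE,
             "HKCU": winreg.HKEY_CURRENT_USER}
    wanted = list(EXPECTED) + [USERINIT_KEY] + [(POLICY_KEY, n) for n in POLICY_VALUES]
    snap = {}
    for key, name in wanted:
        root, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(roots[root], sub) as h:
                snap[(key, name)] = winreg.QueryValueEx(h, name)[0]
        except OSError:
            pass  # missing key or value: audit() treats it as absent
    return snap


# Constructed snapshot: .exe association hijacked, an extra Userinit entry,
# Task Manager disabled.  The guard executable name is invented.
HIJACKED = {
    (r"HKCR\exefile\shell\open\command", ""): r'"C:\WINDOWS\system32\hypothetical_guard.exe" "%1" %*',
    (r"HKCR\comfile\shell\open\command", ""): '"%1" %*',
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "Explorer.exe",
    USERINIT_KEY: r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\hypothetical_guard.exe,",
    (POLICY_KEY, "DisableTaskMgr"): 1,
}

# Constructed snapshot of a machine at stock values.
CLEAN = {
    (r"HKCR\exefile\shell\open\command", ""): '"%1" %*',
    (r"HKCR\comfile\shell\open\command", ""): '"%1" %*',
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "Explorer.exe",
    USERINIT_KEY: r"C:\WINDOWS\system32\userinit.exe,",
}

if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else HIJACKED
    for line in audit(snap) or ["no deviations from stock values"]:
        print(line)
```

Run it on the affected machine after a fix tool has finished; an empty result means the three things exeHelper resets are back at their defaults, while any finding shows which value is still (or again) pointing somewhere else.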

#4 Raktor (Teacher Emeritus, 3,114 posts)

Posted 22 September 2009 - 09:41 PM

:D

1) DDS
Please download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.

2) RR
Please download RootRepeal.zip.
Save it to your Desktop. Alternate download links here or here.
Please print these instructions, you will not have an Internet connection!
If you have a 3rd party "unzipping" program...use it to open the zipped file...then skip to Step 5. Otherwise...
  • Right click on RootRepeal.zip and select "Extract All"....
  • Click Next on the "Welcome to the Compressed (zipped) Folders Extraction Wizard."
  • Click on the Browse...button, then click on Desktop, then click OK.
  • Once done, check (tick) the Show extracted files box and click Finish.
  • Before running RootRepeal:
    • Disconnect from the Internet as your system will be unprotected while using this tool.
      Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
  • Open the RootRepeal folder and double-click on RootRepeal.exe to launch it.
  • When the program opens, click the Report tab at the bottom, then click the Scan button.
  • In the Select Scan, dialog which asks What do you want to include in the scan?, check ALL the boxes.
  • Click OK.
  • In the Select Drives, dialog Please select drives to scan: select all drives showing, then click OK.
    The scan can take some time to finish. Do not use the computer while the scan is running.
    When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Click on the Save Report button and save it as "rootrepeal.txt" to your desktop.
  • Close and exit RootRepeal
  • Double-click on the file rootrepeal.txt... Notepad will open... copy/paste the file contents in your next reply.

Make sure to enable your anti-virus, Firewall and any other security programs you disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "safe mode".

3) What You Will Need To Post:
  • DDS logs
  • RR log


#5 fredII (Authentic Member, 79 posts)

Posted 22 September 2009 - 09:50 PM

Can I reboot or will I re-infect? I'm still in safe mode and don't have a "desktop" to download to. I can only use the stick to "launch" any of your requests from. Thanks

#6 Raktor (Teacher Emeritus, 3,114 posts)

Posted 22 September 2009 - 09:52 PM

Reboot, and it should hopefully go into normal mode.. if not, go back into safe mode. Run DDS & RR. If they don't run, try running exeHelper again, then running them. :)

#7 fredII (Authentic Member, 79 posts)

Posted 22 September 2009 - 10:17 PM

Rebooted, wouldn't go to Windows, rebooted to safe mode and ran dds.scr, it started and stopped almost immediately. Did run RR and will post log. Ran exeHelper again and will post log also.

exeHelper by Raktor - 09 Build 20090919
Run at 20:17:42 on 09/22/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Found file C:\WINDOWS\system32\desot.exe
Deleting file C:\WINDOWS\system32\desot.exe
Found file C:\Program Files\Windows Police Pro\Windows Police Pro.exe
Deleting file C:\Program Files\Windows Police Pro\Windows Police Pro.exe
Found file C:\WINDOWS\system32\dddesot.dll
Deleting file C:\WINDOWS\system32\dddesot.dll
Found file C:\WINDOWS\ppp3.dat
Deleting file C:\WINDOWS\ppp3.dat
Found file C:\WINDOWS\ppp4.dat
Deleting file C:\WINDOWS\ppp4.dat
Found file C:\WINDOWS\system32\sysnet.dat
Deleting file C:\WINDOWS\system32\sysnet.dat
Found file C:\WINDOWS\system32\bincd32.dat
Deleting file C:\WINDOWS\system32\bincd32.dat
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

exeHelper by Raktor - 09 Build 20090919
Run at 21:11:36 on 09/22/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/22 21:09
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name | Image Path | Address | Size | File Visible | Signed | Status
1394BUS.SYS | C:\WINDOWS\system32\DRIVERS\1394BUS.SYS | 0xF7617000 | 53248 | - | - | -
ACPI.sys | ACPI.sys | 0xF75A8000 | 187776 | - | - | -
ACPI_HAL | \Driver\ACPI_HAL | 0x804D7000 | 2180480 | - | - | -
ACPIEC.sys | ACPIEC.sys | 0xF78A3000 | 11648 | - | - | -
afd.sys | C:\WINDOWS\System32\drivers\afd.sys | 0xBA7DD000 | 138368 | - | - | -
atapi.sys | atapi.sys | 0xF74A2000 | 95360 | - | - | -
ATMFD.DLL | C:\WINDOWS\System32\ATMFD.DLL | 0xBFFA0000 | 286720 | - | - | -
BATTC.SYS | C:\WINDOWS\system32\DRIVERS\BATTC.SYS | 0xF789F000 | 16384 | - | - | -
Beep.SYS | C:\WINDOWS\System32\Drivers\Beep.SYS | 0xF79A3000 | 4224 | - | - | -
BOOTVID.dll | C:\WINDOWS\system32\BOOTVID.dll | 0xF7897000 | 12288 | - | - | -
cdrom.sys | C:\WINDOWS\system32\DRIVERS\cdrom.sys | 0xF76A7000 | 49536 | - | - | -
CLASSPNP.SYS | C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS | 0xF7657000 | 53248 | - | - | -
compbatt.sys | compbatt.sys | 0xF789B000 | 9344 | - | - | -
disk.sys | disk.sys | 0xF7647000 | 36352 | - | - | -
drvmcdb.sys | drvmcdb.sys | 0xF745B000 | 85024 | - | - | -
dump_atapi.sys | C:\WINDOWS\System32\Drivers\dump_atapi.sys | 0xBA6E0000 | 98304 | No | - | -
dump_WMILIB.SYS | C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS | 0xF79BB000 | 8192 | No | - | -
Dxapi.sys | C:\WINDOWS\System32\drivers\Dxapi.sys | 0xBA9C2000 | 12288 | - | - | -
dxg.sys | C:\WINDOWS\System32\drivers\dxg.sys | 0xBF9C3000 | 73728 | - | - | -
dxgthk.sys | C:\WINDOWS\System32\drivers\dxgthk.sys | 0xF7A93000 | 4096 | - | - | -
Fastfat.SYS | C:\WINDOWS\System32\Drivers\Fastfat.SYS | 0xBA6F8000 | 143360 | - | - | -
fltMgr.sys | fltMgr.sys | 0xF7482000 | 128896 | - | - | -
framebuf.dll | C:\WINDOWS\System32\framebuf.dll | 0xBFF50000 | 12288 | - | - | -
Fs_Rec.SYS | C:\WINDOWS\System32\Drivers\Fs_Rec.SYS | 0xF799F000 | 7936 | - | - | -
ftdisk.sys | ftdisk.sys | 0xF74BA000 | 125056 | - | - | -
GEARAspiWDM.sys | C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys | 0xF76C7000 | 40960 | - | - | -
hal.dll | C:\WINDOWS\system32\hal.dll | 0x806EC000 | 81152 | - | - | -
i8042prt.sys | C:\WINDOWS\system32\DRIVERS\i8042prt.sys | 0xF7687000 | 52736 | - | - | -
imapi.sys | C:\WINDOWS\system32\DRIVERS\imapi.sys | 0xF7697000 | 41856 | - | - | -
intelide.sys | intelide.sys | 0xF798B000 | 5504 | - | - | -
ipnat.sys | C:\WINDOWS\system32\DRIVERS\ipnat.sys | 0xBA7FF000 | 134912 | - | - | -
ipsec.sys | C:\WINDOWS\system32\DRIVERS\ipsec.sys | 0xBA8AA000 | 74752 | - | - | -
isapnp.sys | isapnp.sys | 0xF75F7000 | 35840 | - | - | -
iviaspi.sys | C:\WINDOWS\system32\drivers\iviaspi.sys | 0xF7777000 | 20992 | - | - | -
iwca.sys | C:\WINDOWS\system32\DRIVERS\iwca.sys | 0xBAAEA000 | 249856 | - | - | -
kbdclass.sys | C:\WINDOWS\system32\DRIVERS\kbdclass.sys | 0xF7747000 | 24576 | - | - | -
KDCOM.DLL | C:\WINDOWS\system32\KDCOM.DLL | 0xF7987000 | 8192 | - | - | -
ks.sys | C:\WINDOWS\system32\DRIVERS\ks.sys | 0xBAB27000 | 143360 | - | - | -
KSecDD.sys | KSecDD.sys | 0xF7444000 | 92032 | - | - | -
meiudf.sys | C:\WINDOWS\System32\Drivers\meiudf.sys | 0xBA8F6000 | 90208 | - | - | -
mouclass.sys | C:\WINDOWS\system32\DRIVERS\mouclass.sys | 0xF7757000 | 23040 | - | - | -
MountMgr.sys | MountMgr.sys | 0xF7627000 | 42240 | - | - | -
mrxsmb.sys | C:\WINDOWS\system32\DRIVERS\mrxsmb.sys | 0xBA743000 | 453632 | - | - | -
Msfs.SYS | C:\WINDOWS\System32\Drivers\Msfs.SYS | 0xF776F000 | 19072 | - | - | -
msgpc.sys | C:\WINDOWS\system32\DRIVERS\msgpc.sys | 0xF7547000 | 35072 | - | - | -
mssmbios.sys | C:\WINDOWS\system32\DRIVERS\mssmbios.sys | 0xF793F000 | 15488 | - | - | -
Mup.sys | Mup.sys | 0xF787C000 | 107904 | - | - | -
NDIS.sys | NDIS.sys | 0xF7404000 | 182912 | - | - | -
ndistapi.sys | C:\WINDOWS\system32\DRIVERS\ndistapi.sys | 0xF792F000 | 9600 | - | - | -
ndisuio.sys | C:\WINDOWS\system32\DRIVERS\ndisuio.sys | 0xBA3B8000 | 12928 | - | - | -
ndiswan.sys | C:\WINDOWS\system32\DRIVERS\ndiswan.sys | 0xBAAD3000 | 91776 | - | - | -
NDProxy.SYS | C:\WINDOWS\System32\Drivers\NDProxy.SYS | 0xF7577000 | 38016 | - | - | -
netbios.sys | C:\WINDOWS\system32\DRIVERS\netbios.sys | 0xF7537000 | 34560 | - | - | -
netbt.sys | C:\WINDOWS\system32\DRIVERS\netbt.sys | 0xBA82A000 | 162816 | - | - | -
Npfs.SYS | C:\WINDOWS\System32\Drivers\Npfs.SYS | 0xF7787000 | 30848 | - | - | -
Ntfs.sys | Ntfs.sys | 0xF7B52000 | 574464 | - | - | -
ntoskrnl.exe | C:\WINDOWS\system32\ntoskrnl.exe | 0x804D7000 | 2180480 | - | - | -
Null.SYS | C:\WINDOWS\System32\Drivers\Null.SYS | 0xF7AB3000 | 2944 | - | - | -
ohci1394.sys | ohci1394.sys | 0xF7607000 | 61056 | - | - | -
OPRGHDLR.SYS | C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS | 0xF7A50000 | 4096 | - | - | -
PartMgr.sys | PartMgr.sys | 0xF770F000 | 18688 | - | - | -
pci.sys | pci.sys | 0xF7597000 | 68224 | - | - | -
pciide.sys | pciide.sys | 0xF7A4F000 | 3328 | - | - | -
PCIIDEX.SYS | C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS | 0xF7707000 | 28672 | - | - | -
pcmcia.sys | pcmcia.sys | 0xF74D9000 | 119936 | - | - | -
pfc.sys | C:\WINDOWS\system32\drivers\pfc.sys | 0xF7767000 | 21248 | - | - | -
PnpManager | \Driver\PnpManager | 0x804D7000 | 2180480 | - | - | -
ptilink.sys | C:\WINDOWS\system32\DRIVERS\ptilink.sys | 0xF77BF000 | 17792 | - | - | -
PxHelp20.sys | PxHelp20.sys | 0xF7717000 | 19936 | - | - | -
rasacd.sys | C:\WINDOWS\system32\DRIVERS\rasacd.sys | 0xBAFD0000 | 8832 | - | - | -
rasl2tp.sys | C:\WINDOWS\system32\DRIVERS\rasl2tp.sys | 0xF76D7000 | 51328 | - | - | -
raspppoe.sys | C:\WINDOWS\system32\DRIVERS\raspppoe.sys | 0xF76E7000 | 41472 | - | - | -
raspptp.sys | C:\WINDOWS\system32\DRIVERS\raspptp.sys | 0xF76F7000 | 48384 | - | - | -
raspti.sys | C:\WINDOWS\system32\DRIVERS\raspti.sys | 0xF77CF000 | 16512 | - | - | -
RAW | \FileSystem\RAW | 0x804D7000 | 2180480 | - | - | -
rdbss.sys | C:\WINDOWS\system32\DRIVERS\rdbss.sys | 0xBA7B2000 | 174592 | - | - | -
RDPCDD.sys | C:\WINDOWS\System32\DRIVERS\RDPCDD.sys | 0xF79A7000 | 4224 | - | - | -
redbook.sys | C:\WINDOWS\system32\DRIVERS\redbook.sys | 0xF76B7000 | 57472 | - | - | -
rootrepeal.sys | C:\WINDOWS\system32\drivers\rootrepeal.sys | 0xF7517000 | 49152 | No | - | -
sr.sys | sr.sys | 0xF7470000 | 73472 | - | - | -
srv.sys | C:\WINDOWS\system32\DRIVERS\srv.sys | 0xBA146000 | 333184 | - | - | -
sscdbhk5.sys | C:\WINDOWS\system32\drivers\sscdbhk5.sys | 0xF7993000 | 5568 | - | - | -
ssrtln.sys | C:\WINDOWS\system32\drivers\ssrtln.sys | 0xF780F000 | 23488 | - | - | -
swenum.sys | C:\WINDOWS\system32\DRIVERS\swenum.sys | 0xF7999000 | 4352 | - | - | -
SynTP.sys | C:\WINDOWS\system32\DRIVERS\SynTP.sys | 0xBAB4A000 | 185728 | - | - | -
tcpip.sys | C:\WINDOWS\system32\DRIVERS\tcpip.sys | 0xBA852000 | 360320 | - | - | -
TDI.SYS | C:\WINDOWS\system32\DRIVERS\TDI.SYS | 0xF77AF000 | 20480 | - | - | -
termdd.sys | C:\WINDOWS\system32\DRIVERS\termdd.sys | 0xF7587000 | 40704 | - | - | -
Udfs.SYS | C:\WINDOWS\System32\Drivers\Udfs.SYS | 0xBA8E5000 | 66176 | - | - | -
update.sys | C:\WINDOWS\system32\DRIVERS\update.sys | 0xBA9DA000 | 364160 | - | - | -
USBD.SYS | C:\WINDOWS\system32\DRIVERS\USBD.SYS | 0xF798F000 | 8192 | - | - | -
usbehci.sys | C:\WINDOWS\system32\DRIVERS\usbehci.sys | 0xF773F000 | 26624 | - | - | -
usbhub.sys | C:\WINDOWS\system32\DRIVERS\usbhub.sys | 0xF7567000 | 57600 | - | - | -
USBPORT.SYS | C:\WINDOWS\system32\DRIVERS\USBPORT.SYS | 0xBAEA4000 | 143360 | - | - | -
USBSTOR.SYS | C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS | 0xF779F000 | 26496 | - | - | -
usbuhci.sys | C:\WINDOWS\system32\DRIVERS\usbuhci.sys | 0xF7737000 | 20480 | - | - | -
vga.sys | C:\WINDOWS\System32\drivers\vga.sys | 0xF7817000 | 20992 | - | - | -
VIDEOPRT.SYS | C:\WINDOWS\System32\drivers\VIDEOPRT.SYS | 0xBA94E000 | 81920 | - | - | -
VolSnap.sys | VolSnap.sys | 0xF7637000 | 52352 | - | - | -
w29n51.sys | C:\WINDOWS\system32\DRIVERS\w29n51.sys | 0xBAB78000 | 3325312 | - | - | -
watchdog.sys | C:\WINDOWS\System32\watchdog.sys | 0xF77C7000 | 20480 | - | - | -
Win32k | \Driver\Win32k | 0xBF800000 | 1847296 | - | - | -
win32k.sys | C:\WINDOWS\System32\win32k.sys | 0xBF800000 | 1847296 | - | - | -
win32k.sys:1 | C:\WINDOWS\win32k.sys:1 | 0xF77B7000 | 20480 | No | - | -
win32k.sys:2 | C:\WINDOWS\win32k.sys:2 | 0xBAA43000 | 61440 | No | - | -
WMILIB.SYS | C:\WINDOWS\system32\DRIVERS\WMILIB.SYS | 0xF7989000 | 8192 | - | - | -
WMIxWDM | \Driver\WMIxWDM | 0x804D7000 | 2180480 | - | - | -
WudfPf.sys | WudfPf.sys | 0xF7431000 | 77568 | - | - | -
yk51x86.sys | C:\WINDOWS\system32\DRIVERS\yk51x86.sys | 0xBAEC7000 | 297728 | - | - | -

Should I try to boot again? Thanks
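Two things in that RootRepeal driver list stand out to a reader doing triage: entries marked "File Visible: No", and two modules whose image path is C:\WINDOWS\win32k.sys:1 and :2, which is an NTFS alternate data stream rather than a normal driver file (Windows does not ship kernel drivers that way). The script below is an added example, not RootRepeal's own logic (the thread does not show how it decides anything): it parses a run-together RootRepeal "Drivers" section and flags exactly those two conditions, while skipping the scanner's own driver and the kernel's dump_* in-memory copies of the storage stack, which legitimately have no file on disk. The SAMPLE string is a constructed excerpt using six entries copied from the log above.

```python
"""Triage a RootRepeal "Drivers" section for hidden or ADS-backed modules.

Added example; not RootRepeal's code.  SAMPLE is a constructed excerpt in
RootRepeal's field layout, built from entries that appear in the thread.
"""
import re

FIELD_RE = re.compile(r"(Name|Image Path|Address|Size|File Visible|Signed|Status): ")

# Constructed sample: six entries in the run-together form the forum post shows.
SAMPLE = (
    r"Name: 1394BUS.SYS Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS Address: 0xF7617000 Size: 53248 File Visible: - Signed: - Status: - "
    r"Name: dump_atapi.sys Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys Address: 0xBA6E0000 Size: 98304 File Visible: No Signed: - Status: - "
    r"Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0xF7517000 Size: 49152 File Visible: No Signed: - Status: - "
    r"Name: win32k.sys Image Path: C:\WINDOWS\System32\win32k.sys Address: 0xBF800000 Size: 1847296 File Visible: - Signed: - Status: - "
    r"Name: win32k.sys:1 Image Path: C:\WINDOWS\win32k.sys:1 Address: 0xF77B7000 Size: 20480 File Visible: No Signed: - Status: - "
    r"Name: win32k.sys:2 Image Path: C:\WINDOWS\win32k.sys:2 Address: 0xBAA43000 Size: 61440 File Visible: No Signed: - Status: - "
)


def parse_drivers(text):
    """Split the driver section into one dict per driver; each 'Name:' starts a record."""
    pieces = FIELD_RE.split(text)          # ['', 'Name', '1394BUS.SYS ', 'Image Path', ...]
    records, current = [], None
    for label, value in zip(pieces[1::2], pieces[2::2]):
        if label == "Name":
            current = {}
            records.append(current)
        if current is not None:
            current[label] = value.strip()
    return records


def is_ads_path(path):
    """True for 'C:\\WINDOWS\\win32k.sys:1'-style stream paths; a drive colon does not count."""
    if re.match(r"^[A-Za-z]:", path):
        return ":" in path[2:]
    return ":" in path


def triage(records, scanner_driver="rootrepeal.sys"):
    """Return (name, image_path, reasons) for every entry worth a closer look."""
    flagged = []
    for r in records:
        name = r.get("Name", "")
        path = r.get("Image Path", "")
        if name.lower() == scanner_driver:
            continue                        # the scanner's own hidden driver is expected
        reasons = []
        # dump_* drivers are the kernel's in-memory crash-dump copies and never exist on disk.
        if r.get("File Visible") == "No" and not name.lower().startswith("dump_"):
            reasons.append("image not visible on disk")
        if is_ads_path(path):
            reasons.append("loaded from alternate data stream")
        if reasons:
            flagged.append((name, path, reasons))
    return flagged


if __name__ == "__main__":
    for name, path, reasons in triage(parse_drivers(SAMPLE)):
        print(f"{name:14} {path:32} {'; '.join(reasons)}")
```

To use it on a real log, paste the text between the "Drivers" header and the next section into SAMPLE (or read it from the saved rootrepeal.txt); anything it flags is a module whose backing file the scanner could not see or that lives in a stream, which is the first thing to show the helper handling the case.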

#8 Raktor (Teacher Emeritus, 3,114 posts)

Posted 22 September 2009 - 10:26 PM

Download this Win32kDiag and save to your Desktop.
Double-click the Utility to run it and let it finish.
When it states Finished! Press any key to exit, press any key to close the program.
It will save a Win32kDiag.txt file to your desktop automatically. Attach this log file to your next message.

#9 fredII (Authentic Member, 79 posts)

Posted 22 September 2009 - 10:29 PM

Tried dds.pif and same result, would start and stop immediately. BTW, I've still got a lot of error messages that come up and ask me to run chkdsk:
C:\windows\$hf_mig$\KB901190
C:\windows\$hf_mig$\KB915865
C:\windows\$hf_mig$\KB926255
C:WINDOWS\$NtServicePackUninstallNLSDownlevleMapping$
C:\windows\assembly\NativeImages_v2.0.50727_32\Twain
I just proceed through them, don't know if this is part of the issue in not getting Windows to come up. Thanks

#10 fredII (Authentic Member, 79 posts)

Posted 22 September 2009 - 11:02 PM

Wow, huge, huge file, it doesn't look like it's repeating itself. I'm getting hundreds of "cannot access: Win32kDiag.exe - Corrupt File C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\dpwsockx.dll" and a lot of other DLLs. It finishes and asks to press any key, but all I'm doing is clearing dialog boxes when I click the "OK" box. It's endless. I can't get to the file to give it to you. This is scary. Help



#11 fredII (Authentic Member, 79 posts)

Posted 23 September 2009 - 12:27 AM

I went back and tried RootRepeal again. Re-read your instructions and found the Report tab and was able to check all the boxes as it was shown in your message. Got it to start the run but about 45 seconds in the program stopped. Tried to reboot and again go into safe mode and try again but same result. The previous RootRepeal did not have all the boxes checked, sorry, I messed up. As RootRepeal started it immediately stated at the top "MBR rootkit detected" but it couldn't continue running. As it stands now I can't get the report from Win32kDiag, there's just tons of dialog boxes that say things (DLLs, Software Distribution DLL cache) are corrupt and I can't get the file to finish and give me a txt document to give to you. I also can't highlight the document and copy and paste to you either. If I boot up not in safe mode, it goes to BSOD and I can open task manager to try and execute the softwares you're recommending but I have almost no luck. If I go into safe mode (any of them) I get some luck but some start and stop after a few seconds. Whatever this is, it must be "deep" and be able to thwart the malware removers and detectors. This is getting scary and I'm frustrated. I do thank you for the help and hope to hear from you tomorrow. What part of the world are you from, BTW? Would like to get more interface time if possible. I'm west coast Calif for your information. 2 kids and all keep us very busy.
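The "MBR rootkit detected" message above means the scanner believes sector 0 of the disk, which runs before Windows and before any anti-malware driver, has been altered; that is also why safe mode and the usual tools keep stalling in this thread. The script below is an added example of the generic check behind such a verdict, and is not RootRepeal's code (the thread does not show how it reaches that result): it parses a 512-byte master boot record, validates the signature and partition table, and compares the boot-code bytes against a hash taken from a known-good copy. The sectors it runs on are constructed in the code; read_sector0() is the only part that touches a real disk and needs administrator rights.

```python
"""Integrity check for a 512-byte master boot record.

Added example; the sample sectors are constructed and the boot code in them
is a placeholder, not a real boot loader.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot code
ENTRY_FMT = "<B3xB3xII"        # boot flag, CHS start (skipped), type, CHS end (skipped), LBA, sectors
SIGNATURE = b"\x55\xAA"        # bytes 510..511


def parse_mbr(sector):
    """Return boot code, the four partition entries and the signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        boot, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, BOOT_CODE_LEN + 16 * i)
        parts.append({"boot": boot, "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts, "signature": sector[510:512]}


def check_mbr(sector, baseline_boot_code_sha256):
    """List every way the sector deviates from a sane, baseline-matching MBR."""
    mbr = parse_mbr(sector)
    issues = []
    if mbr["signature"] != SIGNATURE:
        issues.append("missing 0x55AA signature")
    active = [p for p in mbr["partitions"] if p["boot"] == 0x80]
    if len(active) != 1:
        issues.append(f"{len(active)} active partitions (expected 1)")
    for p in mbr["partitions"]:
        if p["boot"] not in (0x00, 0x80):
            issues.append(f"invalid boot flag 0x{p['boot']:02x}")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_boot_code_sha256:
        issues.append("boot code differs from baseline")
    return issues


def build_sector(boot_code, partitions, signature=SIGNATURE):
    """Assemble a constructed MBR from boot-code bytes and (boot, type, lba, sectors) tuples."""
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    rows = list(partitions) + [(0, 0, 0, 0)] * (4 - len(partitions))
    table = b"".join(struct.pack(ENTRY_FMT, *row) for row in rows)
    return body + table + signature


def read_sector0(device):
    """Read the live MBR, e.g. r'\\\\.\\PhysicalDrive0' on Windows or '/dev/sda' on Linux."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


# Constructed baseline: placeholder boot code and one active NTFS (type 0x07) partition.
CLEAN_BOOT_CODE = b"\xEB\x3C\x90" + b"constructed-boot-code-stand-in"
CLEAN_SECTOR = build_sector(CLEAN_BOOT_CODE, [(0x80, 0x07, 63, 2_000_000)])
BASELINE_SHA256 = hashlib.sha256(CLEAN_SECTOR[:BOOT_CODE_LEN]).hexdigest()

# Constructed tampered sector: different boot code and a second partition marked active.
TAMPERED_SECTOR = build_sector(
    b"\xEB\x20\x90" + b"constructed-modified-loader",
    [(0x80, 0x07, 63, 2_000_000), (0x80, 0x07, 2_000_063, 500_000)],
)

if __name__ == "__main__":
    for label, sec in (("clean", CLEAN_SECTOR), ("tampered", TAMPERED_SECTOR)):
        print(label, check_mbr(sec, BASELINE_SHA256) or ["ok"])
```

The baseline hash has to come from a trusted source, such as the same machine before the infection or a clean install of the same Windows version, because a standard boot loader has a small number of known-good variants and anything else in those 446 bytes is what a scanner is reacting to.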

#12 Raktor (Teacher Emeritus, 3,114 posts)

Posted 23 September 2009 - 12:31 AM

We can keep proceeding, but this is going to be a tough one, and I'm not entirely sure what the outcome is going to be. Do you still have the original CDs to perform a format and reinstall, and do you think that's feasible in this situation? I'm in Melbourne, Australia. Just hit 4:30pm here.

#13 fredII (Authentic Member, 79 posts)

Posted 23 September 2009 - 12:24 PM

Raktor, thanks. I'm responding from work. I'm not sure I have the CDs but I'll check. I assume this reformat and reinstall would kill all the files in the computer? I've got all our family photos in there so you can see the wife would kill me, especially since today is our anniversary. Is there any way in safe mode I can get access to my photo folders and put them on a separate drive even if it was infected? I'm assuming that the malware is residing elsewhere in the master boot and other places, probably not in these folders. I'd like to proceed with other "tools" than going to a total reformat. Thanks Raktor

#14 fredII (Authentic Member, 79 posts)

Posted 23 September 2009 - 07:22 PM

Raktor, I'm back on the wife's computer and able to try new alternatives. Thanks

#15 fredII (Authentic Member, 79 posts)

Posted 23 September 2009 - 09:51 PM

I found the Microsoft Office software disk and the original Toshiba recovery/applications disk that came with it. In reading up on this elsewhere, the Toshiba disk would totally wipe the drive and reinstall. I don't know if there is the "repair" option that would leave my other files and just replace the Windows OS. Do you think this situation is in the OS and a "repair" gets deep enough? Thanks
