
Author Topic: Need to remove TROJAN:WIN32?FakeScanti  (Read 13812 times)


Twylla

    Topic Starter


    Beginner
  • I love YaBB 1G - SP1!
    Re: Need to remove TROJAN:WIN32?FakeScanti
    « Reply #15 on: August 13, 2010, 11:20:48 PM »
    Scanned again over 2 1/2 hrs; when I went to save it, it wouldn't let me name it
    and froze up, then disappeared.  Started the scan again and the computer
    restarted itself.  Not sure if I should do it again or not; seems to be some
    sort of glitch happening.

    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: Need to remove TROJAN:WIN32?FakeScanti
    « Reply #16 on: August 14, 2010, 01:16:52 PM »
    Ok. Let's try another one. 

    * Download the following tool: RootRepeal - Rootkit Detector
    * Direct download link is here: RootRepeal.zip

    * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
    * Click this link to see a list of such programs and how to disable them.

    * Extract the program file to a new folder such as C:\RootRepeal
    * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
    * Select ALL of the checkboxes and then click OK and it will start scanning your system.
    * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
    * When done, click on Save Report
    * Save it to the same location where you ran it from, such as C:\RootRepeal
    * Save it as rootrepeal.txt
    * Then open that log and select all and copy/paste it back on your next reply please.
    * Close RootRepeal.
    Windows 8 and Windows 10 dual boot with two SSD's

    Twylla

      Topic Starter


      Beginner
    • I love YaBB 1G - SP1!
      Re: Need to remove TROJAN:WIN32?FakeScanti
      « Reply #17 on: August 15, 2010, 10:03:49 AM »
      ROOTREPEAL (c) AD, 2007-2009
      ==================================================
      Scan Start Time:                2010/08/15 00:12
      Program Version:                Version 1.3.5.0
      Windows Version:                Windows XP SP3
      ==================================================

      Drivers
      -------------------
      Name: rootrepeal.sys
      Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
      Address: 0x9FDFE000     Size: 49152     File Visible: No        Signed: -
      Status: -

      Hidden/Locked Files
      -------------------
      Path: C:\hiberfil.sys
      Status: Locked to the Windows API!

      Path: C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\Fifoed\A0001104.exe
      Status: Could not get file information (Error 0xc0000008)

      Path: C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP13\A0004451.rbf
      Status: Locked to the Windows API!

      Path: C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP13\A0004590.rbf
      Status: Locked to the Windows API!

      Path: C:\Documents and Settings\Sherry\Temporary Internet Files\Content.IE5\GE67E3S2\quota_bg-86245791[1].gif
      Status: Locked to the Windows API!

      Path: C:\Documents and Settings\Sherry\Local Settings\Apps\2.0\YJ35ZCX8.61Y\5OVG2LMG.M1W\manifests\LogMeIn Host Software.exe.cdf-ms
      Status: Locked to the Windows API!

      Path: C:\Documents and Settings\Sherry\Local Settings\Apps\2.0\YJ35ZCX8.61Y\5OVG2LMG.M1W\manifests\LogMeIn Host Software.exe.manifest
      Status: Locked to the Windows API!

      Path: C:\Documents and Settings\Sherry\Local Settings\Apps\2.0\YJ35ZCX8.61Y\5OVG2LMG.M1W\manifests\LogMeInBootstrapper.cdf-ms
      Status: Locked to the Windows API!

      Path: C:\Documents and Settings\Sherry\Local Settings\Apps\2.0\YJ35ZCX8.61Y\5OVG2LMG.M1W\manifests\LogMeInBootstrapper.manifest
      Status: Locked to the Windows API!

      SSDT
      -------------------
      #: 025  Function Name: NtClose
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df52a0

      #: 031  Function Name: NtConnectPort
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df334e

      #: 047  Function Name: NtCreateProcess
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df4fd0

      #: 048  Function Name: NtCreateProcessEx
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df5140

      #: 050  Function Name: NtCreateSection
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df5e10

      #: 052  Function Name: NtCreateSymbolicLinkObject
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df58ae

      #: 053  Function Name: NtCreateThread
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df67d0

      #: 068  Function Name: NtDuplicateObject
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df5450

      #: 097  Function Name: NtLoadDriver
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df2ea0

      #: 116  Function Name: NtOpenFile
      Status: Hooked by "kl1.sys" at address 0xf70d0030

      #: 122  Function Name: NtOpenProcess
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df4dc0

      #: 125  Function Name: NtOpenSection
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df5c3e

      #: 173  Function Name: NtQuerySystemInformation
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df6436

      #: 200  Function Name: NtRequestWaitReplyPort
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df3930

      #: 206  Function Name: NtResumeThread
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df6740

      #: 213  Function Name: NtSetContextThread
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df6b00

      #: 224  Function Name: NtSetInformationFile
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df70c0

      #: 237  Function Name: NtSetSecurityObject
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df1af0

      #: 240  Function Name: NtSetSystemInformation
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df5a90

      #: 254  Function Name: NtSuspendThread
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df66f0

      #: 255  Function Name: NtSystemDebugControl
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df31b0

      #: 257  Function Name: NtTerminateProcess
      Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address 0xa0eb0620

      #: 277  Function Name: NtWriteVirtualMemory
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df5310

      Shadow SSDT
      -------------------
      #: 013  Function Name: NtGdiBitBlt
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df3080

      #: 307  Function Name: NtUserAttachThreadInput
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df3a10

      #: 378  Function Name: NtUserFindWindowEx
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df2b10

      #: 383  Function Name: NtUserGetAsyncKeyState
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df1a00

      #: 414  Function Name: NtUserGetKeyboardState
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df1a80

      #: 416  Function Name: NtUserGetKeyState
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df1a40

      #: 460  Function Name: NtUserMessageCall
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df2a10

      #: 475  Function Name: NtUserPostMessage
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df6ea0

      #: 476  Function Name: NtUserPostThreadMessage
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df2ac0

      #: 502  Function Name: NtUserSendInput
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df1f90

      #: 549  Function Name: NtUserSetWindowsHookEx
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df6cf0

      #: 552  Function Name: NtUserSetWinEventHook
      Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df6ef0

      ==EOF==
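Every hook in the SSDT and Shadow SSDT sections of the report above is attributed to klif.sys, kl1.sys or SASKUTIL.SYS, and the only driver marked "File Visible: No" is the scanner's own rootrepeal.sys, which is why a helper reading this log can move on to the next tool. What a reviewer is really scanning for is a hook or an invisible driver that no installed product explains. The Python script below is an added example, not code from this thread or from RootRepeal: it parses a report in the layout shown (a constructed excerpt is embedded, with indentation and the wrapped "at address" line tolerated the way they appear when pasted into a forum), groups hooked functions by the driver that hooks them, and flags any driver that is not on an analyst-supplied allow-list. The allow-list is an assumption made for the example (klif.sys and kl1.sys taken as Kaspersky's drivers, SASKUTIL.SYS as SUPERAntiSpyware's, as its path in the log shows), and the unknown.sys entry is constructed purely to exercise the "unexplained hook" path.

```python
import re
from collections import defaultdict

# Constructed excerpt in the RootRepeal report layout shown in the thread; the
# unknown.sys hook is invented here only to exercise the "unexplained" path, and
# the wrapped "at address" line mirrors how the forum log came out.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Windows Version:                Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9FDFE000     Size: 49152     File Visible: No        Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\System Volume Information\_restore{RESTORE-POINT-GUID}\RP13\A0004451.rbf
Status: Locked to the Windows API!

SSDT
-------------------
#: 025  Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df52a0

#: 116  Function Name: NtOpenFile
Status: Hooked by "kl1.sys" at address 0xf70d0030

#: 257  Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS" at address
0xa0eb0620

#: 277  Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\unknown.sys" at address 0xa0df5310

Shadow SSDT
-------------------
#: 383  Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xa0df1a00

==EOF==
"""

# Assumed allow-list: kernel drivers of the security products the analyst knows
# are installed (Kaspersky's klif.sys/kl1.sys, SUPERAntiSpyware's SASKUTIL.SYS).
KNOWN_SECURITY_MODULES = {"klif.sys", "kl1.sys", "saskutil.sys"}

# Section header = a title line over a dashed underline; leading spaces allowed.
SECTION_RE = re.compile(r"^[ \t]*(?P<name>[A-Za-z][A-Za-z/ ]*?)[ \t]*\n[ \t]*-{5,}[ \t]*$", re.MULTILINE)
# "\s*" before the address lets the hex value sit on a wrapped following line.
HOOK_RE = re.compile(r'#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\S+)\s*\n'
                     r'\s*Status:\s*Hooked by "(?P<module>[^"]+)" at address\s*(?P<addr>0x[0-9A-Fa-f]+)')
DRIVER_RE = re.compile(r"Name:[ \t]*(?P<name>.+?)[ \t]*\n[ \t]*Image Path:[ \t]*(?P<path>.+?)[ \t]*\n[ \t]*"
                       r"Address:\s*(?P<addr>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)\s+"
                       r"File Visible:\s*(?P<visible>\S+)\s+Signed:\s*(?P<signed>\S+)[ \t]*\n[ \t]*"
                       r"Status:[ \t]*(?P<status>.*)")
FILE_RE = re.compile(r"Path:[ \t]*(?P<path>.+?)[ \t]*\n[ \t]*Status:[ \t]*(?P<status>.+)")


def split_sections(report):
    """Map each section title to the text between it and the next title."""
    heads = list(SECTION_RE.finditer(report))
    sections = {}
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(report)
        sections[h["name"].strip()] = report[h.end():end]
    return sections


def parse_hooks(section):
    """SSDT / Shadow SSDT entries as dicts (index, function, module, address)."""
    return [{"index": int(m["index"]), "function": m["func"], "module": m["module"],
             "address": m["addr"].lower()} for m in HOOK_RE.finditer(section)]


def parse_drivers(section):
    return [{"name": m["name"], "path": m["path"], "size": int(m["size"]), "visible": m["visible"],
             "signed": m["signed"], "status": m["status"].strip()} for m in DRIVER_RE.finditer(section)]


def parse_locked_files(section):
    return [{"path": m["path"], "status": m["status"].strip()} for m in FILE_RE.finditer(section)]


def module_basename(path):
    """Reduce a full driver path or a bare file name to the lower-case file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_hooks(hooks, known_modules=KNOWN_SECURITY_MODULES):
    """Group hooked functions by hooking driver; anything off the allow-list needs a look."""
    by_module = defaultdict(list)
    for h in hooks:
        by_module[module_basename(h["module"])].append(h["function"])
    unexplained = {m: f for m, f in by_module.items() if m not in known_modules}
    return dict(by_module), unexplained


def hidden_drivers(drivers, scanner_own=("rootrepeal.sys",)):
    """Drivers the file system does not show, ignoring the scanner's own driver."""
    return [d for d in drivers if d["visible"].lower() == "no" and d["name"].lower() not in scanner_own]


def analyze(report, known_modules=KNOWN_SECURITY_MODULES):
    s = split_sections(report)
    hooks = parse_hooks(s.get("SSDT", "")) + parse_hooks(s.get("Shadow SSDT", ""))
    by_module, unexplained = triage_hooks(hooks, known_modules)
    return {"hooks_by_module": by_module, "unexplained_hooks": unexplained,
            "hidden_drivers": hidden_drivers(parse_drivers(s.get("Drivers", ""))),
            "locked_files": parse_locked_files(s.get("Hidden/Locked Files", ""))}


if __name__ == "__main__":
    summary = analyze(SAMPLE_REPORT)
    for module, funcs in summary["hooks_by_module"].items():
        tag = "known security product" if module in KNOWN_SECURITY_MODULES else "UNEXPLAINED"
        print(f"{module}: {len(funcs)} hook(s) [{tag}]")
    print("hidden drivers:", [d["name"] for d in summary["hidden_drivers"]])
```

Run it on a saved rootrepeal.txt by passing the file's contents to `analyze()`. A hook by an allow-listed driver is not proof of anything on its own (the allow-list only records what the analyst has already accounted for), but a module outside it, or a driver marked "File Visible: No" that is not the scanner's own, is exactly the line a helper would ask about next. One limitation: a file path that the forum software has wrapped onto a second line, as happened in the Hidden/Locked Files section above, will not match and is skipped, so re-join such lines before parsing a pasted log.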

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: Need to remove TROJAN:WIN32?FakeScanti
      « Reply #18 on: August 15, 2010, 12:47:39 PM »
      Please download TDSSKiller from here and save it to your Desktop.
      • Doubleclick TDSSKiller.exe to run the tool
      • Click the Start Scan button (If prompted with a "hidden service warning" do go ahead and delete it.)

      • After the scan has finished, click the Close button
      • Click the Report button and copy/paste the contents of it into your next reply
      • Note: It will also create a log in the C:\ directory.
      Windows 8 and Windows 10 dual boot with two SSD's