Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Oh my GOD!! I think I'm infected with a ROOTKIT. PLS HELP!, No wonder things were weird.
vladmir21
post Jun 30 2009, 04:45 AM
Post #1
Hi all,
It's making sense now.
A couple of weeks ago, I tried running a HijackThis log just for fun, I have the latest TrendMicro version, and it simply wouldn't run.
I then tried to uninstall it, thinking that it must somehow have been corrupted, so I go into Add/Remove Programs to remove it,
but it just stays there! The icon, that is.
I still didn't think anything of it, and I just let it go.
I thought that was weird, but I was so busy with my work and we are in the process of moving to a new home, that I didn't investigate further.

Then, I started to get problems with getting any CD or DVD to burn, I got errors from Nero, CDBurnerXP, ImgBurn, Ashampoo etc.
Nero was telling me "you need admin rights to continue this operation" when I am the admin damnit, this is my computer!

Today, just a half hour before posting this, I tried to install DVD Decrypter.
When I proceeded to open it, check out the error.

I typed that error in, and this is what I found:
http://forum.imgburn.com/lofiversion/index.php/t9862.html
QUOTE
txnhockey
Jun 18 2009, 01:01 AM
Just to let you all know. I was getting the same problem.
Nothing could burn - Nero, CD BurnXP, etc

Ran AVG Rootkit, it found 2 hidden driver files and renamed them on reboot.
Ran Malwarebytes' Anti-Malware 1.38 and it found 26 infect files associated to the SKYNET Trojan.

Every program burns now, no problems.

Thank god ImgBurn actually has a useful console or I never would have known why my drive was not being seen
eSkRo
Jun 18 2009, 01:48 AM
looks like AVG Anti-Rootkit might be a winner!!!
LIGHTNING UK!
Jun 18 2009, 08:02 AM
That's weird too because it dates back to something like 2007!


HMM! I thought, no way, this could be a rootkit?! Oh ****.
So, I install Malwarebytes Anti-Malware, and guess what, IT DOESN'T RUN!!
It is not loading, what am I to do?
I double-click on it, and it just stays there, doing nothing.

Help me experts please!!!
vladmir21
post Jun 30 2009, 04:51 AM
Post #2
Btw, there is no AVG Anti-Rootkit download available anymore.
Instead of a 460+KB file, it starts downloading the whole AVG software that's like 80MB.
vladmir21
post Jun 30 2009, 05:17 AM
Post #3
Oh now what's this?!!!

http://www.bleepingcomputer.com/forums/ind...mber+of+secrets

I was checking it out after searching the term in Google.
A senior member had recommended to him a program called RootRepeal.

I installed it and ran a scan for drivers, it found this.

I typed the beginning of that entry, gxvxc, as it was common to them all, and something about not being able to access Gmail came up.
Now I do have a Gmail account, but I only use my Yahoo account.

Well, as it turns out, MY GMAIL ACCOUNT DOESN'T WORK ANYMORE.
I simply cannot login, even though I know the correct username and password.

WTF kind of a virus is this??????????????

What should I do in RootRepeal?
It has options to "force delete" etc. but I really don't want to self-medicate, you know what I mean.

vladmir21
post Jun 30 2009, 05:20 AM
Post #4
http://www.geekstogo.com/forum/Trojan-Prev...xc-t240772.html

That's exactly like my problem, the same gxvxc thing.
Even he says that suddenly "the burning programs stopped recognizing my DVD-R drive"

but while he can do the scan, I cannot.
DaChew
post Jun 30 2009, 05:32 AM
Post #5
http://www.malwarebytes.org/forums/index.php?showtopic=12709

Here's the original guide from back in March, take your time and follow the directions exactly.



--------------------
Chewy

vladmir21
post Jun 30 2009, 06:53 AM
Post #6
Thanks for the link, I will check it out.
Till now I had booted in safe mode. I clicked on Malwarebytes Anti-Malware, and it loaded.
So far so good.
THEN IN THE MIDDLE OF THE SCAN, MY LAPTOP JUST TOTALLY SHUT DOWN.
NOT GOOD AT ALL.
As I restarted, I got the chkdsk thing, it was checking the C: partition for consistency, and then booted normally.

DaChew
post Jun 30 2009, 07:09 AM
Post #7
You have to disable/wipe the rootkit driver with rootrepeal first



--------------------
Chewy

vladmir21
post Jun 30 2009, 10:10 AM
Post #8
Hi DaChew, ok I deleted the entries found by RootRepeal, and the Malwarebytes Anti-Malware scanner ran fine.
Let me post the log:
CODE
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

6/30/2009 7:45:57 PM
mbam-log-2009-06-30 (19-45-57).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 192084
Time elapsed: 32 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\system32\zeon98.dll (Adware.WinButler) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{8756274c-3440-4c8b-ba88-fb0bd100a071}\RP288\A0066053.rbf (Adware.WinButler) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\zeon98.dll (Adware.WinButler) -> Quarantined and deleted successfully.
c:\documents and settings\user\Local Settings\Temp\VideoTools.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gxvxclnbhwwarhfheqqfyhwefrtqfamcjkxgk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gxvxcmpqmdymtesffvilkbmvpijrmsgsxmkco.dll (Trojan.Agent) -> Quarantined and deleted successfully.


Now HijackThis can also run successfully!!

Please advise me which scanner I should run next, to make sure it's dead and gone.

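The MBAM log above, as an added example that is not part of the original thread: a Python script that parses a log in that format and flags the two things a helper would look for in it, the Security Center *DisableNotify values found set to 1 (the warnings that antivirus, firewall or updates are off were being suppressed) and random-named system32 DLLs whose shared prefix also appears as an HKLM\SOFTWARE key, the pairing seen with gxvxc here. The sample log is a constructed excerpt of the one posted, and the five-letter prefix length is an assumption taken from that one case.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the Malwarebytes' Anti-Malware 1.38 log
# quoted in the thread (same line format, fewer lines).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

Scan type: Full Scan (C:\|D:\|)
Registry Keys Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\zeon98.dll (Adware.WinButler) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gxvxclnbhwwarhfheqqfyhwefrtqfamcjkxgk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gxvxcmpqmdymtesffvilkbmvpijrmsgsxmkco.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# A section header is "<Name> Infected:" with nothing after the colon; the
# summary lines near the top ("Files Infected: 4") have a count and so do not match.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# One detection line: "<path> (<family>) -> <detail>".
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<detail>.+)$")
# Registry data items carry the bad and good values inline.
DATA_ITEM_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")
# Assumption: a 5-letter prefix plus a long random lowercase tail, as in gxvxc*.dll.
RANDOM_DLL_RE = re.compile(r"\\system32\\(?P<prefix>[a-z]{5})[a-z]{20,}\.dll$", re.IGNORECASE)


def parse_mbam_log(text):
    """Return {section name: [(path, family, detail), ...]} for every section with hits."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            continue
        if current is None:  # still in the summary block
            continue
        item = ITEM_RE.match(line)
        if item:  # "(No malicious items detected)" does not match and is skipped
            sections[current].append((item.group("path"), item.group("family"), item.group("detail")))
    return dict(sections)


def find_security_center_tampering(items):
    """Names of Security Center *DisableNotify values whose bad value was 1."""
    hits = []
    for path, _family, detail in items.get("Registry Data Items Infected", []):
        if "\\Security Center\\" in path and path.endswith("DisableNotify"):
            values = DATA_ITEM_RE.search(detail)
            if values and values.group("bad").strip() == "1":
                hits.append(path.rsplit("\\", 1)[-1])
    return hits


def find_random_named_system32_dlls(items):
    """Group system32 DLLs with random-looking names by their 5-letter prefix."""
    by_prefix = defaultdict(list)
    for path, _family, _detail in items.get("Files Infected", []):
        match = RANDOM_DLL_RE.search(path)
        if match:
            by_prefix[match.group("prefix").lower()].append(path)
    return dict(by_prefix)


def correlate_rootkit_prefix(items):
    """Prefixes that name both an HKLM\\SOFTWARE\\<prefix> key and random-named DLLs."""
    keys = {
        path.rsplit("\\", 1)[-1].lower()
        for path, _family, _detail in items.get("Registry Keys Infected", [])
        if path.upper().startswith("HKEY_LOCAL_MACHINE\\SOFTWARE\\")
    }
    return {pfx: dlls for pfx, dlls in find_random_named_system32_dlls(items).items() if pfx in keys}


def triage(text):
    """One-shot summary of the points worth raising from a log."""
    items = parse_mbam_log(text)
    return {
        "security_center_notify_disabled": find_security_center_tampering(items),
        "rootkit_prefixes": correlate_rootkit_prefix(items),
        "items_detected": sum(len(v) for v in items.values()),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```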
DaChew
post Jun 30 2009, 12:43 PM
Post #9
Update MBAM and run a quick scan

Also

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


--------------------
Chewy

vladmir21
post Jul 1 2009, 01:19 AM
Post #10
MBAM didn't find anything after updating definitions and doing a quick scan.

I haven't actually run the ATF Cleaner, just set the options.

Here is the log of SUPERAntiSpyware, it's detected something called
CODE
Trojan.Unknown Origin
    HKU\.DEFAULT\Software\ColdWare
    HKU\S-1-5-18\Software\ColdWare

Trojan.Agent/Gen-MSFake
    C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\TMP53.TMP


Here is the full log:
QUOTE
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/01/2009 at 11:38 AM

Application Version : 4.26.1006

Core Rules Database Version : 3964
Trace Rules Database Version: 1905

Scan type : Complete Scan
Total Scan Time : 00:42:13

Memory items scanned : 211
Memory threats detected : 0
Registry items scanned : 4677
Registry threats detected : 2
File items scanned : 43808
File threats detected : 161

Adware.Tracking Cookie

Trojan.Unknown Origin
HKU\.DEFAULT\Software\ColdWare
HKU\S-1-5-18\Software\ColdWare

Trojan.Agent/Gen-MSFake
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\TMP53.TMP
vladmir21
post Jul 1 2009, 06:02 AM
Post #11
Well, uninstalled Nero, then used the 'Nero clean tool'. Reinstalled.
Did this a couple of times.

UltraISO was using the Nero API; when I uninstalled Nero, UltraISO used its own burning software to successfully burn the PS2 ISO to DVD.

Then after installing Nero again, it seems to be working fine, just burned a data DVD with it.

So, I think this thread can be locked, thanks again DaChew.
DaChew
post Jul 1 2009, 06:04 AM
Post #12


Visiting Alien
******

Group: BC Advisor
Posts: 9,354
Joined: 20-May 07
From: millenium falcon and rockytop
Member No.: 131,963



QUOTE
I haven't actually run the ATF cleaner, just set the options.


Malware floods temp files with its crud; I prefer an aggressive cleaning before scans for several reasons.

Post that latest MBAM log



--------------------
Chewy

vladmir21
post Jul 1 2009, 06:08 AM
Post #13


Member
**

Group: Members
Posts: 33
Joined: 8-May 09
Member No.: 329,745



QUOTE(DaChew @ Jul 1 2009, 06:04 AM) *
QUOTE
I haven't actually run the ATF cleaner, just set the options.


Malware floods temp files with its crud; I prefer an aggressive cleaning before scans for several reasons.

Post that latest MBAM log


OK, I will; I don't want to jump the gun in saying that this topic be locked, lol.
I have to go do some errands; I will post the log in a few hours.
A full scan or quick scan?
DaChew
post Jul 1 2009, 06:11 AM
Post #14


Visiting Alien
******

Group: BC Advisor
Posts: 9,354
Joined: 20-May 07
From: millenium falcon and rockytop
Member No.: 131,963



QUOTE
MBAM didn't find anything after updating definitions and doing a quick scan.


That log

We have a couple of other loose ends to tie up also



--------------------
Chewy

vladmir21
post Jul 1 2009, 07:57 AM
Post #15


Member
**

Group: Members
Posts: 33
Joined: 8-May 09
Member No.: 329,745



Hi DaChew, before I post that log, I also want to run a couple of things by you.
I came across this article below:
http://www.malwarebytes.org/forums/index.php?showtopic=12709
And in it the OP talks about:
QUOTE
Here is my quick fix guide to locating and killing the CLB driver(.sys) file that is underpinning the infection and blocking the cleanup tools from running.
.........
You will need to identify which is the CLB driver and here's how.

This is not as difficult as it appears because it will be 1 of (if not) the only file listed with a .sys extension.


It will also carry one of the following prefixes in its filename + random letters + .sys extension.


I suddenly remembered that in the RootRepeal scan I had come across files ending in .sys in red.

I will post the rootrepeal log below, and also show you a screenshot:
I have grouped them together based on whether they are 'hooked' or not.


Now the process called vsdatant.sys is probably the ZoneAlarm Firewall that I have.

This entry in the log:
QUOTE
Path: C:\AUTORUN.INF\zhengbo.
Status: Locked to the Windows API!
is from an application called UsbDisk Security; it's there to protect against malware installing autorun.inf files from or to any USB, so it's legit.

WHAT I AM WORRIED ABOUT IS THE SPCF.SYS IN RED IN THE PICTURE.

Also, check this out:

It keeps detecting this remnant, but when I try to wipe it, it comes up as not found.

Below is the rootrepeal log:
QUOTE
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/01 18:03
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF45BE000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A54000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP7354
Image Path: \Driver\PCI_PNP7354
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEB5A6000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spcf.sys
Image Path: spcf.sys
Address: 0xF72D0000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\AUTORUN.INF\zhengbo.
Status: Locked to the Windows API!

Path: c:\documents and settings\user\application data\utorrent\resume.dat
Status: Size mismatch (API: 139253, Raw: 139199)

Path: C:\Documents and Settings\user\Application Data\uTorrent\resume.dat.old
Status: Could not get file information (Error 0xc0000008)

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47e93bd

#: 041 Function Name: NtCreateKey
Status: Hooked by "spcf.sys" at address 0xf72d10e0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fcf30

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fce60

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spcf.sys" at address 0xf72efca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spcf.sys" at address 0xf72f0032

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fcfb0

#: 119 Function Name: NtOpenKey
Status: Hooked by "spcf.sys" at address 0xf72d10c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fc850

#: 160 Function Name: NtQueryKey
Status: Hooked by "spcf.sys" at address 0xf72f010a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spcf.sys" at address 0xf72eff8a

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fd120

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fd260

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fcd80

Stealth Objects
-------------------
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8433d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8433d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8433d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8433d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8433d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8433d1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x849f11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x849f11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x849f11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x849f11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x849f11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x849f11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x849f11f8 Size: 121

Hidden Services
-------------------
Service Name: gxvxcserv.sys
Image Path: C:\WINDOWS\system32\drivers\gxvxcrlxbnyltofjwxdpxyvbrfqnsrrirngxn.sys

==EOF==


Thanks for all your help so far!!!
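As an added example, not code from this thread or from RootRepeal itself, the Python script below parses a log in the format posted above and pulls out the three things a helper looks at first: which module hooks which SSDT entries, which loaded drivers have no on-disk image path, and which hidden service points at a file whose name is a long run of random-looking letters (the "prefix + random letters + .sys" pattern the quoted guide describes). The embedded log is a constructed subset of the one in this thread; the section headings, field names and the 16-letter threshold are assumptions about the format, not RootRepeal's own specification.

```python
import re
from collections import defaultdict

# Constructed excerpt of the RootRepeal log posted in this thread, embedded so the example runs offline.
SAMPLE_LOG = r"""Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEB5A6000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spcf.sys
Image Path: spcf.sys
Address: 0xF72D0000 Size: 1052672 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47e93bd

#: 041 Function Name: NtCreateKey
Status: Hooked by "spcf.sys" at address 0xf72d10e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spcf.sys" at address 0xf72efca4

Hidden Services
-------------------
Service Name: gxvxcserv.sys
Image Path: C:\WINDOWS\system32\drivers\gxvxcrlxbnyltofjwxdpxyvbrfqnsrrirngxn.sys

==EOF=="""

# Assumed section headings and line shapes, taken from the log format shown in the thread.
SECTION_RE = re.compile(r"^(Drivers|Hidden/Locked Files|SSDT|Stealth Objects|Hidden Services)\s*$")
FUNC_RE = re.compile(r"^#: \d+ Function Name: (\w+)", re.M)
HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
RANDOM_NAME_RE = re.compile(r"^[a-z]{16,}\.sys$", re.I)  # long run of letters, no digits or real words


def parse_rootrepeal(text):
    """Split the log into sections, each a list of blank-line-separated records (strings)."""
    sections, current, block = defaultdict(list), None, []

    def flush():
        if current and block:
            sections[current].append("\n".join(block))

    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            flush()
            current, block = m.group(1), []
        elif not line.strip():
            flush()
            block = []
        elif current and not line.startswith(("---", "==")):
            block.append(line)
    flush()
    return sections


def field(block, key):
    m = re.search(r"^" + re.escape(key) + r": (.*)$", block, re.M)
    return m.group(1).strip() if m else None


def ssdt_hooks_by_module(sections):
    """Which module hooks which SSDT entries, so a cluster of registry hooks stands out at a glance."""
    hooks = defaultdict(list)
    for block in sections.get("SSDT", []):
        f, h = FUNC_RE.search(block), HOOK_RE.search(block)
        if f and h:
            hooks[h.group(1)].append(f.group(1))
    return dict(hooks)


def pathless_drivers(sections):
    """Drivers whose Image Path is not a drive-letter path: no file on disk to hash or signature-check."""
    return [field(b, "Name") for b in sections.get("Drivers", [])
            if not DRIVE_PATH_RE.match(field(b, "Image Path") or "")]


def random_named_hidden_services(sections):
    """Hidden services whose driver file name is a long run of letters (the quoted guide's pattern)."""
    out = []
    for b in sections.get("Hidden Services", []):
        path = field(b, "Image Path") or ""
        if RANDOM_NAME_RE.match(path.rsplit("\\", 1)[-1]):
            out.append((field(b, "Service Name"), path))
    return out


if __name__ == "__main__":
    s = parse_rootrepeal(SAMPLE_LOG)
    print("SSDT hooks by module:", ssdt_hooks_by_module(s))
    print("Drivers with no on-disk path:", pathless_drivers(s))
    print("Hidden services with random-looking names:", random_named_hidden_services(s))
```

The output is a triage list for a human, not a verdict. SSDT hooks are placed by plenty of legitimate low-level software: the poster already attributes vsdatant.sys to the ZoneAlarm firewall, and the sptd driver together with the sp + two random letters .sys module it loads belong to the SPTD disc-emulation layer used by virtual-drive tools such as Daemon Tools and Alcohol 120%, which hooks exactly the registry functions listed in this log. A hidden service whose file is a long string of random letters in the drivers directory is a much stronger signal and is the entry a helper would ask about first. The same record parser already carries the Stealth Objects and Hidden/Locked Files sections, so grouping the "Hidden Code" entries by driver is one more regex on top of it.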