Superantispyware and Adware.Vundo Variant/Rel

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

If you have not received help after three days, please post a link to your topic HERE.

Page 1 of 1

You cannot start a new topic
This topic is locked

Superantispyware and Adware.Vundo Variant/Rel

#1 anna22

Member

Group: Members
Posts: 30
Joined: 16-November 09
Gender:Female
Location:California

Posted 16 November 2009 - 03:14 AM

Hi, I'm new here...this is my first post. I've spent a lot of time Googling and haven't been able to fix my problem, so here I am.

Superantispyware keeps telling me that I have Adware.Vundo Variant/Rel on my computer but it won't remove it, no matter how many times I scan and reboot.

Here is the log from my latest scan.
_____________________________________________________________________________

SUPERAntiSpyware Scan Log

http://www.superantispyware.com

Generated 11/15/2009 at 10:40 PM

Application Version : 4.25.1014

Core Rules Database Version : 4276
Trace Rules Database Version: 2154

Scan type : Quick Scan
Total Scan Time : 00:28:12

Memory items scanned : 428
Memory threats detected : 0
Registry items scanned : 426
Registry threats detected : 40
File items scanned : 2572
File threats detected : 0

Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Optimization
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ad.trg
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ad.trg#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ad.trg#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ad.trg#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\filehippo
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\filehippo#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\filehippo#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\filehippo#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\http://forums.majorgeeks.com/showthread.php%3Ft%3D74078
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\mgtools.exe
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\mgtools.exe#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\mgtools.exe#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\mgtools.exe#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ncis
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ncis#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ncis#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\ncis#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\sidereel
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\sidereel#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\sidereel#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\sidereel#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\super+antispyware+free+edition
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\super+antispyware+free+edition#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\super+antispyware+free+edition#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\super+antispyware+free+edition#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\the%2Bnumber%2Bone%2Bladies%2Bdetective%2Bagency
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tvshack
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tvshack#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tvshack#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\tvshack#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\watch+ncis%2C+probie+online
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\watch+ncis%2C+probie+online#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\watch+ncis%2C+probie+online#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\watch+ncis%2C+probie+online#LT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\yieldmanager
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\yieldmanager#LU
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\yieldmanager#CT
HKLM\SOFTWARE\Microsoft\MS Optimization\JKWL\yieldmanager#LT
____________________________________________________________________________

If anyone has suggestions that would be great. Thanks.

#2 garmanma

Computer Masochist

Group: Staff Emeritus
Posts: 27,809
Joined: 27-January 07
Location:Cleveland, Ohio

Posted 17 November 2009 - 10:23 PM

Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not install, try renaming it first.

Right-click on the mbam-setup.exe file file and rename it to mysetup.exe.
Double-click on mysetup.exe to start the installation.
If that did not work, then try renaming and changing the file extension. <- click this link if you do not see the file extension
Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
Then double-click on mysetup.scr (or whatever extension you renamed it) to begin installation.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.

Right-click on mbam.exe, rename it to myscan.exe.
Double-click on myscan.exe to launch the program.
If that did not work, then try renaming and change the .exe extension in the same way as noted above.
Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.

If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

Be sure to update MBAM through the program's interface (preferable method) or manually download the definition updates and just double-click on mbam-rules.exe to install. Then perform a Quick Scan in normal mode and check all items found for removal. Don't forgot to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the report in your next reply.

Note: MBAM uses Inno Setup instead of the Windows Installer Service to install the program. If installation fails in normal mode, try installing in safe mode. Doing this is usually not advised as MBAM is designed to be at full power when running in normal mode and loses some effectiveness for detection & removal when used in safe mode. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Therefore, after completing a scan it is recommended to uninstall MBAM, then reinstall it in normal mode and perform another Quick Scan.

------------------------------------

The process of cleaning your computer may require you to temporarily disable some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware Free version and save it to your desktop.

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

alternate download link 1
alternate download link 2

Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
---------------------------
Be sure to re-enable your AV and malware scan tools if they were disabled

=====================================

:thumbsup:

We Need to check for Rootkits with RootRepeal

Download RootRepeal from the following location and save it to your desktop.
- Direct Download (Recommended)
- Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
- Rar Mirrors - Only if you know what a RAR is and can extract it.
Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
Open on your desktop.
Click the tab.
Click the button.
Check all seven boxes:
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr

Mark

why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 anna22

Member

Group: Members
Posts: 30
Joined: 16-November 09
Gender:Female
Location:California

Posted 19 November 2009 - 05:30 PM

garmanma, thanks for your post. I've been using mbam for a while and have never had any problems. Its gotten rid of some things that superantispyware doesn't notice or notices but doesn't seem to get rid of. My last scan with malwarebytes (done today) did not show any problems.

Here is my report from RootRepeal

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/18 21:58
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 00000159
Image Path: \Driver\00000159
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5195000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8C3D000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF294C000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\$hf_mig$\{29F8DDC1-9487-49b8-B27E-3E0C3C1298FF}
Status: Locked to the Windows API!

Path: c:\windows\temp\04467d16-03c3-4abe-840d-529504c25b47.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\0603c38a-8c35-41d6-bcae-d980892320f8.tmp
Status: Allocation size mismatch (API: 49152, Raw: 0)

Path: c:\windows\temp\30b4c277-ac3f-4021-a050-e4b1a0fbe2f6.tmp
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: c:\windows\temp\c0ace011-06bf-4696-9cd0-51a417ac8fad.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\e495e388-dc47-482d-b0bd-48465b1f3b5a.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\ea2f14f8-8469-4046-8cb5-bfc5368713a6.tmp
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: c:\windows\temp\6ff69d24-8efd-493b-a082-5b40b2abc49e.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\598b8e2b-1508-4d95-a81f-58c0fbe77c1c.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\f2765ff5-31b2-4347-859c-94e730be46c7.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\f74e27b0-c4aa-467e-a00a-91191695220a.tmp
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\windows\temp\41eb89cb-e469-4c2b-bb45-ac54f2c6f072.tmp
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\windows\temp\4670f0ab-341a-4591-865e-1cbdbbcd665d.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\4b2c1bc9-b9ae-4365-bb68-c72ce6ad6834.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\9b8ceed2-f748-4ad4-b311-757eb7407901.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\windows\temp\9c9aef2e-28c5-400c-9dfd-59c088e5a122.tmp
Status: Allocation size mismatch (API: 0, Raw: 131072)

Path: c:\windows\temp\9d5d54f6-ef16-4b93-87c4-72292b61fba8.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\9f13faad-cd71-480d-b36e-6c5755c9146f.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\cb5538f9-ac1f-418f-88f1-e3fb1ee0c683.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\WINDOWS\temp\72f42fed-5372-4f7c-9a7d-d4c015f721e1.tmp
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "sptd.sys" at address 0xf85a2ac8

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf85a2c22

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf85a2f9a

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xf85a298e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf8a6a470

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf85a3064

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf85a2efc

#: 247 Function Name: NtSetValueKey
Status: Hooked by "sptd.sys" at address 0xf85a30ec

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf8a6a520

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf8a6a5c0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys" at address 0xf8a6a660

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8339f0e8 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CREATE]
Process: System Address: 0x82f74ca0 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CLOSE]
Process: System Address: 0x82f74ca0 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82f74ca0 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82f74ca0 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_POWER]
Process: System Address: 0x82f74ca0 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82f74ca0 Size: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_PNP]
Process: System Address: 0x82f74ca0 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x831b5eb0 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x831b5eb0 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x831b5eb0 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x831b5eb0 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x831b5eb0 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x831b5eb0 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x831b5eb0 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x831b5eb0 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x831b5eb0 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x831b5eb0 Size: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x831b5eb0 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_CREATE]
Process: System Address: 0x833a02d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_CLOSE]
Process: System Address: 0x833a02d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_READ]
Process: System Address: 0x833a02d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_WRITE]
Process: System Address: 0x833a02d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x833a02d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x833a02d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x833a02d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x833a02d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_POWER]
Process: System Address: 0x833a02d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x833a02d8 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_PNP]
Process: System Address: 0x833a02d8 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x833a0848 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x833a0848 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x833a0848 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x833a0848 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x833a0848 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x833a0848 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x833a0848 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x833a0848 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x833a0848 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x833a0848 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x833a0848 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x82ff50e8 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x82ff50e8 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82ff50e8 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82ff50e8 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x82ff50e8 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x82ff50e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLOSE]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_WRITE]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_EA]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_EA]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLEANUP]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_POWER]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82cac1e8 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8311da98 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ䵃慖, IRP_MJ_CREATE]
Process: System Address: 0x82d580e8 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ䵃慖, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x82d580e8 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ䵃慖, IRP_MJ_CLOSE]
Process: System Address: 0x82d580e8 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ䵃慖, IRP_MJ_READ]
Process: System Address: 0x82d580e8 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ䵃慖, IRP_MJ_WRITE]
Process: System Address: 0x82d580e8 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ䵃慖, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82d580e8 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ䵃慖, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82d580e8 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ䵃慖, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82d580e8 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ䵃慖, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82d580e8 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ䵃慖, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82d580e8 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ䵃慖, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82d580e8 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ䵃慖, IRP_MJ_CLEANUP]
Process: System Address: 0x82d580e8 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ䵃慖, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82d580e8 Size: 15

Object: Hidden Code [Driver: Npfsȅఆ䵃慖, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82d580e8 Size: 15

Object: Hidden Code [Driver: , IRP_MJ_CREATE]
Process: System Address: 0x83142768 Size: 15

Object: Hidden Code [Driver: , IRP_MJ_CLOSE]
Process: System Address: 0x83142768 Size: 15

Object: Hidden Code [Driver: , IRP_MJ_READ]
Process: System Address: 0x83142768 Size: 15

Object: Hidden Code [Driver: , IRP_MJ_WRITE]
Process: System Address: 0x83142768 Size: 15

Object: Hidden Code [Driver: , IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x83142768 Size: 15

Object: Hidden Code [Driver: , IRP_MJ_SET_INFORMATION]
Process: System Address: 0x83142768 Size: 15

Object: Hidden Code [Driver: , IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x83142768 Size: 15

Object: Hidden Code [Driver: , IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x83142768 Size: 15

Object: Hidden Code [Driver: , IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x83142768 Size: 15

Object: Hidden Code [Driver: , IRP_MJ_CLEANUP]
Process: System Address: 0x83142768 Size: 15

Object: Hidden Code [Driver: , IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x83142768 Size: 15

Object: Hidden Code [Driver: , IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x83142768 Size: 15

Object: Hidden Code [Driver: , IRP_MJ_SET_SECURITY]
Process: System Address: 0x83142768 Size: 15

Object: Hidden Code [Driver: Cdfsȅఄ浗灩MofResource, IRP_MJ_CREATE]
Process: System Address: 0x830ae0e8 Size: 15

Object: Hidden Code [Driver: Cdfsȅఄ浗灩MofResource, IRP_MJ_CLOSE]
Process: System Address: 0x830ae0e8 Size: 15

Object: Hidden Code [Driver: Cdfsȅఄ浗灩MofResource, IRP_MJ_READ]
Process: System Address: 0x830ae0e8 Size: 15

Object: Hidden Code [Driver: Cdfsȅఄ浗灩MofResource, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x830ae0e8 Size: 15

Object: Hidden Code [Driver: Cdfsȅఄ浗灩MofResource, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x830ae0e8 Size: 15

Object: Hidden Code [Driver: Cdfsȅఄ浗灩MofResource, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x830ae0e8 Size: 15

Object: Hidden Code [Driver: Cdfsȅఄ浗灩MofResource, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x830ae0e8 Size: 15

Object: Hidden Code [Driver: Cdfsȅఄ浗灩MofResource, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x830ae0e8 Size: 15

Object: Hidden Code [Driver: Cdfsȅఄ浗灩MofResource, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x830ae0e8 Size: 15

Object: Hidden Code [Driver: Cdfsȅఄ浗灩MofResource, IRP_MJ_SHUTDOWN]
Process: System Address: 0x830ae0e8 Size: 15

Object: Hidden Code [Driver: Cdfsȅఄ浗灩MofResource, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x830ae0e8 Size: 15

Object: Hidden Code [Driver: Cdfsȅఄ浗灩MofResource, IRP_MJ_CLEANUP]
Process: System Address: 0x830ae0e8 Size: 15

Object: Hidden Code [Driver: Cdfsȅఄ浗灩MofResource, IRP_MJ_PNP]
Process: System Address: 0x830ae0e8 Size: 15

==EOF==

Thanks.

#4 garmanma

Computer Masochist

Group: Staff Emeritus
Posts: 27,809
Joined: 27-January 07
Location:Cleveland, Ohio

Posted 19 November 2009 - 09:42 PM

Object: Hidden Code [Driver: Cdfsȅఄ浗灩MofResource, IRP_MJ_PNP]
Haven't seen this one in awhile

Now that you were successful in creating a Root Repeal log you need to post it in our HJT forum There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/topic34773.html

If it won't run, don't worry, just give a brief description and tell them that this log was all you could get to run successfully

Post here:
http://www.bleepingcomputer.com/forums/forum22.html

The HJT team is extremely busy, so be patient and good luck

Mark

#5 anna22

Member

Group: Members
Posts: 30
Joined: 16-November 09
Gender:Female
Location:California

Posted 20 November 2009 - 01:47 AM

garmanma,

I have hjt on my computer, should I run it and post the log in the other thread along with the rootrepeal log?

Thanks for all your advice and help.

#6 garmanma

Computer Masochist

Group: Staff Emeritus
Posts: 27,809
Joined: 27-January 07
Location:Cleveland, Ohio

Posted 20 November 2009 - 07:42 PM

If you cannot run the DDS scan in the instructions then yes you can use what you have

Mark

#7 Orange Blossom

OBleepin Investigator

Group: Moderator
Posts: 29,405
Joined: 14-July 06
Gender:Not Telling
Location:Bloomington, IN

Posted 21 November 2009 - 07:50 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/topic272879.html you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days, up to two weeks perhaps less, to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom
An ounce of prevention is worth a pound of cure
SuperAntiSpyware, SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript