Infected with MSIVXcount


5 replies to this topic

#1 MSIVX

MSIVX

  • Members
  • 7 posts

Posted 21 June 2009 - 02:19 PM

It's story time kids :thumbsup:

Yesterday I was browsing the web and then my computer froze for the first time ever, so I restarted it and noticed the Norton icon was not appearing in the task bar. I tried to find out what was going on and eventually found out how to reinstall Norton Antivirus 2009, with some trouble, because I noticed that my browser (Internet Explorer 8) was redirecting me to bogus links and not connecting at all when I went to a lot of the security websites. After I installed Norton 2009 I restarted and everything seemed normal; the Norton icon was back on the task bar, but the thing is, it's not actually working. Norton shuts down after 10 minutes, the advanced protection shuts down and I can't fix it. I realized my computer was infected, I read some guides online for people that had similar problems and I installed Malwarebytes Anti-Malware (which I had to rename the .exe for it to start). I did a full system scan; it found 12 security risks. I deleted all of them but one remaining in C:\WINDOWS\system32\MSIVXcount, and it said I had to restart the computer to get rid of it, but after I restart it's still there. So my question is, how do I remove this?

Symptoms:
-When I try to do a System Restore and press Next to begin the restoration, nothing happens.
-Problems connecting to many security sites.
-Can't run anti-malware programs unless I rename the .exe that starts them.
-The computer froze a few more times after I got infected.

Help me remove this please.

Edited by MSIVX, 21 June 2009 - 02:23 PM.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 June 2009 - 02:30 PM

Hello and welcome.
Next, please install RootRepeal.

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-Zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, then click on Scan. A window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again, and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 MSIVX

MSIVX
  • Topic Starter

  • Members
  • 7 posts

Posted 21 June 2009 - 02:45 PM

ROOTREPEAL (c) AD, 2007-2009

==================================================

Scan Time:			2008/12/31 15:40

Program Version:		Version 1.3.0.0

Windows Version:		Windows XP SP3

==================================================



Drivers

-------------------

Name: 00000047

Image Path: \Driver\00000047

Address: 0x00000000	Size: 0	File Visible: No	Signed: -

Status: -



Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xB5EB5000	Size: 98304	File Visible: No	Signed: -

Status: -



Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xBADF4000	Size: 8192	File Visible: No	Signed: -

Status: -



Name: MSIVXwtrjfnhcnufhmcmelsxkbkumkrqpekka.sys

Image Path: C:\WINDOWS\system32\drivers\MSIVXwtrjfnhcnufhmcmelsxkbkumkrqpekka.sys

Address: 0xB6322000	Size: 184320	File Visible: -	Signed: -

Status: Hidden from Windows API!



Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xB4BB4000	Size: 49152	File Visible: No	Signed: -

Status: -



Name: SYMEFA.SYS

Image Path: SYMEFA.SYS

Address: 0xBA5A1000	Size: 323584	File Visible: No	Signed: -

Status: -



Name: ygkwoe.sys

Image Path: ygkwoe.sys

Address: 0xBA8A8000	Size: 61440	File Visible: No	Signed: -

Status: -



Hidden/Locked Files

-------------------

Path: C:\Avenger\MSIVXcount

Status: Invisible to the Windows API!



Path: C:\Avenger\MSIVXcount-ren-145

Status: Invisible to the Windows API!



Path: C:\WINDOWS\system32\MSIVXcount

Status: Invisible to the Windows API!



Path: C:\WINDOWS\system32\MSIVXkdpqlwewvpvcadaxtkaatlvbukstnruw.dll

Status: Invisible to the Windows API!



Path: C:\WINDOWS\system32\MSIVXobptwjfeburjrtmlxmdirgbwytbjllns.dll

Status: Invisible to the Windows API!



Path: C:\WINDOWS\system32\drivers\MSIVXwtrjfnhcnufhmcmelsxkbkumkrqpekka.sys

Status: Invisible to the Windows API!



Path: c:\documents and settings\administrator\local settings\temp\etilqs_gqrrf17m7g8hzkos3mek

Status: Allocation size mismatch (API: 32768, Raw: 0)



Path: c:\documents and settings\administrator\local settings\application data\mozilla\firefox\profiles\4pyjityf.default\cache\_cache_map_

Status: Allocation size mismatch (API: 280, Raw: 0)



SSDT

-------------------

#: 031	Function Name: NtConnectPort

Status: Hooked by "<unknown>" at address 0x89cad498



#: 041	Function Name: NtCreateKey

Status: Hooked by "sptd.sys" at address 0xba6dbc04



#: 053	Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0x898a8130



#: 071	Function Name: NtEnumerateKey

Status: Hooked by "sptd.sys" at address 0xba6dbd48



#: 073	Function Name: NtEnumerateValueKey

Status: Hooked by "sptd.sys" at address 0xba6dc0c0



#: 097	Function Name: NtLoadDriver

Status: Hooked by "<unknown>" at address 0x89c8c8e8



#: 119	Function Name: NtOpenKey

Status: Hooked by "sptd.sys" at address 0xba6dbae2



#: 160	Function Name: NtQueryKey

Status: Hooked by "sptd.sys" at address 0xba6dc18a



#: 177	Function Name: NtQueryValueKey

Status: Hooked by "sptd.sys" at address 0xba6dc022



#: 206	Function Name: NtResumeThread

Status: Hooked by "<unknown>" at address 0x89ad4db8



#: 247	Function Name: NtSetValueKey

Status: Hooked by "sptd.sys" at address 0xba6dc212



Stealth Objects

-------------------

Object: Hidden Module [Name: MSIVXkdpqlwewvpvcadaxtkaatlvbukstnruw.dll]

Process: svchost.exe (PID: 1384)	Address: 0x10000000	Size: 61440



Object: Hidden Module [Name: MSIVXobptwjfeburjrtmlxmdirgbwytbjllns.dll]

Process: firefox.exe (PID: 4080)	Address: 0x10000000	Size: 241664



Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]

Process: System	Address: 0x89e4feb0	Size: 15



Object: Hidden Code [Driver: Disk, IRP_MJ_CREATE]

Process: System	Address: 0x89e4f0e8	Size: 15



Object: Hidden Code [Driver: Disk, IRP_MJ_CLOSE]

Process: System	Address: 0x89e4f0e8	Size: 15



Object: Hidden Code [Driver: Disk, IRP_MJ_READ]

Process: System	Address: 0x89e4f0e8	Size: 15



Object: Hidden Code [Driver: Disk, IRP_MJ_WRITE]

Process: System	Address: 0x89e4f0e8	Size: 15



Object: Hidden Code [Driver: Disk, IRP_MJ_FLUSH_BUFFERS]

Process: System	Address: 0x89e4f0e8	Size: 15



Object: Hidden Code [Driver: Disk, IRP_MJ_DEVICE_CONTROL]

Process: System	Address: 0x89e4f0e8	Size: 15



Object: Hidden Code [Driver: Disk, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System	Address: 0x89e4f0e8	Size: 15



Object: Hidden Code [Driver: Disk, IRP_MJ_SHUTDOWN]

Process: System	Address: 0x89e4f0e8	Size: 15



Object: Hidden Code [Driver: Disk, IRP_MJ_POWER]

Process: System	Address: 0x89e4f0e8	Size: 15



Object: Hidden Code [Driver: Disk, IRP_MJ_SYSTEM_CONTROL]

Process: System	Address: 0x89e4f0e8	Size: 15



Object: Hidden Code [Driver: Disk, IRP_MJ_PNP]

Process: System	Address: 0x89e4f0e8	Size: 15



Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]

Process: System	Address: 0x89bbede0	Size: 15



Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]

Process: System	Address: 0x89bbede0	Size: 15



Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]

Process: System	Address: 0x89bbede0	Size: 15



Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]

Process: System	Address: 0x89bbede0	Size: 15



Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]

Process: System	Address: 0x89bbede0	Size: 15



Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]

Process: System	Address: 0x89bbede0	Size: 15



Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System	Address: 0x89bbede0	Size: 15



Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]

Process: System	Address: 0x89bbede0	Size: 15



Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]

Process: System	Address: 0x89bbede0	Size: 15



Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]

Process: System	Address: 0x89bbede0	Size: 15



Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]

Process: System	Address: 0x89bbede0	Size: 15



Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]

Process: System	Address: 0x89e01748	Size: 15



Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]

Process: System	Address: 0x89e01748	Size: 15



Object: Hidden Code [Driver: dmio, IRP_MJ_READ]

Process: System	Address: 0x89e01748	Size: 15



Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]

Process: System	Address: 0x89e01748	Size: 15



Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]

Process: System	Address: 0x89e01748	Size: 15



Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]

Process: System	Address: 0x89e01748	Size: 15



Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System	Address: 0x89e01748	Size: 15



Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]

Process: System	Address: 0x89e01748	Size: 15



Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]

Process: System	Address: 0x89e01748	Size: 15



Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]

Process: System	Address: 0x89e01748	Size: 15



Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]

Process: System	Address: 0x89e01748	Size: 15



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]

Process: System	Address: 0x89e01a00	Size: 15



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]

Process: System	Address: 0x89e01a00	Size: 15



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]

Process: System	Address: 0x89e01a00	Size: 15



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]

Process: System	Address: 0x89e01a00	Size: 15



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]

Process: System	Address: 0x89e01a00	Size: 15



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System	Address: 0x89e01a00	Size: 15



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]

Process: System	Address: 0x89e01a00	Size: 15



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]

Process: System	Address: 0x89e01a00	Size: 15



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]

Process: System	Address: 0x89e01a00	Size: 15



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]

Process: System	Address: 0x89e01a00	Size: 15



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]

Process: System	Address: 0x89e01a00	Size: 15



Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]

Process: System	Address: 0x89a8eae0	Size: 15



Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]

Process: System	Address: 0x89a8eae0	Size: 15



Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]

Process: System	Address: 0x89a8eae0	Size: 15



Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System	Address: 0x89a8eae0	Size: 15



Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]

Process: System	Address: 0x89a8eae0	Size: 15



Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]

Process: System	Address: 0x89a8eae0	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_NAMED_PIPE]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLOSE]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_WRITE]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_INFORMATION]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_INFORMATION]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_EA]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_EA]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_FLUSH_BUFFERS]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_DIRECTORY_CONTROL]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CONTROL]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_SHUTDOWN]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_LOCK_CONTROL]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLEANUP]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_MAILSLOT]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_SECURITY]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_SECURITY]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_POWER]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_SYSTEM_CONTROL]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CHANGE]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_QUOTA]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_QUOTA]

Process: System	Address: 0x898c90e8	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]

Process: System	Address: 0x89b18978	Size: 15



Object: Hidden Code [Driver: Npfsȅ䵆湦ﭘȂఄ䵃‷ᖈ㧈, IRP_MJ_CREATE]

Process: System	Address: 0x89acc400	Size: 15



Object: Hidden Code [Driver: Npfsȅ䵆湦ﭘȂఄ䵃‷ᖈ㧈, IRP_MJ_CREATE_NAMED_PIPE]

Process: System	Address: 0x89acc400	Size: 15



Object: Hidden Code [Driver: Npfsȅ䵆湦ﭘȂఄ䵃‷ᖈ㧈, IRP_MJ_CLOSE]

Process: System	Address: 0x89acc400	Size: 15



Object: Hidden Code [Driver: Npfsȅ䵆湦ﭘȂఄ䵃‷ᖈ㧈, IRP_MJ_READ]

Process: System	Address: 0x89acc400	Size: 15



Object: Hidden Code [Driver: Npfsȅ䵆湦ﭘȂఄ䵃‷ᖈ㧈, IRP_MJ_WRITE]

Process: System	Address: 0x89acc400	Size: 15



Object: Hidden Code [Driver: Npfsȅ䵆湦ﭘȂఄ䵃‷ᖈ㧈, IRP_MJ_QUERY_INFORMATION]

Process: System	Address: 0x89acc400	Size: 15



Object: Hidden Code [Driver: Npfsȅ䵆湦ﭘȂఄ䵃‷ᖈ㧈, IRP_MJ_SET_INFORMATION]

Process: System	Address: 0x89acc400	Size: 15



Object: Hidden Code [Driver: Npfsȅ䵆湦ﭘȂఄ䵃‷ᖈ㧈, IRP_MJ_FLUSH_BUFFERS]

Process: System	Address: 0x89acc400	Size: 15



Object: Hidden Code [Driver: Npfsȅ䵆湦ﭘȂఄ䵃‷ᖈ㧈, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System	Address: 0x89acc400	Size: 15



Object: Hidden Code [Driver: Npfsȅ䵆湦ﭘȂఄ䵃‷ᖈ㧈, IRP_MJ_DIRECTORY_CONTROL]

Process: System	Address: 0x89acc400	Size: 15



Object: Hidden Code [Driver: Npfsȅ䵆湦ﭘȂఄ䵃‷ᖈ㧈, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System	Address: 0x89acc400	Size: 15



Object: Hidden Code [Driver: Npfsȅ䵆湦ﭘȂఄ䵃‷ᖈ㧈, IRP_MJ_CLEANUP]

Process: System	Address: 0x89acc400	Size: 15



Object: Hidden Code [Driver: Npfsȅ䵆湦ﭘȂఄ䵃‷ᖈ㧈, IRP_MJ_QUERY_SECURITY]

Process: System	Address: 0x89acc400	Size: 15



Object: Hidden Code [Driver: Npfsȅ䵆湦ﭘȂఄ䵃‷ᖈ㧈, IRP_MJ_SET_SECURITY]

Process: System	Address: 0x89acc400	Size: 15



Object: Hidden Code [Driver: Msfsȅఆ剒敬矠, IRP_MJ_CREATE]

Process: System	Address: 0x89b090e8	Size: 15



Object: Hidden Code [Driver: Msfsȅఆ剒敬矠, IRP_MJ_CLOSE]

Process: System	Address: 0x89b090e8	Size: 15



Object: Hidden Code [Driver: Msfsȅఆ剒敬矠, IRP_MJ_READ]

Process: System	Address: 0x89b090e8	Size: 15



Object: Hidden Code [Driver: Msfsȅఆ剒敬矠, IRP_MJ_WRITE]

Process: System	Address: 0x89b090e8	Size: 15



Object: Hidden Code [Driver: Msfsȅఆ剒敬矠, IRP_MJ_QUERY_INFORMATION]

Process: System	Address: 0x89b090e8	Size: 15



Object: Hidden Code [Driver: Msfsȅఆ剒敬矠, IRP_MJ_SET_INFORMATION]

Process: System	Address: 0x89b090e8	Size: 15



Object: Hidden Code [Driver: Msfsȅఆ剒敬矠, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System	Address: 0x89b090e8	Size: 15



Object: Hidden Code [Driver: Msfsȅఆ剒敬矠, IRP_MJ_DIRECTORY_CONTROL]

Process: System	Address: 0x89b090e8	Size: 15



Object: Hidden Code [Driver: Msfsȅఆ剒敬矠, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System	Address: 0x89b090e8	Size: 15



Object: Hidden Code [Driver: Msfsȅఆ剒敬矠, IRP_MJ_CLEANUP]

Process: System	Address: 0x89b090e8	Size: 15



Object: Hidden Code [Driver: Msfsȅఆ剒敬矠, IRP_MJ_CREATE_MAILSLOT]

Process: System	Address: 0x89b090e8	Size: 15



Object: Hidden Code [Driver: Msfsȅఆ剒敬矠, IRP_MJ_QUERY_SECURITY]

Process: System	Address: 0x89b090e8	Size: 15



Object: Hidden Code [Driver: Msfsȅఆ剒敬矠, IRP_MJ_SET_SECURITY]

Process: System	Address: 0x89b090e8	Size: 15



Object: Hidden Code [Driver: Cdfsࠅఞ奓䅓, IRP_MJ_CREATE]

Process: System	Address: 0x898bf830	Size: 15



Object: Hidden Code [Driver: Cdfsࠅఞ奓䅓, IRP_MJ_CLOSE]

Process: System	Address: 0x898bf830	Size: 15



Object: Hidden Code [Driver: Cdfsࠅఞ奓䅓, IRP_MJ_READ]

Process: System	Address: 0x898bf830	Size: 15



Object: Hidden Code [Driver: Cdfsࠅఞ奓䅓, IRP_MJ_QUERY_INFORMATION]

Process: System	Address: 0x898bf830	Size: 15



Object: Hidden Code [Driver: Cdfsࠅఞ奓䅓, IRP_MJ_SET_INFORMATION]

Process: System	Address: 0x898bf830	Size: 15



Object: Hidden Code [Driver: Cdfsࠅఞ奓䅓, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System	Address: 0x898bf830	Size: 15



Object: Hidden Code [Driver: Cdfsࠅఞ奓䅓, IRP_MJ_DIRECTORY_CONTROL]

Process: System	Address: 0x898bf830	Size: 15



Object: Hidden Code [Driver: Cdfsࠅఞ奓䅓, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System	Address: 0x898bf830	Size: 15



Object: Hidden Code [Driver: Cdfsࠅఞ奓䅓, IRP_MJ_DEVICE_CONTROL]

Process: System	Address: 0x898bf830	Size: 15



Object: Hidden Code [Driver: Cdfsࠅఞ奓䅓, IRP_MJ_SHUTDOWN]

Process: System	Address: 0x898bf830	Size: 15



Object: Hidden Code [Driver: Cdfsࠅఞ奓䅓, IRP_MJ_LOCK_CONTROL]

Process: System	Address: 0x898bf830	Size: 15



Object: Hidden Code [Driver: Cdfsࠅఞ奓䅓, IRP_MJ_CLEANUP]

Process: System	Address: 0x898bf830	Size: 15



Object: Hidden Code [Driver: Cdfsࠅఞ奓䅓, IRP_MJ_PNP]

Process: System	Address: 0x898bf830	Size: 15



Hidden Services

-------------------

Service Name: MSIVXserv.sys

Image Path: C:\WINDOWS\system32\drivers\MSIVXwtrjfnhcnufhmcmelsxkbkumkrqpekka.sys



==EOF==
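The report above shows the same infection from five angles: a driver "Hidden from Windows API!", six paths "Invisible to the Windows API!", SSDT hooks owned by "<unknown>" (the sptd.sys hooks on the registry functions are the Daemon Tools / Alcohol 120% SCSI pass-through driver and are expected), two hidden modules injected into svchost.exe and firefox.exe, patched IRP dispatch code in every storage and file-system driver, and a hidden service pointing at the hidden driver. The following Python script is an added example, not RootRepeal's own code and not a BleepingComputer procedure: it parses a RootRepeal report, pulls those findings into one structure, derives the common name prefix the rootkit used for every dropped file (MSIVX in the posted log), and builds the list of paths a responder would wipe with a tool that bypasses the hooked file API, which is what the next reply does by hand. Assumptions that are this example's own: the allow-list KNOWN_BENIGN_HOOKERS, the acceptance of two-or-more spaces as a field separator in place of RootRepeal's tabs (copy-pasted logs often lose them), and the constructed SAMPLE_LOG excerpt, which is modelled on the report above but is not the full log.

```python
"""Triage a RootRepeal report: pull out the entries a responder acts on.

Added example; not RootRepeal's own code. The benign-hooker allow-list and
the sample excerpt are this example's assumptions, not tool output.
"""
import ntpath
import os
import re

# Drivers known to hook registry-related SSDT entries for legitimate reasons.
# sptd.sys is the SCSI pass-through driver shipped with Daemon Tools / Alcohol 120%.
# (Assumption: this allow-list is the example's own, not something RootRepeal ships.)
KNOWN_BENIGN_HOOKERS = {"sptd.sys"}

# Constructed excerpt modelled on the report posted in this thread. RootRepeal
# separates fields on one line with tabs; two spaces are used here instead.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Time:  2008/12/31 15:40
Program Version:  Version 1.3.0.0
Windows Version:  Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB5EB5000  Size: 98304  File Visible: No  Signed: -
Status: -

Name: MSIVXwtrjfnhcnufhmcmelsxkbkumkrqpekka.sys
Image Path: C:\WINDOWS\system32\drivers\MSIVXwtrjfnhcnufhmcmelsxkbkumkrqpekka.sys
Address: 0xB6322000  Size: 184320  File Visible: -  Signed: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\MSIVXcount
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\MSIVXkdpqlwewvpvcadaxtkaatlvbukstnruw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\MSIVXwtrjfnhcnufhmcmelsxkbkumkrqpekka.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\administrator\local settings\temp\etilqs_gqrrf17m7g8hzkos3mek
Status: Allocation size mismatch (API: 32768, Raw: 0)

SSDT
-------------------
#: 031  Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x89cad498

#: 041  Function Name: NtCreateKey
Status: Hooked by "sptd.sys" at address 0xba6dbc04

#: 097  Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x89c8c8e8

Stealth Objects
-------------------
Object: Hidden Module [Name: MSIVXkdpqlwewvpvcadaxtkaatlvbukstnruw.dll]
Process: svchost.exe (PID: 1384)  Address: 0x10000000  Size: 61440

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System  Address: 0x89e4feb0  Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System  Address: 0x89e4feb0  Size: 15

Hidden Services
-------------------
Service Name: MSIVXserv.sys
Image Path: C:\WINDOWS\system32\drivers\MSIVXwtrjfnhcnufhmcmelsxkbkumkrqpekka.sys

==EOF==
"""

FIELD_SEP = re.compile(r"\t| {2,}")          # tab-separated, or tabs flattened to spaces
HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
MODULE_RE = re.compile(r"Hidden Module \[Name: (.+)\]")
CODE_RE = re.compile(r"Hidden Code \[Driver: (.+?), (IRP_MJ_\w+)\]")


def parse_report(text):
    """Return {section: [entry, ...]}; an entry is a dict of the 'Key: value' fields."""
    sections, current, entry = {}, None, {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(("---", "==")):      # rules, banner borders, ==EOF==
            continue
        if not line.strip():                     # a blank line ends an entry
            if current and entry:
                sections[current].append(entry)
            entry = {}
            continue
        is_header = ":" not in line and i + 1 < len(lines) and lines[i + 1].startswith("---")
        if is_header:
            if current and entry:
                sections[current].append(entry)
            current, entry = line.strip(), {}
            sections[current] = []
            continue
        if current is None:                      # report banner (scan time, versions)
            continue
        for field in FIELD_SEP.split(line):
            key, _, value = field.partition(":")
            if key.strip():
                entry[key.strip()] = value.strip()
    if current and entry:
        sections[current].append(entry)
    return sections


def triage(text):
    """Reduce a report to what matters: what is hidden, and who hooks what."""
    r = parse_report(text)
    found = {
        "hidden_drivers": [(e["Name"], e.get("Image Path", ""))
                           for e in r.get("Drivers", []) if "hidden" in e.get("Status", "").lower()],
        # 'Invisible to the Windows API' is the rootkit's file filter at work. An
        # 'Allocation size mismatch' on temp/cache files is usually a file that was
        # open for writing during the scan, so it is not counted as hidden here.
        "hidden_files": [e["Path"] for e in r.get("Hidden/Locked Files", [])
                         if "invisible" in e.get("Status", "").lower()],
        "unknown_ssdt_hooks": [],
        "hidden_modules": [],
        "irp_hooked_drivers": {},
        "hidden_services": [(e["Service Name"], e.get("Image Path", ""))
                            for e in r.get("Hidden Services", [])],
    }
    for e in r.get("SSDT", []):
        m = HOOK_RE.search(e.get("Status", ""))
        if m and m.group(1).lower() not in KNOWN_BENIGN_HOOKERS:
            found["unknown_ssdt_hooks"].append((e["Function Name"], m.group(1), m.group(2)))
    for e in r.get("Stealth Objects", []):
        obj = e.get("Object", "")
        m = MODULE_RE.match(obj)
        if m:
            found["hidden_modules"].append((m.group(1), e.get("Process", "")))
            continue
        m = CODE_RE.match(obj)
        if m:
            # The report repeats one patched address per driver for every IRP_MJ_*
            # line, so collapse the per-IRP entries to driver -> {addresses}.
            found["irp_hooked_drivers"].setdefault(m.group(1), set()).add(e.get("Address", ""))
    names = ([ntpath.basename(p) for p in found["hidden_files"]]
             + [n for n, _ in found["hidden_drivers"]]
             + [n for n, _ in found["hidden_modules"]]
             + [n for n, _ in found["hidden_services"]])
    # Every dropped file in the posted log shares one prefix; make that explicit.
    found["artifact_prefix"] = os.path.commonprefix(names) if names else ""
    return found


def wipe_list(findings):
    """Paths to wipe with a tool that bypasses the hooked file API (the thread's next step)."""
    paths = set(findings["hidden_files"])
    paths.update(p for _, p in findings["hidden_drivers"] if p)
    paths.update(p for _, p in findings["hidden_services"] if p)
    return sorted(paths)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("wipe:", *wipe_list(result), sep="\n  ")
```

Run against the sample, the script reports the hidden driver, the three MSIVX paths, the two "<unknown>" SSDT hooks (NtConnectPort and NtLoadDriver, with sptd.sys filtered out), the module hidden inside svchost.exe, Ntfs as an IRP-hooked driver with a single patched address, the hidden service, the prefix MSIVX, and a three-entry wipe list. The wipe list is only the on-disk side of the cleanup; the reboot that follows is what unloads the hidden driver and drops its hooks, which is why the next reply insists on rebooting immediately and rescanning.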


#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 June 2009 - 03:08 PM

Now the next step...

Rerun RootRepeal. After the scan completes, go to the Files tab and find these files:

C:\Avenger\MSIVXcount
C:\Avenger\MSIVXcount-ren-145
C:\WINDOWS\system32\MSIVXcount
C:\WINDOWS\system32\MSIVXkdpqlwewvpvcadaxtkaatlvbukstnruw.dll
C:\WINDOWS\system32\MSIVXobptwjfeburjrtmlxmdirgbwytbjllns.dll
C:\WINDOWS\system32\drivers\MSIVXwtrjfnhcnufhmcmelsxkbkumkrqpekka.sys


Then use your mouse to highlight them in the RootRepeal window.
Next, right-click on them and select the *wipe file* option only.
Then immediately reboot the computer.


Rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, then select Check for Updates. When done,
click the Scanner tab, select Full scan and scan.
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.

#5 MSIVX

MSIVX
  • Topic Starter

  • Members
  • 7 posts

Posted 21 June 2009 - 03:27 PM

Thank you, the problem is fixed. I used RootRepeal and wiped those files like you said.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 June 2009 - 03:46 PM

MBAM was clean too?



