Oh my GOD!! I think im infected with a ROOTKIT. PLS HELP!


26 replies to this topic

#1 vladmir21

vladmir21

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Local time:01:36 AM

Posted 30 June 2009 - 04:45 AM

Hi all,
Its making sense now.
A couple of weeks ago, i tried running a Hijackthis log just for fun, i have the latest TrendMicro version, and it simply wouldn't run.
I then tried to uninstall it, thinking that it must somehow have been corrupted, so i go into add-remove programs to remove it,
but it just stays there! the icon, that is.
I still didn't think anything of it, and i just let it go.
I thought that was weird, but i was so busy with my work and we are in the process of moving to a new home, that i didn't investigate further.

Then, i started to get problems with getting any CD or DVD to burn, i got errors from Nero, CDburnerXP, imgburn, Ashampoo etc.
Nero was telling me "you need admin rights to continue this operation" when i am the admin damnit, this is my computer!

Today, just a half hour before posting this, i tried to install DVD Decrypter.
When i proceeded to open it, check out the error.
Posted Image
I typed that error in, and this is what i found:
http://forum.imgburn.com/lofiversion/index.php/t9862.html

txnhockey
Jun 18 2009, 01:01 AM
Just to let you all know. I was getting the same problem.
Nothing could burn - Nero, CD BurnXP, etc

Ran AVG Rootkit, it found 2 hidden driver files and renamed them on reboot.
Ran Malwarebytes' Anti-Malware 1.38 and it found 26 infect files associated to the SKYNET Trojan.

Every program burns now, no problems.

Thank god ImgBurn actually has a useful console or I never would have known why my drive was not being seen
eSkRo
Jun 18 2009, 01:48 AM
looks like AVG Anti-Rootkit might be a winner!!!
LIGHTNING UK!
Jun 18 2009, 08:02 AM
That's weird too because it dates back to something like 2007!


HMM! i thought, no way, this could be a rootkit?! oh ****.
So, i install Malwarebytes Anti-malware, and guess what, IT DOESN'T RUN!!
It is not loading, what am i to do?
i double-click on it, and it just stays there, doing nothing.

Help me experts please!!! :thumbsup:


#2 vladmir21

Posted 30 June 2009 - 04:51 AM

btw, there is no AVG anti-rootkit download available anymore.
instead of a 460+KB file, it starts downloading the whole AVG software that's like 80MB.

#3 vladmir21


Posted 30 June 2009 - 05:17 AM

Oh now what's this?!!!

http://www.bleepingcomputer.com/forums/ind...mber+of+secrets

i was checking out searching the term in google.
A senior member had recommended to him a program called rootrepeal

I installed it and ran a scan for drivers, it found this.
Posted Image

Posted Image

I typed the beginning of that entry gxvxc as it was common to them all, and something about not being able to access gmail came up.
Now i do have a gmail account, but i only use my yahoo account.

well, as it turns out, MY GMAIL ACCOUNT DOESN'T WORK ANYMORE.
i simply cannot log in, even though i know the correct username and password.

WTF kind of a virus is this??????????????

What should i do in rootrepeal?
It has options to "force delete" etc. but i really don't want to self-medicate, you know what i mean.

#4 vladmir21


Posted 30 June 2009 - 05:20 AM

http://www.geekstogo.com/forum/Trojan-Prev...xc-t240772.html

that's exactly like my problem, the same gxvxc thing.
Even he says that suddenly "the burning programs stopped recognizing my DVD-R drive".

but while he can do the scan, i cannot.

#5 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:02:36 AM

Posted 30 June 2009 - 05:32 AM

http://www.malwarebytes.org/forums/index.php?showtopic=12709

Here's the original guide from back in March, take your time and follow the directions exactly
Chewy

No. Try not. Do... or do not. There is no try.

#6 vladmir21


Posted 30 June 2009 - 06:53 AM

thanks for the link, i will check it out.
till now i had booted in safe-mode. i clicked on malwarebytes antimalware, and it loaded.
so far so good.
THEN IN THE MIDDLE OF THE SCAN, MY LAPTOP JUST TOTALLY SHUT DOWN.
NOT GOOD AT ALL.
as i restarted, i got the chkdsk thing, it was checking the C: partition for consistency, and then booted normally.

Edited by vladmir21, 30 June 2009 - 06:53 AM.


#7 DaChew


Posted 30 June 2009 - 07:09 AM

You have to disable/wipe the rootkit driver with rootrepeal first

#8 vladmir21


Posted 30 June 2009 - 10:10 AM

hi DaChew, ok i deleted the entries found by rootrepeal, and the malwarebytes antimalware scanner ran fine.
let me post the log:
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

6/30/2009 7:45:57 PM
mbam-log-2009-06-30 (19-45-57).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 192084
Time elapsed: 32 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\system32\zeon98.dll (Adware.WinButler) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{8756274c-3440-4c8b-ba88-fb0bd100a071}\RP288\A0066053.rbf (Adware.WinButler) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\zeon98.dll (Adware.WinButler) -> Quarantined and deleted successfully.
c:\documents and settings\user\Local Settings\Temp\VideoTools.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gxvxclnbhwwarhfheqqfyhwefrtqfamcjkxgk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gxvxcmpqmdymtesffvilkbmvpijrmsgsxmkco.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Now hijackthis can also run successfully!!

please advise me which scanner i should run next, to make sure it's dead and gone.

Edited by vladmir21, 30 June 2009 - 10:11 AM.
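A parser for the MBAM log format posted above, added here as an example and not code from the thread or from Malwarebytes: it reconciles the declared summary counts with the entries actually listed (the log above declares 8 infected files but lists 6), extracts the Security Center DisableNotify values the scan reset, and tallies detections per family. The sample log is constructed from the entries in the post.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and cross-check it.

Added example, not part of the forum thread or of Malwarebytes' tooling.
SAMPLE_LOG is constructed from the entries in the post above.
"""
import re
from collections import OrderedDict

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 192084

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\WINDOWS\system32\zeon98.dll (Adware.WinButler) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{8756274c-3440-4c8b-ba88-fb0bd100a071}\RP288\A0066053.rbf (Adware.WinButler) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\zeon98.dll (Adware.WinButler) -> Quarantined and deleted successfully.
c:\documents and settings\user\Local Settings\Temp\VideoTools.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gxvxclnbhwwarhfheqqfyhwefrtqfamcjkxgk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\gxvxcmpqmdymtesffvilkbmvpijrmsgsxmkco.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Summary line: "<Section> Infected: <count>"; section header: "<Section> Infected:"
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
# Detection line: "<path> (<family>) -> <action>"
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
# Registry data items carry the tampered value before the action.
BAD_GOOD_RE = re.compile(r"^Bad: \((\w+)\) Good: \((\w+)\) -> (.+)$")


def parse_mbam_log(text):
    """Return (summary, sections): declared counts per section, and the
    parsed items per section as dicts with path/family/action (+bad/good)."""
    summary, sections, current = OrderedDict(), OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        if line.endswith("Infected:"):
            current = line[:-1]
            sections[current] = []
            continue
        if current is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if m:
            item = m.groupdict()
            bg = BAD_GOOD_RE.match(item["action"])
            if bg:
                item["bad"], item["good"], item["action"] = bg.groups()
            sections[current].append(item)
    return summary, sections


def reconcile(summary, sections):
    """Sections whose declared count differs from the number of items listed,
    as {section: (declared, listed)}; empty when the log is internally consistent."""
    return {name: (declared, len(sections.get(name, [])))
            for name, declared in summary.items()
            if declared != len(sections.get(name, []))}


def security_center_tampering(sections):
    """Security Center *DisableNotify values the scan found set to 1, i.e. the
    malware had silenced the AV/firewall/updates warnings."""
    return [item["path"].rsplit("\\", 1)[1]
            for item in sections.get("Registry Data Items Infected", [])
            if "\\Security Center\\" in item["path"] and item.get("bad") == "1"]


def by_family(sections):
    """Detection count per malware family across all sections."""
    counts = {}
    for items in sections.values():
        for item in items:
            counts[item["family"]] = counts.get(item["family"], 0) + 1
    return counts


if __name__ == "__main__":
    s, secs = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", reconcile(s, secs))
    print("security center tampering:", security_center_tampering(secs))
    print("per family:", by_family(secs))
```

A non-empty result from reconcile() is worth a second look: either lines were trimmed when the log was pasted, or the log should be re-pulled from the MBAM Logs tab before deciding the cleanup is complete.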


#9 DaChew


Posted 30 June 2009 - 12:43 PM

Update MBAM and run a quick scan

Also

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#10 vladmir21


Posted 01 July 2009 - 01:19 AM

MBAM didn't find anything after updating definitions and doing a quick scan.

I haven't actually run the ATF cleaner, just set the options.

here is the log of superantispyware, it's detected something called
Trojan.Unknown Origin
	HKU\.DEFAULT\Software\ColdWare
	HKU\S-1-5-18\Software\ColdWare

Trojan.Agent/Gen-MSFake
	C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\TMP53.TMP

Here is the full log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/01/2009 at 11:38 AM

Application Version : 4.26.1006

Core Rules Database Version : 3964
Trace Rules Database Version: 1905

Scan type : Complete Scan
Total Scan Time : 00:42:13

Memory items scanned : 211
Memory threats detected : 0
Registry items scanned : 4677
Registry threats detected : 2
File items scanned : 43808
File threats detected : 161

Adware.Tracking Cookie

Trojan.Unknown Origin
HKU\.DEFAULT\Software\ColdWare
HKU\S-1-5-18\Software\ColdWare

Trojan.Agent/Gen-MSFake
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\TMP53.TMP



#11 vladmir21


Posted 01 July 2009 - 06:02 AM

well, uninstalled Nero, then used the 'nero clean tool', reinstalled.
did this a couple of times.

UltraISO was using the Nero API, when i uninstalled Nero, UltraISO used its own burning software to successfully burn the PS2 ISO to DVD.

Then after installing Nero again, it seems to be working fine, just burned a data DVD with it.

So, i think this thread can be locked, thanks again DaChew.

#12 DaChew


Posted 01 July 2009 - 06:04 AM

> I haven't actually run the ATF cleaner, just set the options.


Malware floods temp files with its crud, I prefer an aggressive cleaning before scans for several reasons

Post that latest MBAM log

#13 vladmir21


Posted 01 July 2009 - 06:08 AM

> > I haven't actually run the ATF cleaner, just set the options.
>
> Malware floods temp files with its crud, I prefer an aggressive cleaning before scans for several reasons
>
> Post that latest MBAM log


Ok i will, i don't want to jump the gun in saying that this topic be locked, lol.
I have to go do some errands, i will post the log in a few hours.
a full scan or quick scan?

#14 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 01 July 2009 - 06:11 AM

MBAM didn't find anything after updating definitions and doing a quick scan.


That log

We have a couple of other loose ends to tie up also
Chewy

No. Try not. Do... or do not. There is no try.

#15 vladmir21

vladmir21
  • Topic Starter

  • Members
  • 38 posts

Posted 01 July 2009 - 07:57 AM

Hi DaChew, before I post that log, I also want to run a couple of things by you.
I came across this article below:
http://www.malwarebytes.org/forums/index.php?showtopic=12709
And in it the OP talks about:

Here is my quick fix guide to locating and killing the CLB driver (.sys) file that is underpinning the infection and blocking the cleanup tools from running.
.........
You will need to identify which is the CLB driver and here's how.

This is not as difficult as it appears because it will be 1 of (if not) the only file listed with a .sys extension.


It will also carry one of the following prefixes in its filename +random letters+ .sys extension.


I suddenly remembered in the RootRepeal scan that I had come across files ending in .sys in red.

I will post the RootRepeal log below, and also show you a screenshot:
I have grouped them together based on whether they are 'hooked' or not.
Posted Image

Now the process called vsdatant.sys is probably the ZoneAlarm firewall that I have.

This entry in the log:

Path: C:\AUTORUN.INF\zhengbo.
Status: Locked to the Windows API!

is from an application called UsbDisk Security; it's to protect against malware installing autorun.inf files from or to any USB, so it's legit.

WHAT I AM WORRIED ABOUT IS THE SPCF.SYS IN RED IN THE PICTURE.

Also, check this out:
Posted Image
It keeps detecting this remnant, but when I try to wipe it, it comes up not found.

Below is the RootRepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/01 18:03
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF45BE000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A54000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP7354
Image Path: \Driver\PCI_PNP7354
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEB5A6000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spcf.sys
Image Path: spcf.sys
Address: 0xF72D0000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\AUTORUN.INF\zhengbo.
Status: Locked to the Windows API!

Path: c:\documents and settings\user\application data\utorrent\resume.dat
Status: Size mismatch (API: 139253, Raw: 139199)

Path: C:\Documents and Settings\user\Application Data\uTorrent\resume.dat.old
Status: Could not get file information (Error 0xc0000008)

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47e93bd

#: 041 Function Name: NtCreateKey
Status: Hooked by "spcf.sys" at address 0xf72d10e0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fcf30

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fce60

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spcf.sys" at address 0xf72efca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spcf.sys" at address 0xf72f0032

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fcfb0

#: 119 Function Name: NtOpenKey
Status: Hooked by "spcf.sys" at address 0xf72d10c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fc850

#: 160 Function Name: NtQueryKey
Status: Hooked by "spcf.sys" at address 0xf72f010a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spcf.sys" at address 0xf72eff8a

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fd120

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fd260

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fcd80

Stealth Objects
-------------------
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8433d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8433d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8433d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8433d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8433d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8433d1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x849f11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x849f11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x849f11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x849f11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x849f11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x849f11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x849f11f8 Size: 121

Hidden Services
-------------------
Service Name: gxvxcserv.sys
Image Path: C:\WINDOWS\system32\drivers\gxvxcrlxbnyltofjwxdpxyvbrfqnsrrirngxn.sys

==EOF==


Thanks for all your help so far!!!
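A small triage helper for logs in the RootRepeal layout shown above, added here as an example and not code from the thread or from RootRepeal itself. It groups SSDT hooks by the module RootRepeal names, flags loaded drivers listed with only a bare image path (as spcf.sys is), and lists hidden services; the excerpt it parses is constructed from entries in this post, and the minimum-length heuristic for random-looking driver names is an assumption drawn from the quoted guide's "prefix + random letters + .sys" description.

```python
"""Triage a RootRepeal log: SSDT hooks per module, drivers with a bare image
path, and hidden services with random-looking names (added example)."""
import re
from collections import defaultdict

# Constructed excerpt in RootRepeal's own layout, cut down from the log above.
SAMPLE_LOG = r"""Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Name: spcf.sys
Image Path: spcf.sys

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spcf.sys" at address 0xf72d10e0
#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fcf30
#: 119 Function Name: NtOpenKey
Status: Hooked by "spcf.sys" at address 0xf72d10c0

Hidden Services
-------------------
Service Name: gxvxcserv.sys
Image Path: C:\WINDOWS\system32\drivers\gxvxcrlxbnyltofjwxdpxyvbrfqnsrrirngxn.sys
"""

def ssdt_hooks_by_module(log):
    """Map each hooking module (as RootRepeal prints it) to the Nt* entries it hooks."""
    hooks = defaultdict(list)
    for func, module in re.findall(r'Function Name: (\w+)\s+Status: Hooked by "([^"]+)"', log):
        hooks[module].append(func)
    return dict(hooks)

def drivers_without_full_path(log):
    """Loaded drivers whose Image Path has no directory at all, like spcf.sys above."""
    return [name for name, path in re.findall(r'(?m)^Name: (\S+)\nImage Path: (.+)$', log)
            if '\\' not in path]

def hidden_services(log):
    """(service name, image path) pairs from the Hidden Services section."""
    return re.findall(r'(?m)^Service Name: (\S+)\nImage Path: (.+)$', log)

def looks_random(path, min_len=20):
    """Assumed heuristic: a long, letters-only stem before .sys is worth questioning."""
    stem = re.sub(r'\.sys$', '', path.rsplit('\\', 1)[-1].lower())
    return len(stem) >= min_len and stem.isalpha()
```

Run the three functions over a full log to get a short list of modules to research (vendor driver or not) instead of reading every hook line by hand.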



