Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan.Agent


  • Please log in to reply
9 replies to this topic

#1 iTrac

iTrac

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 02 July 2009 - 03:37 PM

it seems like i always get pop ups when i'm surfing the web. it happened a couple days ago when my cousin accidently installed somekind of file. i cant seem to run any anti-virus or spyware afterward. i managed to get around that and ran MBAM. after deleting everything possible, i still end up with this trojan.agent time after times even though it says delete after reboot, its still there. heres my log of MBAM

Malwarebytes' Anti-Malware 1.38
Database version: 2348
Windows 5.1.2600 Service Pack 2

7/2/2009 01:29:48 PM
mbam-log-2009-07-02 (13-29-48).txt

Scan type: Quick Scan
Objects scanned: 114241
Time elapsed: 14 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot.
---------------------------------------------------------------------------------------------------------------------
THIS IS MY ROOTREPEAL report

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/02 13:41
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xBA908000 Size: 53248 File Visible: - Signed: -
Status: -

Name: a05r0w64.SYS
Image Path: C:\WINDOWS\System32\Drivers\a05r0w64.SYS
Address: 0xB9276000 Size: 225280 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xBA661000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2062976 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xB698F000 Size: 138368 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xBA619000 Size: 98304 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0x00000000 Size: 0 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xBAF6D000 Size: 3072 File Visible: - Signed: -
Status: -

Name: bcm4sbxp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
Address: 0xBA968000 Size: 65536 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xBAE24000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xBACB8000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xB9C73000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xBA948000 Size: 62592 File Visible: - Signed: -
Status: -

Name: cercsr6.sys
Image Path: cercsr6.sys
Address: 0xBAB38000 Size: 29120 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xBA8E8000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xBA8D8000 Size: 36352 File Visible: - Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xBAAA8000 Size: 61440 File Visible: - Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB67CC000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE4A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xB6954000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xBAF9E000 Size: 4096 File Visible: - Signed: -
Status: -

Name: eamon.sys
Image Path: C:\WINDOWS\system32\DRIVERS\eamon.sys
Address: 0xB56FE000 Size: 315392 File Visible: - Signed: -
Status: -

Name: easdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\easdrv.sys
Address: 0xB9CF3000 Size: 45056 File Visible: - Signed: -
Status: -

Name: epfwtdir.sys
Image Path: C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
Address: 0xBAAE8000 Size: 49152 File Visible: - Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xBAB18000 Size: 34944 File Visible: - Signed: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xBA5F9000 Size: 128896 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xBAE22000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xBA631000 Size: 125056 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806CF000 Size: 131968 File Visible: - Signed: -
Status: -

Name: hamachi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hamachi.sys
Address: 0xBABE8000 Size: 18560 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB92AD000 Size: 155648 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xB9C83000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xBAC18000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xBA481000 Size: 9600 File Visible: - Signed: -
Status: -

Name: HSF_CNXT.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Address: 0xB92D3000 Size: 680704 File Visible: - Signed: -
Status: -

Name: HSF_DP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
Address: 0xB937A000 Size: 1042432 File Visible: - Signed: -
Status: -

Name: HSFHWBS2.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
Address: 0xB9479000 Size: 212224 File Visible: - Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xB48B8000 Size: 262784 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xBA938000 Size: 41856 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xB68AC000 Size: 134912 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xB6A31000 Size: 74752 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xBA8A8000 Size: 35840 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xBABF0000 Size: 24576 File Visible: - Signed: -
Status: -

Name: kbdhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xBA062000 Size: 14848 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xBADA8000 Size: 8192 File Visible: - Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xB3FA8000 Size: 172416 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xB94AD000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xBA5AD000 Size: 92032 File Visible: - Signed: -
Status: -

Name: LVPr2Mon.sys
Image Path: C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
Address: 0xBABA8000 Size: 18944 File Visible: - Signed: -
Status: -

Name: mbamswissarmy.sys
Image Path: C:\WINDOWS\system32\drivers\mbamswissarmy.sys
Address: 0xBAC10000 Size: 32768 File Visible: - Signed: -
Status: -

Name: mcdbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mcdbus.sys
Address: 0xB9236000 Size: 96256 File Visible: - Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xBAF39000 Size: 2560 File Visible: No Signed: -
Status: -

Name: mdmxsdk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Address: 0xB5843000 Size: 9920 File Visible: - Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xBAE28000 Size: 4224 File Visible: - Signed: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xBACB0000 Size: 30080 File Visible: - Signed: -
Status: -

Name: MODEMCSA.sys
Image Path: C:\WINDOWS\system32\drivers\MODEMCSA.sys
Address: 0xBA04E000 Size: 16128 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xBABF8000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xBA47D000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xBA8B8000 Size: 42240 File Visible: - Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xB5863000 Size: 179584 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xB68CD000 Size: 453120 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xBAC28000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xBA9F8000 Size: 35072 File Visible: - Signed: -
Status: -

Name: MSIVXidjkrkpbdishriqhjfmdpfrfqnredvvr.sys
Image Path: C:\WINDOWS\system32\drivers\MSIVXidjkrkpbdishriqhjfmdpfrfqnredvvr.sys
Address: 0xB6A56000 Size: 188416 File Visible: - Signed: -
Status: Hidden from Windows API!

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xBA48D000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xBA4C5000 Size: 107904 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xBA4E0000 Size: 182912 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xBA49D000 Size: 9600 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xB5D40000 Size: 12928 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB925F000 Size: 91776 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xBAA68000 Size: 38016 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xBAAF8000 Size: 34560 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xB69B1000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xBAC30000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xBA50D000 Size: 574464 File Visible: - Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2062976 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xBAF16000 Size: 2944 File Visible: - Signed: -
Status: -

Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF9D5000 Size: 6062080 File Visible: - Signed: -
Status: -

Name: nv4_mini.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xB9689000 Size: 6133856 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xBA8F8000 Size: 61056 File Visible: - Signed: -
Status: -

Name: oreans32.sys
Image Path: C:\WINDOWS\system32\drivers\oreans32.sys
Address: 0xBAB08000 Size: 33824 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xBAB30000 Size: 18688 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xBA650000 Size: 68224 File Visible: - Signed: -
Status: -

Name: PCI_PNP1640
Image Path: \Driver\PCI_PNP1640
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xBAE70000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xBAB28000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PCTCore.sys
Image Path: PCTCore.sys
Address: 0xBA5C4000 Size: 143360 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2062976 File Visible: - Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB6AD1000 Size: 139264 File Visible: - Signed: -
Status: -

Name: processr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\processr.sys
Address: 0xB9C63000 Size: 35328 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB924E000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xBABD8000 Size: 17792 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xBAD44000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xBA9C8000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xBA9D8000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xBA9E8000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xBABE0000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2062976 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xB6964000 Size: 174592 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xBAE2A000 Size: 4224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xBA958000 Size: 57472 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB556C000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS
Address: 0xBA68F000 Size: 98304 File Visible: - Signed: -
Status: -

Name: secdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\secdrv.sys
Address: 0xB55E0000 Size: 10112 File Visible: - Signed: -
Status: -

Name: SKYNETnticxgob.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETnticxgob.sys
Address: 0xB6A44000 Size: 73728 File Visible: - Signed: -
Status: Hidden from Windows API!

Name: spju.sys
Image Path: spju.sys
Address: 0xBA6A7000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xBA5E7000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xB560C000 Size: 333184 File Visible: - Signed: -
Status: -

Name: sthda.sys
Image Path: C:\WINDOWS\system32\drivers\sthda.sys
Address: 0xB6AF3000 Size: 1122560 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xBADF0000 Size: 4352 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB681C000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xB69D9000 Size: 360064 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xBABD0000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xBAA08000 Size: 40704 File Visible: - Signed: -
Status: -

Name: tmcomm.sys
Image Path: C:\WINDOWS\system32\drivers\tmcomm.sys
Address: 0xB53C4000 Size: 97280 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB9202000 Size: 209408 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xBAE16000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xBACA8000 Size: 26624 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xBAA78000 Size: 57600 File Visible: - Signed: -
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xBACA0000 Size: 17024 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB9652000 Size: 143360 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xBAC20000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB9675000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xBA8C8000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xBAA48000 Size: 34560 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xBAC68000 Size: 20480 File Visible: - Signed: -
Status: -

Name: Wdf01000.sys
Image Path: C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
Address: 0xB9186000 Size: 507904 File Visible: - Signed: -
Status: -

Name: WDFLDR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS
Address: 0xBAA28000 Size: 53248 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xB5AE3000 Size: 82944 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS
Address: 0xBADAA000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2062976 File Visible: - Signed: -
Status: -

Name: WudfPf.sys
Image Path: WudfPf.sys
Address: 0xBA59A000 Size: 77696 File Visible: - Signed: -
Status: -

Name: zumbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\zumbus.sys
Address: 0xBAA18000 Size: 40832 File Visible: - Signed: -
Status: -



for somereason i can not do any system restore or run Spybot S&D. can somone please help me remove that? THX

Edited by iTrac, 02 July 2009 - 03:42 PM.


BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,040 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:45 AM

Posted 02 July 2009 - 04:12 PM

Hello,let's do these and see how it's running.

Rerun MBAM like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode


Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining
.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode
.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program
.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post 2 logs and Let us know how the PC is running now.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 iTrac

iTrac
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 02 July 2009 - 05:43 PM

Heres the new log

Malwarebytes' Anti-Malware 1.38
Database version: 2365
Windows 5.1.2600 Service Pack 2

7/2/2009 03:42:32 PM
mbam-log-2009-07-02 (15-42-32).txt

Scan type: Quick Scan
Objects scanned: 115151
Time elapsed: 22 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot.

#4 iTrac

iTrac
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 02 July 2009 - 05:55 PM

i cannot open SUPERAntiSpyware. whenever i try to open it, it has the "send and dont send" window

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,040 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:45 AM

Posted 02 July 2009 - 06:25 PM

Ok,,, I think we can get aroun this with ROOTREPEAL

Next Please install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images ,if needed >> L@@K.
Unzip that,(7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 iTrac

iTrac
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 02 July 2009 - 06:46 PM

i tried to rescan with MBAM and i got more trojans heres the log

Malwarebytes' Anti-Malware 1.38
Database version: 2365
Windows 5.1.2600 Service Pack 2

7/2/2009 04:43:28 PM
mbam-log-2009-07-02 (16-43-28).txt

Scan type: Quick Scan
Objects scanned: 114808
Time elapsed: 18 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 8
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb5582 (Trojan.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd8328 (Trojan.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga2075 (Trojan.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc8912 (Trojan.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingb8799 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingd4622 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletinga9667 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\spybotdeletingc6316 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\SKYNETnticxgob.sys (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Delete on reboot.

Edited by iTrac, 02 July 2009 - 06:51 PM.


#7 iTrac

iTrac
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 02 July 2009 - 06:58 PM

heres my RootRepeal Report
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/02 16:46
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB64FF000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADD0000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xBAF53000 Size: 2560 File Visible: No Signed: -
Status: -

Name: MSIVXidjkrkpbdishriqhjfmdpfrfqnredvvr.sys
Image Path: C:\WINDOWS\system32\drivers\MSIVXidjkrkpbdishriqhjfmdpfrfqnredvvr.sys
Address: 0xB6789000 Size: 188416 File Visible: - Signed: -
Status: Hidden from Windows API!

Name: PCI_PNP9240
Image Path: \Driver\PCI_PNP9240
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB52FD000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SKYNETnticxgob.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETnticxgob.sys
Address: 0xB6777000 Size: 73728 File Visible: - Signed: -
Status: Hidden from Windows API!

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spwq.sys
Image Path: spwq.sys
Address: 0xBA6A7000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: wegqzufk.sys
Image Path: C:\WINDOWS\system32\drivers\wegqzufk.sys
Address: 0xB653F000 Size: 61440 File Visible: No Signed: -
Status: -

Name: xrqi.sys
Image Path: C:\WINDOWS\system32\drivers\xrqi.sys
Address: 0xB9C87000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\NamelessRO Eclipse
Status: Locked to the Windows API!

Path: C:\Config.Msi\a38db4.rbs
Status: Could not get file information (Error 0xc0000008)

Path: C:\WINDOWS\Installer\MSIB89.tmp
Status: Could not get file information (Error 0xc0000008)

Path: C:\WINDOWS\Installer\MSIB7E.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\MSIVXcount
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\MSIVXkjrhyyjwyhiglfagjocshdpbeebiaoqq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\MSIVXskmnlfcfhpotcbdwahhnursdgngqxmie.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\HxB8B.tmp
Status: Could not get file information (Error 0xc0000008)

Path: C:\Program Files\Microsoft Office\Office12\MSWORD.OLB
Status: Could not get file information (Error 0xc0000008)

Path: C:\WINDOWS\system32\drivers\SKYNETnticxgob.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\MSIVXidjkrkpbdishriqhjfmdpfrfqnredvvr.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\All Users\Application Data\Microsoft Help\Rgstrtn.lck
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\All Users\Application Data\Microsoft Help\{90120000-0030-0000-0000-0000000FF1CE}
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Owner\Start Menu\Programs\NamelessRO Eclipse
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner\My Documents\My Videos\DivX Movies\video-stage6-com_the party at the end of the earth (working sound
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109030000000000000000F01FEC\12.0.6425
Status: Could not get file information (Error 0xc0000008)

Path: C:\Program Files\GamersFirst\War Rock\maps\Artifact\ObjectLightMap\SkynetCtrl_mujun_2451_3375.dds
Status: Invisible to the Windows API!

Path: C:\Program Files\GamersFirst\War Rock\maps\Artifact\ObjectLightMap\SkynetCtrl_note_01_2416_3299.dds
Status: Invisible to the Windows API!

Path: C:\Program Files\GamersFirst\War Rock\maps\Artifact\ObjectLightMap\SkynetCtrl_note_01_2979_3154.dds
Status: Invisible to the Windows API!

Path: C:\Program Files\GamersFirst\War Rock\maps\Artifact\ObjectLightMap\SkynetCtrl_note_02_2404_3342.dds
Status: Invisible to the Windows API!

Path: C:\Program Files\GamersFirst\War Rock\maps\Artifact\ObjectLightMap\SkynetCtrl_note_02_2406_3345.dds
Status: Invisible to the Windows API!

Path: C:\Program Files\GamersFirst\War Rock\maps\Decay\ObjectLightMap\SkynetCtrl_mujun_2643_3478.dds
Status: Invisible to the Windows API!

Path: C:\Program Files\GamersFirst\War Rock\maps\Decay\ObjectLightMap\SkynetCtrl_mujun_3683_3022.dds
Status: Invisible to the Windows API!

Path: C:\Program Files\GamersFirst\War Rock\maps\Decay\ObjectLightMap\SkynetCtrl_note_01_2672_3544.dds
Status: Invisible to the Windows API!

Path: C:\Program Files\GamersFirst\War Rock\maps\Decay\ObjectLightMap\SkynetCtrl_note_01_3675_2930.dds
Status: Invisible to the Windows API!

Path: C:\Program Files\GamersFirst\War Rock\maps\Decay\ObjectLightMap\SkynetCtrl_note_02_3677_2929.dds
Status: Invisible to the Windows API!

Path: C:\Program Files\GamersFirst\War Rock\maps\Decay\ObjectLightMap\SkynetCtrl_note_02_3678_2931.dds
Status: Invisible to the Windows API!

Path: C:\Program Files\GamersFirst\War Rock\maps\XMarien\ObjectLightMap\SkynetCtrl_note_01_2691_3481.dds
Status: Invisible to the Windows API!

Path: C:\Program Files\GamersFirst\War Rock\maps\XMarien\ObjectLightMap\SkynetCtrl_note_01_3691_2471.dds
Status: Invisible to the Windows API!

Path: C:\Program Files\GamersFirst\War Rock\maps\XMarien\ObjectLightMap\SkynetCtrl_note_02_2676_3504.dds
Status: Invisible to the Windows API!

Path: C:\Program Files\GamersFirst\War Rock\maps\XMarien\ObjectLightMap\SkynetCtrl_note_02_2676_3506.dds
Status: Invisible to the Windows API!

Path: C:\Program Files\GamersFirst\War Rock\maps\XMarien\ObjectLightMap\SkynetCtrl_note_02_3705_2519.dds
Status: Invisible to the Windows API!

Path: C:\Program Files\GamersFirst\War Rock\maps\XMarien\ObjectLightMap\SkynetCtrl_note_02_3705_2521.dds
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\qfavi4if.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Stealth Objects
-------------------
Object: Hidden Module [Name: MSIVXskmnlfcfhpotcbdwahhnursdgngqxmie.dll]
Process: svchost.exe (PID: 960) Address: 0x10000000 Size: 57344

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a1051f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x8a1721f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x8a1721f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a1721f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a1721f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x8a1721f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a1721f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x8a1721f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x89cb91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x89cb91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x89cb91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x89cb91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89cb91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89cb91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89cb91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89cb91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x89cb91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89cb91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x89cb91f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x89cd3500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x89cd3500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89cd3500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89cd3500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x89cd3500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89cd3500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x89cd3500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x89dc01f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x89dc01f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89dc01f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89dc01f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x89dc01f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89dc01f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x89dc01f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8a1071f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8a1071f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8a1071f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a1071f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a1071f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a1071f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a1071f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8a1071f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8a1071f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a1071f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8a1071f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x89b01500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x89b01500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89b01500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89b01500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x89b01500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x89b01500 Size: 121

Object: Hidden Code [Driver: aui9b319Ѕ䍐䍔Ёం浍瑓䗯, IRP_MJ_CREATE]
Process: System Address: 0x89b54500 Size: 121

Object: Hidden Code [Driver: aui9b319Ѕ䍐䍔Ёం浍瑓䗯, IRP_MJ_CLOSE]
Process: System Address: 0x89b54500 Size: 121

Object: Hidden Code [Driver: aui9b319Ѕ䍐䍔Ёం浍瑓䗯, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89b54500 Size: 121

Object: Hidden Code [Driver: aui9b319Ѕ䍐䍔Ёం浍瑓䗯, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89b54500 Size: 121

Object: Hidden Code [Driver: aui9b319Ѕ䍐䍔Ёం浍瑓䗯, IRP_MJ_POWER]
Process: System Address: 0x89b54500 Size: 121

Object: Hidden Code [Driver: aui9b319Ѕ䍐䍔Ёం浍瑓䗯, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89b54500 Size: 121

Object: Hidden Code [Driver: aui9b319Ѕ䍐䍔Ёం浍瑓䗯, IRP_MJ_PNP]
Process: System Address: 0x89b54500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x899f3500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ䵃慖, IRP_MJ_CREATE]
Process: System Address: 0x89ab6500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ䵃慖, IRP_MJ_CLOSE]
Process: System Address: 0x89ab6500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ䵃慖, IRP_MJ_READ]
Process: System Address: 0x89ab6500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ䵃慖, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89ab6500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ䵃慖, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89ab6500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ䵃慖, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89ab6500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ䵃慖, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89ab6500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ䵃慖, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89ab6500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ䵃慖, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ab6500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ䵃慖, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89ab6500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ䵃慖, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89ab6500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ䵃慖, IRP_MJ_CLEANUP]
Process: System Address: 0x89ab6500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఅ䵃慖, IRP_MJ_PNP]
Process: System Address: 0x89ab6500 Size: 121

Hidden Services
-------------------
Service Name: kungsftgnebumq
Image Path: C:\WINDOWS\system32\drivers\kungsffflatura.sys

Service Name: MSIVXserv.sys
Image Path:

Service Name: SKYNETmirpuycy
Image Path: C:\WINDOWS\system32\drivers\SKYNETnticxgob.sys

==EOF==

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,040 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:45 AM

Posted 02 July 2009 - 06:58 PM

Ok,this was good...
Now the next step...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:

C:\WINDOWS\system32\drivers\MSIVXidjkrkpbdishriqhjfmdpfrfqnredvvr.sys

C:\WINDOWS\system32\drivers\SKYNETnticxgob.sys

Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.


Now see if Super will run and post that log.


Next run part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 iTrac

iTrac
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:07:45 AM

Posted 02 July 2009 - 10:41 PM

thanks for the help i owe you bigtime. i just finished scanning with MBAM and nothing was detected and there's no more pop ups
THANKS!!!!!!

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,040 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:08:45 AM

Posted 03 July 2009 - 08:28 PM

Ok this is good but the nature of this malware can be elsewhere,so please run Smitfraud,thanks.

PS,
I'd also spend the hoiur for SAS.. It's not something you want to leave traces to grow in the PC.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users