Infected file comes back after deletion


21 replies to this topic

#1 Goosey (Members, 12 posts)

Posted 25 July 2009 - 12:41 PM

A while back I opened an executable I shouldn't have and it unleashed a stream of malware my way. I received messages from NOD32 and Winpatrol and started blocking and deleting some files. There is still one file however, that won't go away.
This is the message I receive from NOD32, it's the only software that detects anything with this file. I've also tried the bitdefender online scanner, but it doesn't detect an infection with this file.

C:\WINDOWS\system32\drivers\c51a6a477935804.sys Win32/Agent.PUK trojan

When this file is deleted either by NOD32 or manually, it comes back almost instantly. I looked in the dllcache folder, but it's not in there. I tried deleting it in safe mode, but the same thing happens. Deleting on reboot by various tools doesn't work either.

I think my PC is clean apart from this file, but I can't be sure. I'm scanning my Windows directory everyday now and it's only been detecting this one file. I do occasionally get threat messages from the IMON scanner in NOD32. The first one a couple of days ago and the second one today (not sure if posting it like this is ok?).

http:// 212.117.174.14/svchost.exe een variant van Win32/Kryptik.QW trojan

http:// 212.117.174.14/svchost1.exe een variant van Win32/Kryptik.QW trojan

They seem to come every 5 minutes for a while and then they stop.

Another thing that happened is that IE8 has been acting strange from the moment these infections started: things like going to a blank page in the middle of loading a page and it wanted to download a zip file instead of an nzb file on an nzb site. Have been using Firefox and Safari now, they don't have these problems.

Lastly, I'm experiencing hang-ups in Windows Live Messenger and Windows Live Mail that I didn't get before. When opening Live Mail or when opening certain e-mails it hangs and has to be forced to quit.

I've tried to be as detailed as possible, but maybe some of these things are not related to each other.

I'm using Windows XP SP3. Appreciate any help.

#2 boopme (Global Moderator)

Posted 25 July 2009 - 12:52 PM

Hello and welcome, please run these next. If you have Spybot installed, temporarily disable it.
Next run ATF:
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe... now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#3 Goosey (Topic Starter)

Posted 25 July 2009 - 01:35 PM

Here is the MBAM log (before reboot):

Malwarebytes' Anti-Malware 1.39
Database version: 2500
Windows 5.1.2600 Service Pack 3

07/25/2009 8:31:02 PM
mbam-log-2009-07-25 (20-31-02).txt

Scan type: Quick Scan
Objects scanned: 124868
Time elapsed: 7 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 15
Registry Values Infected: 12
Registry Data Items Infected: 1
Folders Infected: 9
Files Infected: 88

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruiqckxpxqu.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{386a771c-e96a-421f-8ba7-32f1b706892f} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7c559105-9ecf-42b8-b3f7-832e75edd959} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{efb22865-f3bc-4309-adfa-c8e078a7f762} (Dialer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{deceaaa2-370a-49bb-9362-68c3a58ddc62} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000020040000} (Trojan.Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\spyware cease_is1 (Rogue.SpywareCease) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RkHit (Rogue.SpywareCease) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msncache (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Golden Palace Casino PT (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Spyware Cease (Rogue.SpywareCease) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spywarecease.exe (Rogue.SpywareCease) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mms (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Spyware Cease (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\RepairBackup (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\repairbackup\del (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\update (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\UpdateVulnerability (Rogue.SpywareCease) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Menu Start\Programma's\Spyware Cease (Rogue.SpywareCease) -> Quarantined and deleted successfully.
C:\Program Files\%windir% (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\program files\%windir%\system32 (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\hjgruiqckxpxqu.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\program files\spyware cease\AutoUpdate.exe (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\bmgac (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\DefendLog.txt (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\dxddd (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\hrdb.hrl (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\idamx (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\iflee (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\LoadSWB.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\ls.dat (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\LSR.lsr (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\md5.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\mtools.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\networkdll.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\opfile.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\rgp.tmp (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\RkHitApi.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\SFL.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\spkdll.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\SpywareCease.chm (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\SpywareCease.exe (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\SpywareCease.url (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\unins000.dat (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\unins000.exe (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\ussafe.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\vf (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\xxcum (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\zlib1.dll (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\repairbackup\del.txt (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\repairbackup\removestartup.dat (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\repairbackup\startup.dat (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb0.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb1.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb10.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb11.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb12.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb13.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb14.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb15.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb16.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb17.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb18.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb19.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb2.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb20.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb21.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb22.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb23.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb24.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb25.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb26.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb27.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb28.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb29.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb3.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb30.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb31.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb32.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb33.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb34.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb35.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb36.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb4.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb5.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb6.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb7.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb8.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swb9.ssc (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\swb\swinx.inx (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\update\SpywareCease_Setup.exe (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\update\Update.ini (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\update\uplist.up (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\updatevulnerability\StepByStepInteractiveTraining-KB923723-x86-ENU.exe (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\updatevulnerability\WindowsXP-KB923689-v2-x86-ENU.EXE (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\updatevulnerability\WindowsXP-KB950582-x86-ENU.exe (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\updatevulnerability\WindowsXP-KB953155-x86-ENU.exe (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\updatevulnerability\WindowsXP-KB955704-x86-ENU.exe (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\updatevulnerability\WindowsXP-KB956390-x86-ENU.exe (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\spyware cease\updatevulnerability\WindowsXP-KB959252-v2-x86-ENU.exe (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\documents and settings\all users\menu start\programma's\spyware cease\Spyware Cease on the Web.lnk (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\documents and settings\all users\menu start\programma's\spyware cease\Spyware Cease.lnk (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\documents and settings\all users\menu start\programma's\spyware cease\Uninstall Spyware Cease.lnk (Rogue.SpywareCease) -> Quarantined and deleted successfully.
c:\program files\%windir%\system32\comsa32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\program files\%windir%\system32\tpsaxyd.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.

I doubt spyware cease is really malware, but deleted it anyway.
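A small triage helper for the MBAM log format posted above, added here as an example (it is not code from this thread or from Malwarebytes). It parses the "... Infected:" sections, groups detections by family and labels the persistence mechanism each path or key implies, so that entries backed by a kernel driver or a service registration (the kind that re-create a file the moment it is deleted) stand out from leftover rogue-application files. The embedded sample is a constructed excerpt of the log above; the mechanism labels and function names are this example's own.

```python
"""Triage helper for a Malwarebytes' Anti-Malware 1.x scan log (added example)."""
import re
from collections import defaultdict

# Constructed excerpt in the MBAM 1.39 log format; entries are copied from the
# log posted in this thread, trimmed to a few per section.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.39
Database version: 2500
Windows 5.1.2600 Service Pack 3

Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruiqckxpxqu.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RkHit (Rogue.SpywareCease) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\msncache (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spywarecease.exe (Rogue.SpywareCease) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\hjgruiqckxpxqu.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\program files\spyware cease\SpywareCease.exe (Rogue.SpywareCease) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
"""

# Section headers read "Files Infected:"; the summary block at the top of a
# log repeats the words with a count after the colon and is deliberately skipped.
SECTION_RE = re.compile(r"^(?P<section>.+) Infected:\s*$")
# One detection per line: "<path or key> (<family>) -> <action>".
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

def parse_entries(log_text):
    """Return (section, item, family, action) tuples, one per detection line."""
    section, entries = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("section")
            continue
        ent = ENTRY_RE.match(line)
        if ent:
            entries.append((section, ent.group("item"), ent.group("family"), ent.group("action")))
    return entries

def classify(item):
    """Label the persistence mechanism a detected path or key implies.
    Kernel/service footholds come first: a loaded driver or registered service is
    what re-drops a file the moment it is deleted. Labels are this example's own."""
    p = item.lower()
    if "\\globalroot\\" in p:
        return "kernel: module reached via \\\\?\\globalroot (rootkit-style path)"
    if p.endswith(".sys"):
        return "kernel: driver file (.sys)"
    if "\\services\\" in p:
        return "service: driver/service registration"
    if "\\enum\\root\\legacy_" in p:
        return "service: PnP LEGACY_ trace"
    if "\\currentversion\\run" in p:
        return "autorun: Run key"
    if "\\ext\\stats\\" in p:
        return "browser: Ext\\Stats trace"
    return "artifact"

def triage(log_text):
    """Group detections by family: count, mechanisms hit, and whether MBAM had
    to defer any removal to the next reboot (a sign the item was in use)."""
    summary = defaultdict(lambda: {"count": 0, "mechanisms": set(), "reboot_pending": False})
    for _section, item, family, action in parse_entries(log_text):
        rec = summary[family]
        rec["count"] += 1
        rec["mechanisms"].add(classify(item))
        if "reboot" in action.lower():
            rec["reboot_pending"] = True
    return dict(summary)

def kernel_families(summary):
    """Families with a kernel or service foothold: the ones to re-scan for after
    the reboot, since user-mode deletion alone does not remove them."""
    return sorted(fam for fam, rec in summary.items()
                  if any(m.startswith(("kernel", "service")) for m in rec["mechanisms"]))

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for fam, rec in sorted(result.items()):
        flag = " [reboot pending]" if rec["reboot_pending"] else ""
        print(f"{fam}: {rec['count']} item(s){flag}; " + ", ".join(sorted(rec["mechanisms"])))
    print("Kernel/service-level cleanup needed for:", ", ".join(kernel_families(result)))
```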

#4 boopme (Global Moderator)

Posted 25 July 2009 - 01:41 PM

Hi, we did find some serious malware. SpywareCease is a misleading application that may give exaggerated reports of threats on the computer. So we do not trust it.
I want you to read this about the TDSS and backdoor bots found.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


If you decide to continue to clean then this is next.
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Edited by boopme, 25 July 2009 - 01:44 PM.


#5 Goosey (Topic Starter)

Posted 25 July 2009 - 04:16 PM

I'm scanning with SUPERAntiSpyware for 2 hours already, at this pace it's looking like it'll take more than 12 hours though. Is it possible to stop the scanning once it's finished with the C drive? I've got another 250 GB hard drive with nothing but movies/music/games. Don't know if it's worth it to scan this one too.

I've changed important passwords on my iphone using the same wireless network my computer is on. I assume this is safe?

Edited by Goosey, 25 July 2009 - 04:17 PM.


#6 boopme (Global Moderator)

Posted 25 July 2009 - 06:58 PM

Yes, you can stop it.

Also run part 1 of S!Ri's SmitfraudFix; this will be quick.

Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#7 Goosey (Topic Starter)

Posted 25 July 2009 - 11:11 PM

OK, here's the SUPERAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/26/2009 at 05:47 AM

Application Version : 4.26.1006

Core Rules Database Version : 4019
Trace Rules Database Version: 1959

Scan type : Complete Scan
Total Scan Time : 08:36:24

Memory items scanned : 248
Memory threats detected : 0
Registry items scanned : 8505
Registry threats detected : 58
File items scanned : 267794
File threats detected : 6

Trojan.Smitfraud Variant
HKLM\Software\Classes\CLSID\{5c4f2cbc-f32d-4a03-9812-86f39379811b}
HKCR\CLSID\{5C4F2CBC-F32D-4A03-9812-86F39379811B}
HKCR\CLSID\{5C4F2CBC-F32D-4A03-9812-86F39379811B}\InProcServer32
HKCR\CLSID\{5C4F2CBC-F32D-4A03-9812-86F39379811B}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\OKSRQQU.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{5c4f2cbc-f32d-4a03-9812-86f39379811b}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#breadthes

Adware.F1 Organizer
HKU\S-1-5-21-2375836487-89407270-2550188437-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000EF1-0786-4633-87C6-1AA7A44296DA}

Trojan.Media-Codec
HKU\S-1-5-21-2375836487-89407270-2550188437-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{84938242-5C5B-4A55-B6B9-A1507543B418}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run#none

Trojan.Agent/Gen
HKLM\System\ControlSet001\Services\c51a6a477935804
C:\WINDOWS\SYSTEM32\DRIVERS\C51A6A477935804.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_c51a6a477935804
HKLM\System\ControlSet003\Services\c51a6a477935804
HKLM\System\ControlSet003\Enum\Root\LEGACY_c51a6a477935804
HKLM\System\CurrentControlSet\Services\c51a6a477935804
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_c51a6a477935804

Adware.Casino Games (Golden Palace Casino)
HKLM\Software\Golden Palace Casino PT
HKLM\Software\Golden Palace Casino PT#uninstall
HKLM\Software\Golden Palace Casino PT#account
HKLM\Software\Golden Palace Casino PT#advertisercode
HKLM\Software\Golden Palace Casino PT#banner
HKLM\Software\Golden Palace Casino PT#createdrealaccount
HKLM\Software\Golden Palace Casino PT#creferer
HKLM\Software\Golden Palace Casino PT#homedir
HKLM\Software\Golden Palace Casino PT#profile
HKLM\Software\Golden Palace Casino PT#referer
HKLM\Software\Golden Palace Casino PT#safemode
HKLM\Software\Golden Palace Casino PT#uninstall_lang
C:\GAMES\CASINO'S\GOLDEN PALACE CASINO\CASINO.EXE
C:\GAMES\CASINO'S\TONY G POKER\CASINO.EXE
C:\PROGRAM FILES\INTERCASINO $$$\CASINO.EXE
C:\PROGRAM FILES\INTERCASINO DEUTSCHLAND\CASINO.EXE

Unclassified.Oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc

Trojan.Agent/Gen-SOPIDKC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SOPIDKC\0000#DeviceDesc

Trojan.Agent/Gen-AlerterALG
HKU\.DEFAULT\Software\S45
HKU\S-1-5-18\Software\S45

Trojan.Agent/Gen-MSNCache
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSNCACHE\0000#DeviceDesc

Trojan.Hugipon
HKLM\System\CURRENTCONTROLSET\SERVICES\6TO4\Parameters
HKLM\System\CURRENTCONTROLSET\SERVICES\6TO4\Parameters#ServiceDll


And here's the Smitfraudfix report:


SmitFraudFix v2.423

Scan done at 6:02:25.76, 07/26/2009
Run from C:\Documents and Settings\Eigenaar\Bureaublad\SmitfraudFix
OS: Microsoft Windows XP [versie 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process


hosts


C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Eigenaar


C:\DOCUME~1\Eigenaar\LOCALS~1\Temp


C:\Documents and Settings\Eigenaar\Application Data


Start Menu





Desktop


C:\Program Files


Corrupted keys


Desktop Components



o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""




DNS



Scanning for wininet.dll infection


End

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,195 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:43 PM

Posted 26 July 2009 - 12:18 PM

Ok, looks like the smitfraud is gone and an awful lot of other junk. Does NOD still see that file? How's it running now?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#9 Goosey

Goosey
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:43 AM

Posted 26 July 2009 - 12:40 PM

The file was gone so NOD's not finding it anymore. The hang ups in live mail are gone now as well. When I opened IE I got a message about the security settings being too low, so changed it back to normal. Everything seems to be running fine now.

Any other software I could scan with to be sure everything's gone? I find it a little disturbing that the programs I scanned with, like NOD, windows defender, spyware cease and bitdefender, didn't find most of this stuff that's been causing all this. Do you recommend something else besides the programs you had me download?

Edited by Goosey, 26 July 2009 - 12:44 PM.


#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,195 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:43 PM

Posted 26 July 2009 - 12:55 PM

Ok, this is looking good. Run DrWeb, if you would like.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Edited by boopme, 26 July 2009 - 12:56 PM.


#11 Goosey

Goosey
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:43 AM

Posted 26 July 2009 - 01:34 PM

Ok I get an error in Cureit after clicking OK to start the scan in the virus check window. I get the standard prompt about sending a report to Microsoft (y46za.exe), so I can't do any scanning.

#12 Goosey

Goosey
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:43 AM

Posted 26 July 2009 - 02:08 PM

Did another scan with MBAM instead and it found 2 infections, I think these are the same as before:

Malwarebytes' Anti-Malware 1.39
Database version: 2500
Windows 5.1.2600 Service Pack 3

07/26/2009 9:00:02 PM
mbam-log-2009-07-26 (21-00-02).txt

Scan type: Quick Scan
Objects scanned: 122365
Time elapsed: 12 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruiqckxpxqu.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\hjgruiqckxpxqu.dll (Trojan.TDSS) -> Quarantined and deleted successfully.



I can't see this file in the windows/system32 directory however.

Edit: It seems like this one isn't deleted, it shows up again now.

Edited by Goosey, 26 July 2009 - 02:19 PM.


#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,195 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:43 PM

Posted 26 July 2009 - 02:55 PM

Looks like a rootkit. Install, then disconnect from the internet and run.
Next Please install RootRepeal
Note: Vista users, right click on desktop icon and select "Run as Administrator."
Fatdcuk at Malwarebytes posted a comprehensive tutorial - Self Help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
Not this >>> SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High

#14 Goosey

Goosey
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:43 AM

Posted 26 July 2009 - 03:31 PM

Here's the RootRepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/26 22:03
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name:
Image Path:
Address: 0xF776C000 Size: 98304 File Visible: No Signed: -
Status: -

Name:
Image Path:
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAE3EA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7DA3000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hjgruiabwkntlv.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruiabwkntlv.sys
Address: 0xAE78E000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: otwhm.sys
Image Path: C:\WINDOWS\system32\drivers\otwhm.sys
Address: 0xF6EBC000 Size: 61440 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAA59C000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\hjgruimthqvmvj.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiqckxpxqu.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruivqumslkp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiylqaeihc.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruiepyyxioonk.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruiyqxkbnmdtp.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruiabwkntlv.sys
Status: Invisible to the Windows API!

Path: C:\Program Files\PostgreSQL\8.3\data\global\pgstat.stat
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Microsoft\Messenger\xxx@hotmail.com\SharingMetadata\xxx@hotmail.com\DFSR\Staging\CS{A8614864-5ED1-4E55-18FD-64FF622D7F18}\01\267-{A8614864-5ED1-4E55-18FD-64FF622D7F18}-v1-{10DC30F0-BF01-44E3-BFCE-4F9977C5BBDF}-v267-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Eigenaar\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1265E0CF\Native\STUBEXE\@WINDIR@\Microsoft.NET\Framework\v2.0.50727\csc.exe:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: hjgruivqumslkp.dll]
Process: svchost.exe (PID: 1268) Address: 0x008e0000 Address: 57344

Object: Hidden Module [Name: hjgruiepyyxioonk.tmpll]
Process: svchost.exe (PID: 1268) Address: 0x10000000 Address: 28672

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x86fc7780 Address: 11

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x8699deb0 Address: 11

Object: Hidden Code [Driver: sys, IRP_MJ_READ]
Process: System Address: 0x86962b18 Address: 11

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x86ad9f00 Address: 99

Object: Hidden Code [Driver: prodrv06ࠅᰍⱨ蚚ወ耆耆ʵ, IRP_MJ_CREATE]
Process: System Address: 0xe18b4c30 Address: 976

Object: Hidden Code [Driver: prodrv06ࠅᰍⱨ蚚ወ耆耆ʵ, IRP_MJ_CLOSE]
Process: System Address: 0xe18b4c30 Address: 976

Object: Hidden Code [Driver: prodrv06ࠅᰍⱨ蚚ወ耆耆ʵ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xe18b4c30 Address: 976

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CLOSE]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_READ]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_WRITE]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_EA]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_EA]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CLEANUP]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_POWER]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_PNP]
Process: System Address: 0x86aa6b58 Address: 99

Object: Hidden Code [Driver: prohlp02, IRP_MJ_CREATE]
Process: System Address: 0xe1011300 Address: 141

Object: Hidden Code [Driver: prohlp02, IRP_MJ_CLOSE]
Process: System Address: 0xe1011300 Address: 141

Object: Hidden Code [Driver: prohlp02, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xe1011300 Address: 141

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x86a09ac0 Address: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x86246e98 Address: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x86a8bd38 Address: 11

Object: Hidden Code [Driver: Npfs؅扏煓؁అ瑎獆ᐸ, IRP_MJ_READ]
Process: System Address: 0x86a73f20 Address: 11

Object: Hidden Code [Driver: Msfsࠅఊ偶瑲, IRP_MJ_READ]
Process: System Address: 0x86cb9f30 Address: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System Address: 0x86a90ab0 Address: 11

Object: Hidden Code [Driver: CdfsЅఐ卆浩, IRP_MJ_READ]
Process: System Address: 0x8691dfb0 Address: 11

==EOF==



There are about a dozen more entries of the one where I blocked out the e-mail addresses. Just let me know if those are important.
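The RootRepeal log above is what a responder works from: "Invisible to the Windows API!" is exactly why Goosey cannot find hjgruiqckxpxqu.dll in system32 with Explorer, while the tool still sees it, and the hjgrui... names on the .sys, .dll and .dat files all share one prefix. As an added example (not code from the thread, from RootRepeal or from BleepingComputer), here is a small Python triage script that parses a report in that layout and pulls out what to look at first: drivers and files the tool reports as hidden, hidden modules loaded into processes, any name prefix the hidden artifacts share, and drivers whose every reported IRP dispatch entry lands on one address. The sample report is a constructed excerpt in RootRepeal's format, and the function names are my own.

```python
import re
from collections import Counter, defaultdict
# Constructed excerpt in the RootRepeal report layout (not a real scan).
SAMPLE_REPORT = r"""Drivers
-------------------
Name: hjgruiabwkntlv.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruiabwkntlv.sys
Address: 0xAE78E000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\hjgruiqckxpxqu.dll
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: hjgruivqumslkp.dll]
Process: svchost.exe (PID: 1268) Address: 0x008e0000 Address: 57344

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x86ad3f00 Address: 99

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x86fc7780 Address: 11

==EOF==
"""

WHOLE_LINE_KEYS = {"Name", "Image Path", "Path", "Status"}
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s+(\S+)")
OBJECT_RE = re.compile(r"Object:\s+(?P<kind>[^\[]+?)\s+\[(?P<detail>[^\]]*)\]")
# The tool prints a stealth object's size under a second "Address:" label.
PROCESS_RE = re.compile(r"Process:\s+(?P<process>.+?)\s+Address:\s+(?P<addr>0x[0-9A-Fa-f]+)\s+Address:\s+(?P<size>\d+)")

def parse_record(lines):
    """One blank-line-delimited block of 'Key: value' lines -> dict."""
    rec = {}
    for line in lines:
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "Object" and (m := OBJECT_RE.match(line)):
            rec["kind"], rec["detail"] = m.group("kind"), {}
            for part in m.group("detail").split(","):  # "Driver: atapi, IRP_MJ_READ"
                k, sep, v = part.partition(":")
                rec["detail"][k.strip() if sep else "Function"] = (v if sep else part).strip()
        elif key == "Process" and (m := PROCESS_RE.match(line)):
            rec.update(m.groupdict())
        elif key in WHOLE_LINE_KEYS:
            rec[key] = value
        else:  # "Address: ... Size: ... File Visible: ... Signed: ..."
            rec.update(PAIR_RE.findall(line))
    return rec

def parse_report(text):
    """Group records under their section header ('Drivers', 'Stealth Objects', ...)."""
    sections, section, record = defaultdict(list), None, []
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line, nxt = lines[i].rstrip(), (lines[i + 1] if i + 1 < len(lines) else "")
        if line and ":" not in line and nxt.startswith("---"):  # header + dashed rule
            section, record, i = line, [], i + 2
            continue
        if line and not line.startswith("="):
            record.append(line)
        elif record:  # a blank line or "==EOF==" ends the record
            if section:
                sections[section].append(parse_record(record))
            record = []
        i += 1
    return sections

def hidden_artifacts(report):
    """Hidden drivers, files and in-process modules; 'Locked' files (e.g. hiberfil.sys) are not hidden and are skipped."""
    return {"drivers": [r["Name"] for r in report["Drivers"] if "Hidden" in r.get("Status", "")],
            "files": [r["Path"] for r in report["Hidden/Locked Files"]
                      if r.get("Status", "").startswith("Invisible")],
            "modules": [r["detail"]["Name"] for r in report["Stealth Objects"]
                        if r.get("kind") == "Hidden Module"]}

def shared_prefixes(names, length=6, min_count=2):
    """Name prefixes that several hidden artifacts share (the 'hjgrui' family above)."""
    bases = {n.replace("\\", "/").rsplit("/", 1)[-1].lower() for n in names}
    counts = Counter(b[:length] for b in bases)
    return sorted(p for p, c in counts.items() if c >= min_count)

def uniform_irp_redirects(report, min_functions=2):
    """Drivers whose every reported IRP dispatch entry resolves to one address; a triage signal, not a verdict (the log above shows the same shape for Cdrom and d347prt)."""
    hooks = defaultdict(lambda: defaultdict(list))
    for r in report["Stealth Objects"]:
        if r.get("kind") == "Hidden Code" and "Driver" in r.get("detail", {}):
            hooks[r["detail"]["Driver"]][r["addr"]].append(r["detail"]["Function"])
    return sorted((drv, addr, len(fn)) for drv, by_addr in hooks.items() if len(by_addr) == 1
                  for addr, fn in by_addr.items() if len(fn) >= min_functions)
```

On the sample, hidden_artifacts(parse_report(SAMPLE_REPORT)) returns the hjgrui driver, the invisible DLL and the hidden module; shared_prefixes over those three names returns ['hjgrui'], and uniform_irp_redirects flags atapi with two dispatch entries on 0x86ad3f00 while leaving Ntfs alone. To run it over a saved RootRepeal.txt, read the file and pass its text to parse_report instead of SAMPLE_REPORT. The "Hidden Module" and "Invisible" hits are the ones worth acting on first; the single-address flag only ranks drivers for a closer look, since the thread's own log shows the same shape for Cdrom and d347prt.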

#15 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,195 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:10:43 PM

Posted 26 July 2009 - 03:41 PM

Hi actually I think I will stop asking for that section in the future as it doesn't seem to produce kits and I don't have to remove all those addy's.

Now the next step...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:

C:\WINDOWS\system32\hjgruiqckxpxqu.dll
C:\WINDOWS\system32\hjgruivqumslkp.dll
C:\WINDOWS\system32\drivers\hjgruiabwkntlv.sys

Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.



Rerun MBAM like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab,select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

How is it running now?



