
Small.NEK\ Trojan.Agent/Gen-Backdoor \ System Security?


  • This topic is locked
17 replies to this topic

#1 maged918

maged918

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:11:33 AM

Posted 06 August 2009 - 10:21 PM

So I turned off my Windows firewall for a few days, only to discover that my IMON in NOD32 was shut down too.. So as you can guess, my computer was infected with all sorts of malware; here is a list of stuff that I know are/were on my computer..

1) System Security 2009: It messed up my computer, neither Malwarebytes nor Spyware Doctor would work, even in safe mode.. They'd install normally but they wouldn't run when opened / wouldn't carry out a scan.. I think I deleted it by following a guide somewhere but I'm not sure honestly.

2) Trojan.Agent/Gen-Backdoor: So I was able to download SUPERAntiSpyware, and running it in safe mode first found all sorts of trojans, plus this one had like 600 copies in the system32 folder. Hidden files were not showing, even when choosing show in folder options, and even after changing a value in the registry it would sometimes change back. I removed all that SUPERAntiSpyware found, but running again in normal mode, there are still traces, and it shows some malicious files opening at startup when viewing the startup list from msconfig.

3) b.exe, shows up in the startup list too, did nothing about it..

4) Small.NEK: NOD32 keeps finding files infected with it in the Temporary Internet Files folder, and keeps blocking some weird sites from downloading it. For some reason NOD32 was removed from my startup list and I can't figure out a way to get it back.

Thanks in advance.. Hope these things are fixed soon, and I really appreciate all the people on this forum working on helping other people..


#2 ComputerNutjob

ComputerNutjob

  • Banned
  • 125 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:33 AM

Posted 06 August 2009 - 10:47 PM

For ONE of your infections, please use this removal guide: http://www.bleepingcomputer.com/virus-remo...system-security

For your other infections, please wait until a BC Advisor is here to help you. Or, you could altogether wait for a BC Advisor to remove ALL infections.

#3 maged918

maged918
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:11:33 AM

Posted 07 August 2009 - 06:11 AM

Thanks.. I guess System Security is off my machine now, because the process isn't there, I've deleted all the files mentioned, and all the registry values are gone.. Malwarebytes isn't running though, so I'm scanning with SUPERAntiSpyware.. Waiting for the other problems, thanks anyways

EDIT: Hey am I doing something wrong here? Are there any extra details you need to know? Tell me please..

Edited by maged918, 08 August 2009 - 05:38 AM.


#4 maged918

maged918
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:11:33 AM

Posted 09 August 2009 - 09:18 AM

Bump. My computer is now making sounds without anything being opened, b.exe won't be removed, and using SUPERAntiSpyware in safe mode and deleting the Prefetch folder in Windows caused .exe files to not open; I was able to fix that though.. Please help!

#5 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:12:33 PM

Posted 09 August 2009 - 11:16 AM

Did you get SUPERAntiSpyware to run? If you did. . . please post the log.

Also, please install RootRepeal
Note: Vista users, right-click on the desktop icon and select "Run as Administrator."
  • Go HERE, HERE, or HERE and download RootRepeal.zip to your Desktop.
Disconnect from the Internet or physically unplug your Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • Extract RootRepeal.exe from the zip archive.
  • Open RootRepeal on your desktop.
  • At the top of the window, click Settings, then Options.
  • Click the Ssdt & Shadow Ssdt Tab.
  • Make sure the box next to "Only display hooked functions." is checked.
  • Click the "X" in the top right corner of the Settings window to close it.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
~Blade


In your next reply, please include the following:
SUPERAntiSpyware log
RootRepeal log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#6 maged918

maged918
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:11:33 AM

Posted 09 August 2009 - 12:50 PM

RootRepeal Scan:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/09 20:33
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB28F0000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8AC8000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP6936
Image Path: \Driver\PCI_PNP6936
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB18FA000 Size: 49152 File Visible: No Signed: -
Status: -

Name: rpmd570
Image Path: \Driver\rpmd570
Address: 0xB2A1E000 Size: 179648 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: spnn.sys
Image Path: spnn.sys
Address: 0xF8455000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Program Files\AOL Games\Caribbean Hideaway\CaribbeanHideaway.exe:{E64A8362-5274-6C3D-14F9-E891EA854F6A}
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\AOL Games\Jane's Realty\JanesRealty.exe:{8127035C-864F-3AEA-23F9-37A933C3E30D}
Status: Visible to the Windows API, but not on disk.

Path: C:\Program Files\AOL Games\Pahelika Secret Legends\PahelikaRelease.exe:{F5CFEF8D-10E2-235C-0A7D-E5063E6A1940}
Status: Visible to the Windows API, but not on disk.

Processes
-------------------
Path: C:\WINDOWS\system32\svchost.exe
PID: 1416 Status: Hidden from the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: ipcmd.dll]
Process: <unknown name> (PID: 1148) Address: 0x00f90000 Size: 167936

Object: Hidden Code [ETHREAD: 0xffa8b598]
Process: System Address: 0xff612470 Size: 708

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x82b701f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0xff60d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0xff60d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0xff60d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0xff60d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0xff60d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0xff60d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0xff60d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0xff60d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0xff60d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0xff60d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0xff60d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0xff60d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0xff60d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xff60d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0xff60d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0xff60d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0xff60d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0xff60d1f8 Size: 121

Object: Hidden Code [Driver: axf28fb4ȅఐ卆浩<, IRP_MJ_CREATE]
Process: System Address: 0xff6061f8 Size: 121

Object: Hidden Code [Driver: axf28fb4ȅఐ卆浩<, IRP_MJ_CLOSE]
Process: System Address: 0xff6061f8 Size: 121

Object: Hidden Code [Driver: axf28fb4ȅఐ卆浩<, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xff6061f8 Size: 121

Object: Hidden Code [Driver: axf28fb4ȅఐ卆浩<, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0xff6061f8 Size: 121

Object: Hidden Code [Driver: axf28fb4ȅఐ卆浩<, IRP_MJ_POWER]
Process: System Address: 0xff6061f8 Size: 121

Object: Hidden Code [Driver: axf28fb4ȅఐ卆浩<, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0xff6061f8 Size: 121

Object: Hidden Code [Driver: axf28fb4ȅఐ卆浩<, IRP_MJ_PNP]
Process: System Address: 0xff6061f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x82b711f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x82b711f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82b711f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82b711f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x82b711f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82b711f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x82b711f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8290e1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8290e1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8290e1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8290e1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8290e1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8290e1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8290e1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8290e1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8290e1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8290e1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8290e1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x82bdd1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x82bdd1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x82bdd1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x82bdd1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82bdd1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82bdd1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82bdd1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82bdd1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x82bdd1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82bdd1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x82bdd1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x829ea1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x829ea1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x829ea1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x829ea1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x829ea1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x829ea1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x829ea1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x82b721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x82b721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x82b721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82b721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82b721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82b721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82b721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x82b721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x82b721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82b721f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x82b721f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0xff7c31f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0xff7c31f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xff7c31f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0xff7c31f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0xff7c31f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0xff7c31f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x829d31f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x829d31f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x829d31f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x829d31f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x829d31f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x829d31f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x829d31f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0xff6681f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ䵃帐觸ﺨﺨ耀 䀀, IRP_MJ_CREATE]
Process: System Address: 0x827d2500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ䵃帐觸ﺨﺨ耀 䀀, IRP_MJ_CLOSE]
Process: System Address: 0x827d2500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ䵃帐觸ﺨﺨ耀 䀀, IRP_MJ_READ]
Process: System Address: 0x827d2500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ䵃帐觸ﺨﺨ耀 䀀, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x827d2500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ䵃帐觸ﺨﺨ耀 䀀, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x827d2500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ䵃帐觸ﺨﺨ耀 䀀, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x827d2500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ䵃帐觸ﺨﺨ耀 䀀, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x827d2500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ䵃帐觸ﺨﺨ耀 䀀, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x827d2500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ䵃帐觸ﺨﺨ耀 䀀, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x827d2500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ䵃帐觸ﺨﺨ耀 䀀, IRP_MJ_SHUTDOWN]
Process: System Address: 0x827d2500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ䵃帐觸ﺨﺨ耀 䀀, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x827d2500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ䵃帐觸ﺨﺨ耀 䀀, IRP_MJ_CLEANUP]
Process: System Address: 0x827d2500 Size: 121

Object: Hidden Code [Driver: CdfsЅఆ䵃帐觸ﺨﺨ耀 䀀, IRP_MJ_PNP]
Process: System Address: 0x827d2500 Size: 121

==EOF==




SUPERAntispyware Log:


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/07/2009 at 07:11 AM

Application Version : 4.27.1000

Core Rules Database Version : 4041
Trace Rules Database Version: 1981

Scan type : Quick Scan
Total Scan Time : 01:16:42

Memory items scanned : 461
Memory threats detected : 5
Registry items scanned : 465
Registry threats detected : 29
File items scanned : 21082
File threats detected : 204

Trojan.Dropper/Sys-NV
C:\WINDOWS\SYSTEM32\IPRIPV32.DLL
C:\WINDOWS\SYSTEM32\IPRIPV32.DLL
C:\WINDOWS\SYSTEM32\BNDMSS.EXE
C:\WINDOWS\SYSTEM32\BNDMSS.EXE

Adware.Vundo/Variant-MSFake
C:\WINDOWS\SYSTEM32\MSWINSCK.OCX
C:\WINDOWS\SYSTEM32\MSWINSCK.OCX

Trojan.Dropper/Win-NV
C:\WINDOWS\MSA.EXE
C:\WINDOWS\MSA.EXE

Trojan.Unclassified/MSXML71-Packed
C:\WINDOWS\SYSTEM32\MSXML71.DLL
C:\WINDOWS\SYSTEM32\MSXML71.DLL

Trojan.Agent/Gen-Backdoor[WinRes]
[exec] C:\WINDOWS\SYSTEM32\MSLSEQT.EXE
C:\WINDOWS\SYSTEM32\MSLSEQT.EXE
[load] C:\WINDOWS\SYSTEM32\MSUUXE.EXE
C:\WINDOWS\SYSTEM32\MSUUXE.EXE
[run] C:\WINDOWS\SYSTEM32\MSMHRX.EXE
C:\WINDOWS\SYSTEM32\MSMHRX.EXE
[load] C:\WINDOWS\SYSTEM32\MSTCA.EXE
C:\WINDOWS\SYSTEM32\MSTCA.EXE
[run] C:\WINDOWS\SYSTEM32\MSUHZLU.EXE
C:\WINDOWS\SYSTEM32\MSUHZLU.EXE
[load] C:\WINDOWS\SYSTEM32\MSUUXE.EXE
[run] C:\WINDOWS\SYSTEM32\MSMHRX.EXE
C:\DOCUMENTS AND SETTINGS\XPPRESP3\LOCAL SETTINGS\TEMP\XAYIJGFIK38.LOG
C:\DOCUMENTS AND SETTINGS\XPPRESP3\LOCAL SETTINGS\TEMP\XAYIJGFIK46.EXE
C:\WINDOWS\SYSTEM32\MSCGCPY.EXE
C:\WINDOWS\SYSTEM32\MSCII.EXE
C:\WINDOWS\SYSTEM32\MSCKDHHQ.EXE
C:\WINDOWS\SYSTEM32\MSCMN.EXE
C:\WINDOWS\SYSTEM32\MSCSNSM.EXE
C:\WINDOWS\SYSTEM32\MSCTGBTK.EXE
C:\WINDOWS\SYSTEM32\MSCXSLV.EXE
C:\WINDOWS\SYSTEM32\MSDCDO.EXE
C:\WINDOWS\SYSTEM32\MSDLNBC.EXE
C:\WINDOWS\SYSTEM32\MSDZOLB.EXE
C:\WINDOWS\SYSTEM32\MSEBGDO.EXE
C:\WINDOWS\SYSTEM32\MSECLSR.EXE
C:\WINDOWS\SYSTEM32\MSEEZNQ.EXE
C:\WINDOWS\SYSTEM32\MSEJPMD.EXE
C:\WINDOWS\SYSTEM32\MSELMKFX.EXE
C:\WINDOWS\SYSTEM32\MSETYQA.EXE
C:\WINDOWS\SYSTEM32\MSFETCVR.EXE
C:\WINDOWS\SYSTEM32\MSFMVL.EXE
C:\WINDOWS\SYSTEM32\MSFUGOF.EXE
C:\WINDOWS\SYSTEM32\MSFZUUN.EXE
C:\WINDOWS\SYSTEM32\MSFZXZDN.EXE
C:\WINDOWS\SYSTEM32\MSGFJ.EXE
C:\WINDOWS\SYSTEM32\MSGIGN.EXE
C:\WINDOWS\SYSTEM32\MSGIJ.EXE
C:\WINDOWS\SYSTEM32\MSGIUUG.EXE
C:\WINDOWS\SYSTEM32\MSGNBZQL.EXE
C:\WINDOWS\SYSTEM32\MSGTNW.EXE
C:\WINDOWS\SYSTEM32\MSHAQ.EXE
C:\WINDOWS\SYSTEM32\MSHCLW.EXE
C:\WINDOWS\SYSTEM32\MSHEUVE.EXE
C:\WINDOWS\SYSTEM32\MSHWDZ.EXE
C:\WINDOWS\SYSTEM32\MSHXTCPB.EXE
C:\WINDOWS\SYSTEM32\MSHZBFL.EXE
C:\WINDOWS\SYSTEM32\MSIDVEV.EXE
C:\WINDOWS\SYSTEM32\MSIHHT.EXE
C:\WINDOWS\SYSTEM32\MSIUDNE.EXE
C:\WINDOWS\SYSTEM32\MSIUV.EXE
C:\WINDOWS\SYSTEM32\MSIXTY.EXE
C:\WINDOWS\SYSTEM32\MSIXVRGB.EXE
C:\WINDOWS\SYSTEM32\MSJAFGPT.EXE
C:\WINDOWS\SYSTEM32\MSJBLF.EXE
C:\WINDOWS\SYSTEM32\MSJLVPU.EXE
C:\WINDOWS\SYSTEM32\MSJMCMY.EXE
C:\WINDOWS\SYSTEM32\MSJQQUWG.EXE
C:\WINDOWS\SYSTEM32\MSJSZUKT.EXE
C:\WINDOWS\SYSTEM32\MSJURZS.EXE
C:\WINDOWS\SYSTEM32\MSJXFJ.EXE
C:\WINDOWS\SYSTEM32\MSJXR.EXE
C:\WINDOWS\SYSTEM32\MSJYDOH.EXE
C:\WINDOWS\SYSTEM32\MSJZJMU.EXE
C:\WINDOWS\SYSTEM32\MSKARJ.EXE
C:\WINDOWS\SYSTEM32\MSKCUNJ.EXE
C:\WINDOWS\SYSTEM32\MSKEY.EXE
C:\WINDOWS\SYSTEM32\MSKGFHEF.EXE
C:\WINDOWS\SYSTEM32\MSKJPI.EXE
C:\WINDOWS\SYSTEM32\MSKQE.EXE
C:\WINDOWS\SYSTEM32\MSKRRIXF.EXE
C:\WINDOWS\SYSTEM32\MSKSO.EXE
C:\WINDOWS\SYSTEM32\MSKYEVT.EXE
C:\WINDOWS\SYSTEM32\MSKYSNDX.EXE
C:\WINDOWS\SYSTEM32\MSLIP.EXE
C:\WINDOWS\SYSTEM32\MSLMPY.EXE
C:\WINDOWS\SYSTEM32\MSLMUFA.EXE
C:\WINDOWS\SYSTEM32\MSLWFBR.EXE
C:\WINDOWS\SYSTEM32\MSLYBPEC.EXE
C:\WINDOWS\SYSTEM32\MSMDOTSI.EXE
C:\WINDOWS\SYSTEM32\MSMNGA.EXE
C:\WINDOWS\SYSTEM32\MSMPB.EXE
C:\WINDOWS\SYSTEM32\MSMSXFF.EXE
C:\WINDOWS\SYSTEM32\MSMTGR.EXE
C:\WINDOWS\SYSTEM32\MSMTUVF.EXE
C:\WINDOWS\SYSTEM32\MSMUQQF.EXE
C:\WINDOWS\SYSTEM32\MSMXUEX.EXE
C:\WINDOWS\SYSTEM32\MSNCCQ.EXE
C:\WINDOWS\SYSTEM32\MSNDX.EXE
C:\WINDOWS\SYSTEM32\MSNFPO.EXE
C:\WINDOWS\SYSTEM32\MSNGM.EXE
C:\WINDOWS\SYSTEM32\MSNIC.EXE
C:\WINDOWS\SYSTEM32\MSNQHM.EXE
C:\WINDOWS\SYSTEM32\MSNRLGKI.EXE
C:\WINDOWS\SYSTEM32\MSNVWNG.EXE
C:\WINDOWS\SYSTEM32\MSNVX.EXE
C:\WINDOWS\SYSTEM32\MSNXWLS.EXE
C:\WINDOWS\SYSTEM32\MSNZB.EXE
C:\WINDOWS\SYSTEM32\MSNZBC.EXE
C:\WINDOWS\SYSTEM32\MSOEP.EXE
C:\WINDOWS\SYSTEM32\MSOHS.EXE
C:\WINDOWS\SYSTEM32\MSOIRT.EXE
C:\WINDOWS\SYSTEM32\MSOSGUAN.EXE
C:\WINDOWS\SYSTEM32\MSOUY.EXE
C:\WINDOWS\SYSTEM32\MSPIBXK.EXE
C:\WINDOWS\SYSTEM32\MSPKCJ.EXE
C:\WINDOWS\SYSTEM32\MSPMUBX.EXE
C:\WINDOWS\SYSTEM32\MSPNBRM.EXE
C:\WINDOWS\SYSTEM32\MSPNSCE.EXE
C:\WINDOWS\SYSTEM32\MSPSWS.EXE
C:\WINDOWS\SYSTEM32\MSPSX.EXE
C:\WINDOWS\SYSTEM32\MSPYQHL.EXE
C:\WINDOWS\SYSTEM32\MSPYTSR.EXE
C:\WINDOWS\SYSTEM32\MSQFL.EXE
C:\WINDOWS\SYSTEM32\MSQHM.EXE
C:\WINDOWS\SYSTEM32\MSQKNPZG.EXE
C:\WINDOWS\SYSTEM32\MSQLKB.EXE
C:\WINDOWS\SYSTEM32\MSQPJA.EXE
C:\WINDOWS\SYSTEM32\MSQQWLJL.EXE
C:\WINDOWS\SYSTEM32\MSQRZ.EXE
C:\WINDOWS\SYSTEM32\MSQSHJ.EXE
C:\WINDOWS\SYSTEM32\MSQUKNVQ.EXE
C:\WINDOWS\SYSTEM32\MSQXWHYN.EXE
C:\WINDOWS\SYSTEM32\MSRADD.EXE
C:\WINDOWS\SYSTEM32\MSREHKDR.EXE
C:\WINDOWS\SYSTEM32\MSRFT.EXE
C:\WINDOWS\SYSTEM32\MSRHWQ.EXE
C:\WINDOWS\SYSTEM32\MSRKYWK.EXE
C:\WINDOWS\SYSTEM32\MSRWI.EXE
C:\WINDOWS\SYSTEM32\MSRZWT.EXE
C:\WINDOWS\SYSTEM32\MSSNH.EXE
C:\WINDOWS\SYSTEM32\MSSQYF.EXE
C:\WINDOWS\SYSTEM32\MSSTIPFP.EXE
C:\WINDOWS\SYSTEM32\MSSWXLM.EXE
C:\WINDOWS\SYSTEM32\MSSYQE.EXE
C:\WINDOWS\SYSTEM32\MSTAAHSA.EXE
C:\WINDOWS\SYSTEM32\MSTBRRT.EXE
C:\WINDOWS\SYSTEM32\MSTFRFSE.EXE
C:\WINDOWS\SYSTEM32\MSTMM.EXE
C:\WINDOWS\SYSTEM32\MSTPE.EXE
C:\WINDOWS\SYSTEM32\MSTRK.EXE
C:\WINDOWS\SYSTEM32\MSTRXM.EXE
C:\WINDOWS\SYSTEM32\MSTZIRJK.EXE
C:\WINDOWS\SYSTEM32\MSUBUJ.EXE
C:\WINDOWS\SYSTEM32\MSUEEW.EXE
C:\WINDOWS\SYSTEM32\MSUJDE.EXE
C:\WINDOWS\SYSTEM32\MSUJTP.EXE
C:\WINDOWS\SYSTEM32\MSUKIGMD.EXE
C:\WINDOWS\SYSTEM32\MSUPQVL.EXE
C:\WINDOWS\SYSTEM32\MSUVEBJ.EXE
C:\WINDOWS\SYSTEM32\MSUYW.EXE
C:\WINDOWS\SYSTEM32\MSUZRAH.EXE
C:\WINDOWS\SYSTEM32\MSUZU.EXE
C:\WINDOWS\SYSTEM32\MSUZZL.EXE
C:\WINDOWS\SYSTEM32\MSVARAMJ.EXE
C:\WINDOWS\SYSTEM32\MSVBU.EXE
C:\WINDOWS\SYSTEM32\MSVDR.EXE
C:\WINDOWS\SYSTEM32\MSVNDE.EXE
C:\WINDOWS\SYSTEM32\MSVQVU.EXE
C:\WINDOWS\SYSTEM32\MSVSSRA.EXE
C:\WINDOWS\SYSTEM32\MSWBGBO.EXE
C:\WINDOWS\SYSTEM32\MSWCCR.EXE
C:\WINDOWS\SYSTEM32\MSWIVDW.EXE
C:\WINDOWS\SYSTEM32\MSWMR.EXE
C:\WINDOWS\SYSTEM32\MSWNEEJM.EXE
C:\WINDOWS\SYSTEM32\MSWSQ.EXE
C:\WINDOWS\SYSTEM32\MSWVBQTS.EXE
C:\WINDOWS\SYSTEM32\MSWWSGD.EXE
C:\WINDOWS\SYSTEM32\MSXEPKT.EXE
C:\WINDOWS\SYSTEM32\MSXOHIY.EXE
C:\WINDOWS\SYSTEM32\MSXRRSS.EXE
C:\WINDOWS\SYSTEM32\MSXRVHT.EXE
C:\WINDOWS\SYSTEM32\MSXRXPQO.EXE
C:\WINDOWS\SYSTEM32\MSXTLEER.EXE
C:\WINDOWS\SYSTEM32\MSXUP.EXE
C:\WINDOWS\SYSTEM32\MSXYVOY.EXE
C:\WINDOWS\SYSTEM32\MSXZUUCG.EXE
C:\WINDOWS\SYSTEM32\MSYBW.EXE
C:\WINDOWS\SYSTEM32\MSYESGN.EXE
C:\WINDOWS\SYSTEM32\MSYLW.EXE
C:\WINDOWS\SYSTEM32\MSYSGN.EXE
C:\WINDOWS\SYSTEM32\MSYYPO.EXE
C:\WINDOWS\SYSTEM32\MSZCA.EXE
C:\WINDOWS\SYSTEM32\MSZDXRG.EXE
C:\WINDOWS\SYSTEM32\MSZIC.EXE
C:\WINDOWS\SYSTEM32\MSZIRP.EXE
C:\WINDOWS\SYSTEM32\MSZRXQ.EXE
C:\WINDOWS\SYSTEM32\MSZRYU.EXE
C:\WINDOWS\SYSTEM32\MSZSN.EXE
C:\WINDOWS\SYSTEM32\MSZTIM.EXE
C:\WINDOWS\SYSTEM32\MSZUS.EXE
C:\WINDOWS\SYSTEM32\MSZYHA.EXE

Trojan.Unclassified/MSXML71
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d}
HKCR\CLSID\{500BCA15-57A7-4EAF-8143-8C619470B13D}
HKCR\CLSID\{500BCA15-57A7-4EAF-8143-8C619470B13D}
HKCR\CLSID\{500BCA15-57A7-4EAF-8143-8C619470B13D}#Install
HKCR\CLSID\{500BCA15-57A7-4EAF-8143-8C619470B13D}\inprocserver32
HKCR\CLSID\{500BCA15-57A7-4EAF-8143-8C619470B13D}\inprocserver32#ThreadingModel
HKCR\CLSID\{500BCA15-57A7-4EAF-8143-8C619470B13D}\progid
HKCR\CLSID\{500BCA15-57A7-4EAF-8143-8C619470B13D}\programmable
HKCR\CLSID\{500BCA15-57A7-4EAF-8143-8C619470B13D}\typelib
HKCR\CLSID\{500BCA15-57A7-4EAF-8143-8C619470B13D}\versionindependentprogid
HKCR\XML.XML.1
HKCR\XML.XML.1\clsid
HKCR\XML.XML
HKCR\XML.XML\clsid
HKCR\XML.XML\curver
HKCR\TypeLib\{E24211B3-A78A-C6A9-D317-70979ACE5058}
HKCR\TypeLib\{E24211B3-A78A-C6A9-D317-70979ACE5058}\.0
HKU\s-1-5-21-1659004503-1454471165-839522115-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d}
C:\DOCUMENTS AND SETTINGS\XPPRESP3\LOCAL SETTINGS\TEMP\MSXML71.DLL

Rootkit.Mailer/Gen
HKLM\system\controlset002\services\a2fd3a99
C:\WINDOWS\SYSTEM32\DRIVERS\A2FD3A99.SYS
HKLM\system\controlset003\services\a2fd3a99

Rootkit.Agent/Gen-Rustock
HKLM\system\controlset002\services\d306ef5e
C:\WINDOWS\SYSTEM32\DRIVERS\D306EF5E.SYS

Adware.Tracking Cookie
C:\Documents and Settings\XPPRESP3\Cookies\xppresp3@russianpornoxxx[1].txt
C:\Documents and Settings\XPPRESP3\Cookies\xppresp3@www.teeniepornotube[1].txt
C:\Documents and Settings\XPPRESP3\Cookies\xppresp3@www.pornflvs[1].txt
C:\Documents and Settings\XPPRESP3\Cookies\xppresp3@teeniepornotube[1].txt
C:\Documents and Settings\XPPRESP3\Cookies\xppresp3@adultsex[1].txt
C:\Documents and Settings\XPPRESP3\Cookies\xppresp3@www.splifyxxxclips[1].txt
C:\Documents and Settings\XPPRESP3\Cookies\xppresp3@stat.winrar2009[2].txt
C:\Documents and Settings\XPPRESP3\Cookies\xppresp3@www.nakedtighties[3].txt
C:\Documents and Settings\XPPRESP3\Cookies\xppresp3@www.nakedtighties[1].txt

Trojan.Agent/Gen
HKU\s-1-5-21-1659004503-1454471165-839522115-1001\SOFTWARE\XML

Trojan.Agent/Gen-FraudLoad
C:\DOCUMENTS AND SETTINGS\XPPRESP3\LOCAL SETTINGS\TEMP\204.EXE

Trojan.Downloader-Gen/A
C:\DOCUMENTS AND SETTINGS\XPPRESP3\LOCAL SETTINGS\TEMP\A.EXE

#7 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 10 August 2009 - 04:53 PM

Hmm. . . I think I see the baddie. . . but let's double check.

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
~Blade


In your next reply, please include the following:
sarscan.log


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#8 maged918

maged918
  • Topic Starter

  • Members
  • 22 posts

Posted 11 August 2009 - 11:06 AM

Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 11/08/2009 at 16:21:31
User "XPPRESP3" on computer "WW"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Hidden: process C:\WINDOWS\system32\svchost.exe
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Stopped logging on 11/08/2009 at 16:29:39


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 11/08/2009 at 16:29:56
User "XPPRESP3" on computer "WW"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Error: Could not start the helper process - unable to complete scan.
Please restart and try again.
Incorrect function.
Info: Starting registry scan.
Stopped logging on 11/08/2009 at 16:30:32


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 11/08/2009 at 16:31:14
User "XPPRESP3" on computer "WW"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Hidden: process C:\WINDOWS\system32\svchost.exe
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Hidden: file C:\Documents and Settings\XPPRESP3\Local Settings\Application Data\Microsoft\Messenger\delicaterose86@hotmail.com\SharingMetadata\exoterminator@yahoo.com\DFSR\Staging\CS{74A49E8A-790E-5B1A-EDC9-49EFE3E3E486}\27\27-{CED661B5-DE4A-4F6E-A591-DFCD3EE62C13}-v27-{CED661B5-DE4A-4F6E-A591-DFCD3EE62C13}-v27-Downloaded.frx
Hidden: file C:\Documents and Settings\XPPRESP3\Local Settings\Application Data\Microsoft\Messenger\delicaterose86@hotmail.com\SharingMetadata\exoterminator@yahoo.com\DFSR\Staging\CS{74A49E8A-790E-5B1A-EDC9-49EFE3E3E486}\28\28-{CED661B5-DE4A-4F6E-A591-DFCD3EE62C13}-v28-{CED661B5-DE4A-4F6E-A591-DFCD3EE62C13}-v28-Downloaded.frx
Hidden: file C:\Documents and Settings\XPPRESP3\Local Settings\Application Data\Microsoft\Messenger\delicaterose86@hotmail.com\SharingMetadata\exoterminator@yahoo.com\DFSR\Staging\CS{74A49E8A-790E-5B1A-EDC9-49EFE3E3E486}\29\29-{CED661B5-DE4A-4F6E-A591-DFCD3EE62C13}-v29-{CED661B5-DE4A-4F6E-A591-DFCD3EE62C13}-v29-Downloaded.frx
Hidden: file C:\Documents and Settings\XPPRESP3\Local Settings\Application Data\Microsoft\Messenger\delicaterose86@hotmail.com\SharingMetadata\exoterminator@yahoo.com\DFSR\Staging\CS{74A49E8A-790E-5B1A-EDC9-49EFE3E3E486}\33\33-{CED661B5-DE4A-4F6E-A591-DFCD3EE62C13}-v33-{CED661B5-DE4A-4F6E-A591-DFCD3EE62C13}-v33-Downloaded.frx
Hidden: file C:\Documents and Settings\XPPRESP3\Local Settings\Application Data\Microsoft\Messenger\delicaterose86@hotmail.com\SharingMetadata\exoterminator@yahoo.com\DFSR\Staging\CS{74A49E8A-790E-5B1A-EDC9-49EFE3E3E486}\34\34-{CED661B5-DE4A-4F6E-A591-DFCD3EE62C13}-v34-{CED661B5-DE4A-4F6E-A591-DFCD3EE62C13}-v34-Downloaded.frx
Hidden: file C:\Documents and Settings\XPPRESP3\Local Settings\Application Data\Microsoft\Messenger\delicaterose86@hotmail.com\SharingMetadata\exoterminator@yahoo.com\DFSR\Staging\CS{74A49E8A-790E-5B1A-EDC9-49EFE3E3E486}\35\35-{CED661B5-DE4A-4F6E-A591-DFCD3EE62C13}-v35-{CED661B5-DE4A-4F6E-A591-DFCD3EE62C13}-v35-Downloaded.frx
Hidden: file C:\Documents and Settings\XPPRESP3\Local Settings\Application Data\Microsoft\Messenger\maged918@hotmail.com\SharingMetadata\mahashalaby140@hotmail.com\DFSR\Staging\CS{34104D15-4072-7800-F7EE-730AB18392A2}\01\10-{34104D15-4072-7800-F7EE-730AB18392A2}-v1-{D2AB502E-EF8D-46A9-BD70-805712A51228}-v10-Downloaded.frx
Hidden: file C:\Documents and Settings\XPPRESP3\Local Settings\Application Data\Microsoft\Messenger\maged918@hotmail.com\SharingMetadata\mahashalaby140@hotmail.com\DFSR\Staging\CS{34104D15-4072-7800-F7EE-730AB18392A2}\12\19-{C645EE7C-DE4B-4AF3-8C60-ED5797E25434}-v12-{74026315-51F3-40AE-861C-4259C3118D8A}-v19-Downloaded.frx
Hidden: file C:\Program Files\Native Instruments\Traktor\Traktor.exe.BAK
Hidden: file C:\Documents and Settings\XPPRESP3\Local Settings\Application Data\Microsoft\Messenger\delicaterose86@hotmail.com\SharingMetadata\exoterminator@yahoo.com\DFSR\Staging\CS{74A49E8A-790E-5B1A-EDC9-49EFE3E3E486}\01\10-{74A49E8A-790E-5B1A-EDC9-49EFE3E3E486}-v1-{09606588-2F94-4206-B861-CD5D231B159B}-v10-Downloaded.frx
Hidden: file C:\Documents and Settings\XPPRESP3\Local Settings\Application Data\Microsoft\Messenger\maged918@hotmail.com\SharingMetadata\ahmedalian12@hotmail.com\DFSR\Staging\CS{C4A29176-D88C-F753-2546-B087916708EC}\01\11-{C4A29176-D88C-F753-2546-B087916708EC}-v1-{D2AB502E-EF8D-46A9-BD70-805712A51228}-v11-Downloaded.frx
Hidden: file C:\Program Files\Java\jre6\bin\rmid.exe
Hidden: file C:\WINDOWS\Temp\Perflib_Perfdata_290.dat
Hidden: file C:\WINDOWS\system32\drivers\c67bbc2d.sys
Hidden: file C:\WINDOWS\system32\vhosts.exe
Info: Starting disk scan of D: (NTFS).
Hidden: file D:\WINDOWS\$NtUninstallKB835732$\gdi32.dll
Hidden: file D:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll
Hidden: file D:\WINDOWS\$NtUninstallKB835732$\msasn1.dll
Hidden: file D:\WINDOWS\$NtUninstallKB835732$\msgina.dll
Hidden: file D:\WINDOWS\$NtUninstallKB835732$\schannel.dll
Hidden: file D:\WINDOWS\$NtUninstallKB835732$\h323.tsp
Hidden: file D:\WINDOWS\$NtUninstallKB835732$\h323msp.dll
Hidden: file D:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll
Hidden: file D:\WINDOWS\$NtUninstallKB835732$\mf3216.dll
Hidden: file D:\WINDOWS\$NtUninstallKB835732$\netapi32.dll
Hidden: file D:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll
Hidden: file D:\WINDOWS\$NtUninstallKB835732$\callcont.dll
Hidden: file D:\WINDOWS\$NtUninstallKB835732$\mst120.dll
Hidden: file D:\WINDOWS\$NtUninstallKB835732$\nmcom.dll
Hidden: file D:\WINDOWS\$NtUninstallKB835732$\helpctr.exe
Hidden: file D:\WINDOWS\$NtUninstallKB833330$\Blastcln\blastcln.exe
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\comuid.dll
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\es.dll
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\ole32.dll
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\rpcss.dll
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\txflog.dll
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\catsrv.dll
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\colbact.dll
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\comadmin.dll
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\comrepl.exe
Hidden: file D:\WINDOWS\$NtUninstallKB828741$\migregdb.exe
Info: Starting disk scan of E: (FAT).
Hidden: file E:\Program Files\Adobe\Adobe Bridge CS3\AdobeLM_libFNP.dll
Info: Starting disk scan of F: (FAT).
Info: Starting disk scan of G: (FAT).
Info: Starting disk scan of H: (FAT).
Info: Starting disk scan of I: (FAT).
Stopped logging on 11/08/2009 at 17:35:02
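
The sarscan.log above mixes genuinely alarming entries (a hidden svchost.exe process, a hidden driver with a random eight-hex-character name, a hidden vhosts.exe in system32) with items Windows and ordinary applications hide on their own (the $NtUninstallKB* hotfix folders, Perflib temp data, Messenger DFSR staging files). The following script is an added example, not part of the thread or of Sophos's tooling: it parses the "Hidden:" lines of a log in this format and sorts them into suspicious / review / likely-benign buckets. The sample log is a constructed excerpt built from a few of the paths quoted above, and the triage rules are this example's own assumptions, not Sophos verdicts.

```python
import re

# Constructed sample input: a short excerpt in the sarscan.log format posted in
# the thread (not the full log). Backslashes are doubled for the Python literal.
SAMPLE_LOG = """Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 11/08/2009 at 16:31:14
Info: Starting process scan.
Hidden: process C:\\WINDOWS\\system32\\svchost.exe
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\\WINDOWS\\system32\\drivers\\sptd.sys
Hidden: file C:\\Program Files\\Java\\jre6\\bin\\rmid.exe
Hidden: file C:\\WINDOWS\\Temp\\Perflib_Perfdata_290.dat
Hidden: file C:\\WINDOWS\\system32\\drivers\\c67bbc2d.sys
Hidden: file C:\\WINDOWS\\system32\\vhosts.exe
Info: Starting disk scan of D: (NTFS).
Hidden: file D:\\WINDOWS\\$NtUninstallKB835732$\\gdi32.dll
Stopped logging on 11/08/2009 at 17:35:02
"""

HIDDEN_RE = re.compile(r"^Hidden:\s+(process|file)\s+(.+?)\s*$")
# Eight lowercase hex characters plus a driver/library/executable extension:
# the naming pattern of the rootkit drivers the scanners in this thread reported.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}\.(sys|dll|exe)$")


def parse_hidden(log_text):
    """Return [(kind, path), ...] for every 'Hidden:' line in a sarscan.log."""
    found = []
    for line in log_text.splitlines():
        m = HIDDEN_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def classify(kind, path):
    """Heuristic triage of one hidden item: 'suspicious', 'review' or
    'likely-benign'. These rules are this example's assumptions."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    # Hotfix uninstall folders, perf-counter temp files and Messenger DFSR
    # staging data are hidden by the OS or the application itself.
    if "\\$ntuninstallkb" in p:
        return "likely-benign"
    if "\\dfsr\\staging\\" in p and name.endswith(".frx"):
        return "likely-benign"
    if name.startswith("perflib_perfdata_") and name.endswith(".dat"):
        return "likely-benign"
    # A running process hidden from the Windows API is the classic rootkit symptom.
    if kind == "process":
        return "suspicious"
    # Random 8-hex-char driver names in system32\drivers match the
    # Rootkit.Agent/Gen-Rustock style detections earlier in the thread.
    if "\\system32\\drivers\\" in p and HEX_NAME_RE.match(name):
        return "suspicious"
    # A hidden .exe sitting directly in system32 has no legitimate reason to be hidden.
    if p.endswith("\\system32\\" + name) and name.endswith(".exe"):
        return "suspicious"
    # Anything else hidden (sptd.sys, a Java binary, ...) needs a human look.
    return "review"


def triage(log_text):
    """Group the hidden items of a log by verdict, preserving log order."""
    buckets = {"suspicious": [], "review": [], "likely-benign": []}
    for kind, path in parse_hidden(log_text):
        buckets[classify(kind, path)].append(path)
    return buckets


if __name__ == "__main__":
    for verdict, paths in triage(SAMPLE_LOG).items():
        print(verdict)
        for path in paths:
            print("   ", path)
```

Run it against a real sarscan.log by reading the file into `triage()`. The "review" bucket is deliberately conservative: sptd.sys, for instance, is hidden by design by some disc-emulation software, but a hidden driver is still worth confirming by hand rather than auto-clearing.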

#9 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 12 August 2009 - 06:14 PM

Let's try running Malwarebytes this way.

If you have problems getting MBAM to execute after installation, navigate to the folder MBAM installed to and rename mbam.exe to winlogon.exe. Then double click on the file you just renamed to launch the program. Once MBAM is running, make sure you've updated it and then run a Quick scan and post the log back please.

~Blade


In your next reply, please include the following:
Malwarebytes log

Edited by Blade Zephon, 12 August 2009 - 06:15 PM.



#10 maged918

maged918
  • Topic Starter

  • Members
  • 22 posts

Posted 13 August 2009 - 05:12 PM

It gives me an error during installation (even though it finishes) and the same error when opening it. (I did rename it)

Run-time error "0" with a title bar of "vbAccelerator SGrid II control"

then another error: Run-time error 440 : Automation error

BTW, that was the same error appearing to me before when attempting to run in safe mode. I automatically assumed that this was because of the infections..

#11 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 13 August 2009 - 06:07 PM

This infection is becoming a very unique situation. I think more powerful tools will be required to defeat it; tools we don't use in AII. With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!

~Blade



#12 maged918

maged918
  • Topic Starter

  • Members
  • 22 posts

Posted 14 August 2009 - 12:49 PM

So I posted the topic, but DDS told me, after running and showing the cmd window: "The batch file could not be found"
Oh and by the way, thanks for everything

#13 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 14 August 2009 - 01:08 PM

Try DDS in safe mode

Rename it before saving it to your desktop

Scan.scr
Chewy

No. Try not. Do... or do not. There is no try.

#14 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,805 posts
  • Gender:Not Telling
  • Location:Bloomington, IN

Posted 14 August 2009 - 01:23 PM

Hello maged918,

Since your topic in the HiJack This forum contains no logs and because you stated so here as well, I'm going to delete that topic.

To answer the other question in that post, you should provide a succinct description of your current problems, state that you received assistance here and include the link to this topic.

If you are unable to run DDS in Safe Mode, please post back here and you will receive further instructions.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#15 maged918

maged918
  • Topic Starter

  • Members
  • 22 posts

Posted 14 August 2009 - 01:47 PM

I'm in safe mode right now, and DDS (even after renaming it) isn't working either. It's giving me: "The system can't find the file specified"

And I'll keep that in mind when posting a new topic orange blossom, thanks.
