Suspect Malware.... Help... Please....


35 replies to this topic

#1 Sheo

Posted 18 August 2009 - 03:04 PM

This is my problem..

This has been a problem for months and I never paid much attention to it cause I lost my McAfee antivirus, so I just haven't been using my computer as much as of late...

But anyway, the issue is Google redirects me to random pages, Malwarebytes won't run after the install, AdAware stopped working and won't let me update it, my computer will not start up as quickly as before, Check Disk won't check the disk for errors when I restart even though I asked it to (after the Windows loading screen it flashes it for about a second, then it finishes and moves on to the log-on screen). Oh, and I can't forget the defrag, man this has been a pain, alright, that won't run either.

>.< I haven't gotten sleep cause of this and now I decided to ask for help. Please, anyone, all I'm doing is trying to tackle each issue one at a time, but nothing is working for me. I've read all over the internet about this issue and it's Malware.... Help...

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

#2 neomage

Posted 18 August 2009 - 03:31 PM

Hello, Sheo.
Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Select the Immediate Notification bullet. Then press Submit.



:flowers: We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

:thumbsup: Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
In your next reply, please include the following:
  • RootRepeal.txt
  • SUPERAntiSpyware Scan Log

Regards,
neomage

#3 Sheo

Posted 18 August 2009 - 03:44 PM

Okay, I'll start it up right away!

#4 Sheo

Posted 18 August 2009 - 03:50 PM

Sorry.. the SAS link didn't let me download it right off the site, so I tried CNET and it downloaded. Now when I try to run it, it says it encountered an error and it needs to close.... Man, what a headache this thing is..

#5 neomage

Posted 18 August 2009 - 03:53 PM

Please follow the steps in the order given; try SAS in Safe Mode.

#6 Sheo

Posted 18 August 2009 - 03:55 PM

Please follow the steps in the order given; try SAS in Safe Mode.


Um... it downloaded but it encounters an error before it installs, would you like me to start up windows in safe mode and try once more?

#7 Sheo

Posted 18 August 2009 - 04:11 PM

I'm on my iPhone and I just tried to install SAS in safe mode, the same encountered error... What do I do...

#8 neomage

Posted 18 August 2009 - 04:23 PM

Skip SAS for now; complete and post step 1.

#9 Sheo

Posted 18 August 2009 - 04:43 PM

Sorry I took so long, but I scanned it once more just in case. Here's the report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/18 17:35
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA14F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B19000 Size: 8192 File Visible: No Signed: -
Status: -

Name: gxvxcfodjklyxmtakxyxvkbmlwaimokqjrwqb.sys
Image Path: C:\WINDOWS\system32\drivers\gxvxcfodjklyxmtakxyxvkbmlwaimokqjrwqb.sys
Address: 0xAA68F000 Size: 90112 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: PCI_PNP5816
Image Path: \Driver\PCI_PNP5816
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA6B61000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spjy.sys
Image Path: spjy.sys
Address: 0xF74CE000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\gxvxccounter
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gxvxciqqojisrqppjeuwputobigftmewpdofu.dll
Status: Invisible to the Windows API!

Path: c:\windows\temp\mcmsc_kkf2f2renbw5sxd
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\WINDOWS\system32\drivers\gxvxcfodjklyxmtakxyxvkbmlwaimokqjrwqb.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\gxvxcirqdxlturdwxgoaqmncsaoyjawppyiln.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\gxvxcjepfqeodlsjwrxsadwvakrlsuntkoyuo.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\gxvxcneyubybppqdtkkcuacpotyxnjclypepd.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\gxvxcyxltjnpsxmaogplapkcowupvaxinaeyo.sys
Status: Invisible to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spjy.sys" at address 0xf74cf0e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spjy.sys" at address 0xf74edca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spjy.sys" at address 0xf74ee030

#: 119 Function Name: NtOpenKey
Status: Hooked by "spjy.sys" at address 0xf74cf0c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spjy.sys" at address 0xf74ee108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spjy.sys" at address 0xf74edf88

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spjy.sys" at address 0xf74ee19a

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x873d51f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x86a66500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x86a66500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x86a66500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x86a66500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86a66500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86a66500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x86a66500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x86a66500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86a66500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86a66500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86a66500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86a66500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86a66500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86a66500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86a66500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86a66500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x86a66500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x86a66500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System Address: 0x86bcc500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System Address: 0x86bcc500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System Address: 0x86bcc500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System Address: 0x86bcc500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86bcc500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86bcc500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System Address: 0x86bcc500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86bcc500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System Address: 0x86bcc500 Size: 121

Object: Hidden Code [Driver: ay7q68f6Ѕ扏煓Ёం浍瑓飀ူ, IRP_MJ_CREATE]
Process: System Address: 0x870001f8 Size: 121

Object: Hidden Code [Driver: ay7q68f6Ѕ扏煓Ёం浍瑓飀ူ, IRP_MJ_CLOSE]
Process: System Address: 0x870001f8 Size: 121

Object: Hidden Code [Driver: ay7q68f6Ѕ扏煓Ёం浍瑓飀ူ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x870001f8 Size: 121

Object: Hidden Code [Driver: ay7q68f6Ѕ扏煓Ёం浍瑓飀ူ, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x870001f8 Size: 121

Object: Hidden Code [Driver: ay7q68f6Ѕ扏煓Ёం浍瑓飀ူ, IRP_MJ_POWER]
Process: System Address: 0x870001f8 Size: 121

Object: Hidden Code [Driver: ay7q68f6Ѕ扏煓Ёం浍瑓飀ူ, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x870001f8 Size: 121

Object: Hidden Code [Driver: ay7q68f6Ѕ扏煓Ёం浍瑓飀ူ, IRP_MJ_PNP]
Process: System Address: 0x870001f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x870591f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x870591f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x870591f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x870591f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x870591f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x870591f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x870591f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x870591f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x870591f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x870591f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x870591f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x873671f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x873671f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873671f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873671f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x873671f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873671f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x873671f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x873d71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x873d71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x873d71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x873d71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873d71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873d71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873d71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x873d71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873d71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x873d71f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x870371f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x870371f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x870371f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x870371f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x870371f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x870371f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x870371f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x873681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x873681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x873681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x873681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x873681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873681f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x873681f8 Size: 121

Object: Hidden Code [Driver: viamraid, IRP_MJ_CREATE]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: viamraid, IRP_MJ_CLOSE]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: viamraid, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: viamraid, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: viamraid, IRP_MJ_POWER]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: viamraid, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: viamraid, IRP_MJ_PNP]
Process: System Address: 0x873d61f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x86c751f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x86c751f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86c751f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86c751f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x86c751f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x86c751f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x870d21f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x870d21f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x870d21f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x870d21f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x870d21f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x870d21f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x870d21f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x86bde1f8 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_CREATE]
Process: System Address: 0x86a9f500 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_CLOSE]
Process: System Address: 0x86a9f500 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_READ]
Process: System Address: 0x86a9f500 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86a9f500 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86a9f500 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86a9f500 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86a9f500 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86a9f500 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86a9f500 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86a9f500 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86a9f500 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_CLEANUP]
Process: System Address: 0x86a9f500 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_PNP]
Process: System Address: 0x86a9f500 Size: 121

Hidden Services
-------------------
Service Name: gxvxcserv.sys
Image Path: C:\WINDOWS\system32\drivers\gxvxcfodjklyxmtakxyxvkbmlwaimokqjrwqb.sys

==EOF==

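To show what a helper is reading off a report like the one above, here is an added Python example (not part of this thread or of RootRepeal itself) that parses the report's sections, lists the drivers, files and services hidden from the Windows API together with the SSDT hooks, and groups the hidden artifacts by their shared random-name prefix. The embedded sample is a constructed, trimmed copy of the report posted above; the function names are this example's own.

```python
import ntpath
import re
from collections import Counter

# Constructed sample: a trimmed copy of the RootRepeal report posted above.
SAMPLE_REPORT = r"""
ROOTREPEAL (c) AD, 2007-2009
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA14F000 Size: 98304 File Visible: No Signed: -
Status: -

Name: gxvxcfodjklyxmtakxyxvkbmlwaimokqjrwqb.sys
Image Path: C:\WINDOWS\system32\drivers\gxvxcfodjklyxmtakxyxvkbmlwaimokqjrwqb.sys
Address: 0xAA68F000 Size: 90112 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\gxvxccounter
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gxvxciqqojisrqppjeuwputobigftmewpdofu.dll
Status: Invisible to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spjy.sys" at address 0xf74cf0e0

Hidden Services
-------------------
Service Name: gxvxcserv.sys
Image Path: C:\WINDOWS\system32\drivers\gxvxcfodjklyxmtakxyxvkbmlwaimokqjrwqb.sys

==EOF==
"""

HIDDEN = re.compile(r"hidden|invisible", re.I)
HOOK = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-f]+)', re.I)
FUNC = re.compile(r"Function Name: (\w+)")


def parse_sections(report):
    """Map section name -> entries; an entry is a dict of the 'Key: value'
    lines in one blank-line-delimited block under a dashed header."""
    sections, current, entry = {}, None, {}
    lines = report.splitlines() + ["", ""]      # padding flushes the last entry
    for line, nxt in zip(lines, lines[1:]):
        if line.strip() and nxt.startswith("---"):   # "Drivers" above a dash rule
            current = line.strip()
            sections[current] = []
        elif current and line.startswith(("---", "==EOF==")):
            pass
        elif not line.strip():                       # blank line closes an entry
            if entry:
                sections[current].append(entry)
            entry = {}
        elif current:
            key, sep, value = line.partition(": ")   # split on the first "Key: " only
            if sep:
                entry[key] = value.strip()
    return sections


def extract_indicators(report):
    """Pull the actionable signs out of a report. Decide on the Status text,
    not on 'File Visible: No': crash-dump drivers (dump_*.sys) and
    rootrepeal.sys itself are legitimately memory-only."""
    s = parse_sections(report)
    ind = {
        "hidden_drivers": [e.get("Name", "") for e in s.get("Drivers", [])
                           if HIDDEN.search(e.get("Status", ""))],
        "hidden_files": [e.get("Path", "") for e in s.get("Hidden/Locked Files", [])
                         if HIDDEN.search(e.get("Status", ""))],
        "hidden_services": [(e.get("Service Name", ""), e.get("Image Path", ""))
                            for e in s.get("Hidden Services", [])],
        "ssdt_hooks": [],   # (function, hooking driver, hook address); needs triage,
    }                       # e.g. an sp??.sys/sptd pair is typically a disc-emulation driver
    for e in s.get("SSDT", []):
        hook, func = HOOK.search(e.get("Status", "")), FUNC.search(e.get("#", ""))
        if hook and func:
            ind["ssdt_hooks"].append((func.group(1), hook.group(1), hook.group(2)))
    return ind


def random_name_family(ind, prefix_len=5, min_members=2):
    """Rootkits of this kind drop several randomly named artifacts sharing a
    short fixed prefix. Group hidden drivers, files and services by their
    first prefix_len characters and return the prefixes that recur."""
    names = ind["hidden_drivers"] + [svc for svc, _ in ind["hidden_services"]]
    names += [ntpath.basename(p) for p in ind["hidden_files"]]
    counts = Counter(n[:prefix_len].lower() for n in names if len(n) > prefix_len)
    return {p: sorted({n for n in names if n.lower().startswith(p)})
            for p, c in counts.items() if c >= min_members}


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_REPORT)
    for key, items in found.items():
        print(f"{key}: {items}")
    print("shared random-name prefix:", random_name_family(found))
```
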
#10 neomage

Posted 18 August 2009 - 05:06 PM

Hello, Sheo.
Please remove all the files gxvxcfo*.dll and gxvxcfo*.sys with the rootkit tool below.


:flowers: Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
In your next reply, please include the following:
  • sarscan.log


:thumbsup: Make a new RootRepeal log.


Regards,
neomage

Edited by neomage, 18 August 2009 - 05:08 PM.


#11 Sheo

Posted 18 August 2009 - 05:37 PM

Scan is taking longer than I expected; I will post both reports once I'm done. Thanks.

#12 Sheo

  • Topic Starter

Posted 18 August 2009 - 06:27 PM

There was nothing there that recommended deletion... I'll run it once more and send the results... I hope I'm doing this right...

#13 Sheo

  • Topic Starter

Posted 18 August 2009 - 07:09 PM

Alright, I scanned it twice... with the restart in between... the program is still open and I don't know what to check off, but this is the report...



Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/18/2009 at 18:47:33 PM
User "Rocky" on computer "ROCKY"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gxvxcserv.sys
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\gxvxcserv.sys
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\01\11-{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}-v1-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v11-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\12\12-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v12-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v12-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\13\13-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v13-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v13-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\14\14-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v14-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v14-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\15\15-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v15-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v15-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\16\16-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v16-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v16-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\17\17-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v17-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v17-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\18\18-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v18-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v18-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\19\19-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v19-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v19-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\20\20-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v20-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v20-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\21\21-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v21-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v21-Downloaded.frx
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Hidden: file C:\Documents and Settings\Rocky\My Documents\My Music\Music\Panic At The Disco - 2 Albums [CHANNEL NEO]\Panic at the Disco - A Fever You Cant Sweat Out (2007)\12 - There's a Good Reason These Tables Are Numbered Honey, You Just Haven't Thought Of It Yet.mp3
Hidden: file C:\WINDOWS\system32\drivers\gxvxcyxltjnpsxmaogplapkcowupvaxinaeyo.sys
Hidden: file C:\WINDOWS\system32\drivers\gxvxcjepfqeodlsjwrxsadwvakrlsuntkoyuo.sys
Hidden: file C:\WINDOWS\system32\drivers\gxvxcneyubybppqdtkkcuacpotyxnjclypepd.sys
Hidden: file C:\WINDOWS\system32\drivers\gxvxcirqdxlturdwxgoaqmncsaoyjawppyiln.sys
Hidden: file C:\WINDOWS\system32\drivers\gxvxcfodjklyxmtakxyxvkbmlwaimokqjrwqb.sys
Hidden: file C:\WINDOWS\system32\gxvxciqqojisrqppjeuwputobigftmewpdofu.dll
Hidden: file C:\WINDOWS\system32\gxvxccounter
Info: Starting disk scan of F: (FAT).
Info: Starting disk scan of N: (FAT).
Stopped logging on 8/18/2009 at 19:17:32 PM


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/18/2009 at 19:31:03 PM
User "Rocky" on computer "ROCKY"
Windows version 5.1 SP 2.0 Service Pack 2 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gxvxcserv.sys
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\gxvxcserv.sys
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\01\11-{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}-v1-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v11-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\12\12-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v12-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v12-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\13\13-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v13-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v13-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\14\14-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v14-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v14-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\15\15-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v15-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v15-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\16\16-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v16-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v16-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\17\17-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v17-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v17-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\18\18-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v18-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v18-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\19\19-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v19-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v19-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\20\20-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v20-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v20-Downloaded.frx
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\insane_krow@hotmail.com\SharingMetadata\getto.d@hotmail.com\DFSR\Staging\CS{9EF0F301-88CF-5D90-AB7D-2BA09ED890FE}\21\21-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v21-{A265A562-ECDF-4A59-B58B-13678B54E1C5}-v21-Downloaded.frx
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Hidden: file C:\Documents and Settings\Rocky\My Documents\My Music\Music\Panic At The Disco - 2 Albums [CHANNEL NEO]\Panic at the Disco - A Fever You Cant Sweat Out (2007)\12 - There's a Good Reason These Tables Are Numbered Honey, You Just Haven't Thought Of It Yet.mp3
Hidden: file C:\WINDOWS\system32\drivers\gxvxcyxltjnpsxmaogplapkcowupvaxinaeyo.sys
Hidden: file C:\WINDOWS\system32\drivers\gxvxcjepfqeodlsjwrxsadwvakrlsuntkoyuo.sys
Hidden: file C:\WINDOWS\system32\drivers\gxvxcneyubybppqdtkkcuacpotyxnjclypepd.sys
Hidden: file C:\WINDOWS\system32\drivers\gxvxcirqdxlturdwxgoaqmncsaoyjawppyiln.sys
Hidden: file C:\WINDOWS\system32\drivers\gxvxcfodjklyxmtakxyxvkbmlwaimokqjrwqb.sys
Hidden: file C:\WINDOWS\system32\gxvxciqqojisrqppjeuwputobigftmewpdofu.dll
Hidden: file C:\WINDOWS\system32\gxvxccounter
Info: Starting disk scan of F: (FAT).
Info: Starting disk scan of N: (FAT).
Stopped logging on 8/18/2009 at 20:01:44 PM

#14 neomage


Posted 18 August 2009 - 07:27 PM

Fix these items with Sophos and continue with step 2.

Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gxvxcserv.sys
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\gxvxcserv.sys
Hidden: file C:\WINDOWS\system32\drivers\gxvxcyxltjnpsxmaogplapkcowupvaxinaeyo.sys
Hidden: file C:\WINDOWS\system32\drivers\gxvxcjepfqeodlsjwrxsadwvakrlsuntkoyuo.sys
Hidden: file C:\WINDOWS\system32\drivers\gxvxcneyubybppqdtkkcuacpotyxnjclypepd.sys
Hidden: file C:\WINDOWS\system32\drivers\gxvxcirqdxlturdwxgoaqmncsaoyjawppyiln.sys
Hidden: file C:\WINDOWS\system32\drivers\gxvxcfodjklyxmtakxyxvkbmlwaimokqjrwqb.sys
Hidden: file C:\WINDOWS\system32\gxvxciqqojisrqppjeuwputobigftmewpdofu.dll
Hidden: file C:\WINDOWS\system32\gxvxccounter
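
Added example (not part of this thread and not Sophos' own tooling): a small Python script that reads a sarscan.log and sorts the "Hidden:" lines the way neomage does in the cleanup instructions above (posts #10 and #14). Hidden drivers, DLLs and loose files under the system directory and hidden keys under Services are flagged as suspicious; a file that hides itself by design (sptd.sys, from disc-emulation software) and hidden data files under the user profile (the Messenger DFSR staging files and the MP3) are not; a hidden executable anywhere else is marked for a closer look. It also pulls out the name prefix the suspicious items share, which in this log is the "gxvxc" string on every driver, DLL and key. The allowlist, the rules and the sample log (shortened from the entries posted above) are this example's assumptions, not Sophos' classification.

```python
"""Triage a Sophos Anti-Rootkit report (sarscan.log).

Added example, not part of this thread or of the Sophos tool. It reads the
"Hidden:" lines and sorts them the way the helper did above: hidden drivers,
DLLs and loose files under the system directory and hidden service keys are
suspicious; files that hide themselves by design are benign; hidden data
files under a user profile are benign; anything else hidden with an
executable extension needs a closer look. The allowlist and the rules are
this example's assumptions, not Sophos' own classification.
"""
import os
import re

HIDDEN_RE = re.compile(r"^Hidden:\s+(registry item|file)\s+(.+?)\s*$")

# Assumption: files that hide themselves by design. sptd.sys (the SCSI
# pass-through driver shipped with disc-emulation software) is the usual
# one and appears in the thread's log; extend only after checking the vendor.
KNOWN_HIDDEN_OK = {"sptd.sys"}

# Extensions (and "no extension" at all) that can carry code; a hidden file
# with one of these outside the system directory still deserves a look.
EXEC_EXT = {".sys", ".dll", ".exe", ".drv", ".ocx", ".scr", ".cpl", ""}

# Constructed sample log, shortened from the entries posted in this thread.
SAMPLE_LOG = r"""
Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Info: Starting registry scan.
Hidden: registry item \HKEY_LOCAL_MACHINE\SOFTWARE\gxvxc
Hidden: registry item \HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gxvxcserv.sys
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\Documents and Settings\Rocky\Local Settings\Application Data\Microsoft\Messenger\DFSR\Staging\11-Downloaded.frx
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Hidden: file C:\Documents and Settings\Rocky\My Documents\My Music\12 - Some Song.mp3
Hidden: file C:\WINDOWS\system32\drivers\gxvxcyxltjnpsxmaogplapkcowupvaxinaeyo.sys
Hidden: file C:\WINDOWS\system32\gxvxciqqojisrqppjeuwputobigftmewpdofu.dll
Hidden: file C:\WINDOWS\system32\gxvxccounter
Stopped logging on 8/18/2009 at 19:17:32 PM
"""


def parse_hidden(log_text):
    """Yield (kind, path) for every 'Hidden:' line; Info/Stopped lines are skipped."""
    for line in log_text.splitlines():
        m = HIDDEN_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def extension(name):
    i = name.rfind(".")
    return name[i:].lower() if i >= 0 else ""


def classify(kind, path):
    """Return 'suspicious', 'investigate' or 'benign' for one hidden item."""
    p = path.lower()
    name = basename(p)
    if kind == "registry item":
        # A hidden key under Services is a hidden driver/service registration.
        return "suspicious" if "\\services\\" in p else "investigate"
    if name in KNOWN_HIDDEN_OK:
        return "benign"
    if "\\windows\\system32\\" in p:
        # Nothing legitimate hides drivers, DLLs or counter files under system32.
        return "suspicious"
    if extension(name) in EXEC_EXT:
        return "investigate"
    return "benign"  # hidden data file (.frx, .mp3, ...) outside the system dir


def triage(log_text):
    """Group hidden items by verdict and derive the name prefix shared by the
    suspicious ones: a rootkit that drops randomly named drivers usually keeps
    a fixed prefix (every flagged item in the thread starts with 'gxvxc')."""
    out = {"suspicious": [], "investigate": [], "benign": []}
    for kind, path in parse_hidden(log_text):
        out[classify(kind, path)].append(path)
    names = [basename(p).lower() for p in out["suspicious"] + out["investigate"]]
    prefix = os.path.commonprefix(names) if names else ""
    out["family"] = prefix if len(prefix) >= 4 else None
    return out


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for verdict in ("suspicious", "investigate", "benign"):
        for path in result[verdict]:
            print(f"{verdict:12} {path}")
    print("shared prefix:", result["family"])
```

Run it against a real sarscan.log (read the file and pass its text to triage) to get the list of what to tick in the Sophos window; the script only decides what to select and removes nothing. Note the two hidden keys under Services and the SOFTWARE\gxvxc key end up on the "suspicious"/"investigate" lists even though, as the next post shows, Sophos reported them as Removable: No in this case.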



#15 Sheo

  • Topic Starter

Posted 18 August 2009 - 07:31 PM

Okay, this is what I can do: everything other than the first 3 hidden registry items... it says No on Removable and I can't check them.



