Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    China's National Cybersecurity Standards Considered a Risk for Foreign Firms

Featured Deal: This Free Course Lets You Achieve Digital Transformation for Your Company

Photo

The Tale of 9129837.exe

Started by THRILLHO , Aug 31 2009 12:59 PM

  • Please log in to reply
7 replies to this topic

#1 THRILLHO

THRILLHO

  • Members
  • 6 posts
  • OFFLINE
    •  
  • Local time:12:30 AM

Posted 31 August 2009 - 12:59 PM

Here's what i know:

Posted Image

this came from out of nowhere and gave me the usual bogus messages and started installing its malware removal software

i deleted the newly installed junk as all it did was direct me to where i could purchase some seedy looking anti-adware for an exorbitant amount

then i ran malwarbytes' and got the results pictured above, i clicked 'remove selected' just as i noticed some of the locations were in HKLM ...oops

so my machine turned into a lovely blue screen of death exhibit

since then ive hunted down my xp disc and repaired windows. but i ran malwarebytes' again and everything is still there

here's what io don't know:

what any of this actually is or how to safely remove it

Edited by The weatherman, 31 August 2009 - 04:31 PM.
Moved from HJT to a more appropriate forum. Tw

BC AdBot (Login to Remove)

 

#2 THRILLHO

THRILLHO
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
    •  
  • Local time:12:30 AM

Posted 15 September 2009 - 06:55 PM

ok, so as ive been waiting patiently (for more than two weeks) for some kind of response on here, my problem has gotten progressively worse

i am now plagued with all sorts of things popping up calling themselves cru629 and braivax

this is really pissing me off now, as this is my work computer. its optimal performance is crucial to my work and to getting paid :thumbsup:

the machine has become intollerably slow so ive taken drastic measures
using killbox (in order to replace it with a dummy), ive gone medieval on everything scanned by malwarebytes

this seems to be effective against the programs' tendancy to reinstall itself, but now i cannot start up my machine without first acknowledging about 35 pop up messages telling me that the virus has encountered some errors

what is it thats telling braivax, cru629, and 9129837 to execute on startup? whats telling them to run in my background?? and how the hell do i kill it!!???

please help me soon

#3 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:01:30 AM

Posted 16 September 2009 - 08:30 PM

Sorry you were overlooked
Let's try these two scans


ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

------------------------------------

SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

----------------------------

Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#4 THRILLHO

THRILLHO
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
    •  
  • Local time:12:30 AM

Posted 18 September 2009 - 11:39 PM

done done and done!
thank you very much man those are some well written and detailed instructions :flowers:

cleaned with atf and it seemed to be successful

then i used your sas method and here is my log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/17/2009 at 07:52 PM

Application Version : 4.29.1002

Core Rules Database Version : 4108
Trace Rules Database Version: 2048

Scan type : Complete Scan
Total Scan Time : 01:44:47

Memory items scanned : 194
Memory threats detected : 0
Registry items scanned : 4882
Registry threats detected : 7
File items scanned : 43449
File threats detected : 15

Trojan.Dropper/Win-NV
[mset] C:\WINDOWS\SYSTEM32\MSET.EXE
C:\WINDOWS\SYSTEM32\MSET.EXE

Trojan.Dropper/Gen-NV
[braviax] C:\WINDOWS\SYSTEM32\BRAVIAX.EXE
C:\WINDOWS\SYSTEM32\BRAVIAX.EXE
C:\!KILLBOX\BRAVIAX.EXE
C:\WINDOWS\BRAVIAX.EXE

Trojan.Unclassified/BraviaX
HKU\S-1-5-21-1547161642-1409082233-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Run#braviax [ X ]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#braviax [ braviax.exe ]

Rogue.XP AntiSpyware2009-Trace
C:\WINDOWS\system32\_scui.cpl

Rogue.XP AntiSpyware 2009
HKU\S-1-5-21-1547161642-1409082233-839522115-1005\Control Panel\don't load#wscui.cpl [ No ]

Rogue.PCAntiSpyware2010
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run#PC Antispyware 2010 [ "C:\Program Files\PC_Antispyware2010\PC_Antispyware2010.exe" /hide ]

Rogue.AntiVirusPro2010
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run#Antivirus Pro 2010 [ "C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide ]

Trojan.Downloader-Gen/Win
C:\!KILLBOX\CRU629.DAT
C:\!KILLBOX\CRU629.DAT( 4)
C:\WINDOWS\CRU629.DAT
C:\WINDOWS\SYSTEM32\CRU629.DAT

Trojan.Dropper/Sys-NV
C:\!KILLBOX\SYS32_NOV.EXE

Rootkit.BraviaX-Installer
C:\WINDOWS\DRIVERS\BEEP.SYS
C:\WINDOWS\SYSTEM32\DLLCACHE\BEEP.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\BEEP.SYS

Unclassified.Unknown Origin
C:\WINDOWS\SYSTEM32\SYS32_~1.EXE

Trojan.Agent/Gen-FraudTool
C:\WINDOWS\SYSTEM32\WISDSTR.EXE

and lastly scanned using dr. web. here is the log for that:

autorun.inf;e:;Probably Win32.HLLW.Autoruner.corrupted;Moved.;
ikowin32.exe;c:\documents and settings\bryan_2\start menu\programs\startup;Trojan.Botnetlog.11;Deleted.;
braviax.exe( 1);C:\!KillBox;Trojan.Fakealert.5013;Deleted.;
braviax.exe( 2);C:\!KillBox;Trojan.Fakealert.5013;Deleted.;
braviax.exe( 3);C:\!KillBox;Trojan.Fakealert.5013;Deleted.;
wisdstr.exe;C:\!KillBox;Trojan.Fakealert.4747;Incurable.Moved.;
SDFix2.exe\SDFix\apps\Process.exe;C:\Program Files\SDFix2.exe;Tool.Prockill;;
SDFix2.exe;C:\Program Files;Archive contains infected objects;Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0006160.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006162.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006171.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006173.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.Fakealert.5013;Deleted.;
A0006174.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006179.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006180.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006181.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006183.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.Fakealert.5013;Deleted.;
A0006184.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.Fakealert.5013;Deleted.;
A0006185.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006190.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006191.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006192.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
MFEX-1.DAT;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10\snapshot;Trojan.NtRootKit.3206;Deleted.;
A0006389.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006390.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006391.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.NtRootKit.3206;Deleted.;
A0006403.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.NtRootKit.3206;Deleted.;
A0006414.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.NtRootKit.3206;Deleted.;
A0006415.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006451.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.NtRootKit.3206;Deleted.;
A0006458.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006459.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.NtRootKit.3206;Deleted.;
A0006464.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.NtRootKit.3206;Deleted.;
A0006465.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.NtRootKit.3206;Deleted.;
A0006466.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.NtRootKit.3206;Deleted.;
A0006468.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006469.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006470.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.NtRootKit.3206;Deleted.;
A0006471.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.DownLoad.41506;Deleted.;
A0006477.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006478.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006479.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.4747;Incurable.Moved.;
A0006485.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006486.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006514.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006515.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
MFEX-1.DAT;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11\snapshot;Trojan.NtRootKit.3206;Deleted.;
A0006540.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP12;Trojan.Fakealert.5013;Deleted.;
A0006541.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP12;Trojan.Fakealert.5013;Deleted.;
A0006566.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP12;Trojan.Fakealert.5013;Deleted.;
A0006567.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP12;Trojan.Fakealert.5013;Deleted.;
A0006596.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP14;Trojan.Fakealert.5013;Deleted.;
A0006597.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP14;Trojan.Fakealert.5013;Deleted.;
A0006602.cpl;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP14;Trojan.Fakealert.5006;Deleted.;
A0006629.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.Fakealert.5013;Deleted.;
A0006630.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.Fakealert.5013;Deleted.;
A0006635.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.DownLoad.41506;Deleted.;
A0006636.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.Fakealert.5013;Deleted.;
A0006638.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.DownLoad.41506;Deleted.;
A0006639.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.NtRootKit.3206;Deleted.;
A0006640.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.NtRootKit.3206;Deleted.;
A0006641.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.NtRootKit.3206;Deleted.;
A0006643.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.Fakealert.5015;Deleted.;
A0006655.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.Botnetlog.11;Deleted.;
A0006656.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.Fakealert.4747;Incurable.Moved.;
A0006657.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15\A0006657.exe;Tool.Prockill;;
A0006657.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Archive contains infected objects;Moved.;
A0004113.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP8;Trojan.PWS.Haiuy.28;Deleted.;
A0004116.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP8;Trojan.Fakealert.4960;Deleted.;
A0004124.dll;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP8;Trojan.DownLoad.45065;Deleted.;
A0004139.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP8;Trojan.Fakealert.4511;Deleted.;
A0004140.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP8;Trojan.DownLoad.41506;Deleted.;
A0004146.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP8;Trojan.NtRootKit.3206;Deleted.;
A0005142.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.Fakealert.5013;Deleted.;
A0005143.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.NtRootKit.3206;Deleted.;
A0005147.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.NtRootKit.3206;Deleted.;
A0005149.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.NtRootKit.3206;Deleted.;
A0005150.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.NtRootKit.3206;Deleted.;
A0005154.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.Fakealert.5013;Deleted.;
A0005155.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.Fakealert.5013;Deleted.;
A0005156.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.NtRootKit.3206;Deleted.;
A0005161.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.NtRootKit.3206;Deleted.;
A0005162.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.NtRootKit.3206;Deleted.;
A0005163.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.NtRootKit.3206;Deleted.;
A0005164.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.DownLoad.41506;Deleted.;
A0005165.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.DownLoad.41506;Deleted.;
A0006157.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.NtRootKit.3206;Deleted.;
MFEX-1.DAT;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9\snapshot;Trojan.NtRootKit.3206;Deleted.;
A0093913.exe/file.exe\data003;E:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP624\A0093913.exe/file.exe;Trojan.Popuper.14493;;
A0093913.exe/file.exe\data004;E:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP624\A0093913.exe/file.exe;Trojan.Virtumod.based.21;;
file.exe;E:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP624;Archive contains infected objects;;
A0093913.exe;E:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP624;Archive contains infected objects;Moved.;
tt.exe;E:\Games\torus trooper\tt;Win32.HLLM.Limar.2683;Deleted.;

and that is that. thanks again! :thumbsup:

#5 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:01:30 AM

Posted 19 September 2009 - 06:28 PM

\BRAVIAX.EXE = Not good

Did you run Dr Web Cureit?

We also need to run this:


We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Right-click on rootrepeal.exe and rename it to tatertot.scr
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Edited by garmanma, 19 September 2009 - 06:29 PM.

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#6 THRILLHO

THRILLHO
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
    •  
  • Local time:12:30 AM

Posted 04 October 2009 - 05:13 PM

yea i used webcureit

heres the rootrepeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/04 17:54
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP1
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEFC73000 Size: 90112 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A74000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP6168
Image Path: \Driver\PCI_PNP6168
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spea.sys
Image Path: spea.sys
Address: 0xF8419000 Size: 1040384 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: tatertot.scr.sys
Image Path: C:\WINDOWS\System32\drivers\tatertot.scr.sys
Address: 0xEF9C6000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\gasfkyesrubqje.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyhsngidme.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkymdsdcjdx.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkynadbmfhe.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkytmqxyvrq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkytkcqlbypky.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkywibccxnnvs.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\gasfkyrmltacfm.sys
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: gasfkynadbmfhe.dll]
Process: svchost.exe (PID: 880) Address: 0x10000000 Size: 53248

Object: Hidden Module [Name: gasfkywibccxnnvs.tmpll]
Process: Explorer.EXE (PID: 1352) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: gasfkytmqxyvrq.dll]
Process: firefox.exe (PID: 1260) Address: 0x01110000 Size: 32768

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x823731f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x822381f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x822381f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x822381f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x822381f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x822381f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x822381f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x822381f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x822381f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x822381f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x822381f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x822381f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x822381f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x822381f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x822381f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x822381f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x822381f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x822381f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x822381f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x822121f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x822121f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x822121f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x822121f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x822121f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x822121f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x822121f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x822121f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x822121f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x822121f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x822121f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x823751f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x823751f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x823751f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x823751f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x823751f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823751f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x823751f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x823751f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x823751f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x823751f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x823751f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x821881f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x821881f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x821881f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x821881f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x821881f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x821881f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x821881f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x823e41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x823e41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x823e41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x823e41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823e41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x823e41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x823e41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x823e41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x823e41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x823e41f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x823e41f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8212a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8212a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8212a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8212a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8212a500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8212a500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8221e1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8221e1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8221e1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8221e1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8221e1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8221e1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8221e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x82126388 Size: 121

Object: Hidden Code [Driver: Cdfsȅఆ䵃慖, IRP_MJ_CREATE]
Process: System Address: 0x81d0f1f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఆ䵃慖, IRP_MJ_CLOSE]
Process: System Address: 0x81d0f1f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఆ䵃慖, IRP_MJ_READ]
Process: System Address: 0x81d0f1f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఆ䵃慖, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x81d0f1f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఆ䵃慖, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x81d0f1f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఆ䵃慖, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x81d0f1f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఆ䵃慖, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x81d0f1f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఆ䵃慖, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x81d0f1f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఆ䵃慖, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x81d0f1f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఆ䵃慖, IRP_MJ_SHUTDOWN]
Process: System Address: 0x81d0f1f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఆ䵃慖, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x81d0f1f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఆ䵃慖, IRP_MJ_CLEANUP]
Process: System Address: 0x81d0f1f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఆ䵃慖, IRP_MJ_PNP]
Process: System Address: 0x81d0f1f8 Size: 121

Hidden Services
-------------------
Service Name: gasfkyfvpyxmpc
Image Path: C:\WINDOWS\system32\drivers\gasfkyrmltacfm.sys

==EOF==

#7 THRILLHO

THRILLHO
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
    •  
  • Local time:12:30 AM

Posted 17 October 2009 - 02:19 PM

here it is again in case u didnt see it in the other post

and lastly scanned using dr. web. here is the log for that:

autorun.inf;e:;Probably Win32.HLLW.Autoruner.corrupted;Moved.;
ikowin32.exe;c:\documents and settings\bryan_2\start menu\programs\startup;Trojan.Botnetlog.11;Deleted.;
braviax.exe( 1);C:\!KillBox;Trojan.Fakealert.5013;Deleted.;
braviax.exe( 2);C:\!KillBox;Trojan.Fakealert.5013;Deleted.;
braviax.exe( 3);C:\!KillBox;Trojan.Fakealert.5013;Deleted.;
wisdstr.exe;C:\!KillBox;Trojan.Fakealert.4747;Incurable.Moved.;
SDFix2.exe\SDFix\apps\Process.exe;C:\Program Files\SDFix2.exe;Tool.Prockill;;
SDFix2.exe;C:\Program Files;Archive contains infected objects;Moved.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0006160.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006162.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006171.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006173.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.Fakealert.5013;Deleted.;
A0006174.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006179.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006180.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006181.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006183.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.Fakealert.5013;Deleted.;
A0006184.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.Fakealert.5013;Deleted.;
A0006185.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006190.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006191.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
A0006192.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10;Trojan.NtRootKit.3206;Deleted.;
MFEX-1.DAT;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP10\snapshot;Trojan.NtRootKit.3206;Deleted.;
A0006389.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006390.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006391.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.NtRootKit.3206;Deleted.;
A0006403.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.NtRootKit.3206;Deleted.;
A0006414.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.NtRootKit.3206;Deleted.;
A0006415.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006451.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.NtRootKit.3206;Deleted.;
A0006458.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006459.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.NtRootKit.3206;Deleted.;
A0006464.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.NtRootKit.3206;Deleted.;
A0006465.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.NtRootKit.3206;Deleted.;
A0006466.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.NtRootKit.3206;Deleted.;
A0006468.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006469.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006470.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.NtRootKit.3206;Deleted.;
A0006471.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.DownLoad.41506;Deleted.;
A0006477.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006478.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006479.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.4747;Incurable.Moved.;
A0006485.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006486.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006514.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
A0006515.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11;Trojan.Fakealert.5013;Deleted.;
MFEX-1.DAT;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP11\snapshot;Trojan.NtRootKit.3206;Deleted.;
A0006540.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP12;Trojan.Fakealert.5013;Deleted.;
A0006541.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP12;Trojan.Fakealert.5013;Deleted.;
A0006566.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP12;Trojan.Fakealert.5013;Deleted.;
A0006567.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP12;Trojan.Fakealert.5013;Deleted.;
A0006596.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP14;Trojan.Fakealert.5013;Deleted.;
A0006597.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP14;Trojan.Fakealert.5013;Deleted.;
A0006602.cpl;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP14;Trojan.Fakealert.5006;Deleted.;
A0006629.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.Fakealert.5013;Deleted.;
A0006630.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.Fakealert.5013;Deleted.;
A0006635.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.DownLoad.41506;Deleted.;
A0006636.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.Fakealert.5013;Deleted.;
A0006638.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.DownLoad.41506;Deleted.;
A0006639.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.NtRootKit.3206;Deleted.;
A0006640.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.NtRootKit.3206;Deleted.;
A0006641.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.NtRootKit.3206;Deleted.;
A0006643.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.Fakealert.5015;Deleted.;
A0006655.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.Botnetlog.11;Deleted.;
A0006656.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Trojan.Fakealert.4747;Incurable.Moved.;
A0006657.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15\A0006657.exe;Tool.Prockill;;
A0006657.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP15;Archive contains infected objects;Moved.;
A0004113.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP8;Trojan.PWS.Haiuy.28;Deleted.;
A0004116.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP8;Trojan.Fakealert.4960;Deleted.;
A0004124.dll;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP8;Trojan.DownLoad.45065;Deleted.;
A0004139.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP8;Trojan.Fakealert.4511;Deleted.;
A0004140.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP8;Trojan.DownLoad.41506;Deleted.;
A0004146.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP8;Trojan.NtRootKit.3206;Deleted.;
A0005142.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.Fakealert.5013;Deleted.;
A0005143.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.NtRootKit.3206;Deleted.;
A0005147.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.NtRootKit.3206;Deleted.;
A0005149.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.NtRootKit.3206;Deleted.;
A0005150.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.NtRootKit.3206;Deleted.;
A0005154.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.Fakealert.5013;Deleted.;
A0005155.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.Fakealert.5013;Deleted.;
A0005156.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.NtRootKit.3206;Deleted.;
A0005161.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.NtRootKit.3206;Deleted.;
A0005162.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.NtRootKit.3206;Deleted.;
A0005163.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.NtRootKit.3206;Deleted.;
A0005164.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.DownLoad.41506;Deleted.;
A0005165.exe;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.DownLoad.41506;Deleted.;
A0006157.sys;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9;Trojan.NtRootKit.3206;Deleted.;
MFEX-1.DAT;C:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP9\snapshot;Trojan.NtRootKit.3206;Deleted.;
A0093913.exe/file.exe\data003;E:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP624\A0093913.exe/file.exe;Trojan.Popuper.14493;;
A0093913.exe/file.exe\data004;E:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP624\A0093913.exe/file.exe;Trojan.Virtumod.based.21;;
file.exe;E:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP624;Archive contains infected objects;;
A0093913.exe;E:\System Volume Information\_restore{759F4DAB-9385-406C-AB9B-D278CFD8BCAB}\RP624;Archive contains infected objects;Moved.;
tt.exe;E:\Games\torus trooper\tt;Win32.HLLM.Limar.2683;Deleted.;

and that is that. thanks again! :thumbsup:


#8 THRILLHO

THRILLHO
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
    •  
  • Local time:12:30 AM

Posted 01 November 2009 - 03:14 PM

need computer. need money

your method is very specific, and leads me to be quite hopeful that this is the place to find the help i need
however, it seems like im left hanging here

weve determined that im infected. now what do i do?
Back to Am I infected? What do I do?


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Am I infected? What do I do?
  4. Privacy Policy
  5. Rules ·