Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser redirect & blue-screen/reboot virus and malware extravaganza!


  • This topic is locked This topic is locked
3 replies to this topic

#1 mpjohnst

mpjohnst

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 31 August 2009 - 04:30 PM

EDIT: Attached Kaspersky log too... looks like I have both "Trojan.JS.Redirector.b" and "Backdoor.Win32.NewRest.z"... ugh.

########################################################

Ok, here is the deal:No problems until two days ago, the evening of 8/29/09
Returned from vacation, booted up computer, checked email, and walked away...
Came back in room an hour later to find computer had restarted... odd... checked email, and walked away...
Repeat that once more that evening and definitely knew something was up by yesterday morning when browser redirect/reboots hit in full force.
Now I can only use the computer in SAFE mode or it will crash/reboot before loading completely.
Even in safe mode I still get redirected search results.
I cannot use Windows Upgrade.
I can no longer update my virus definitions.
I searched for hours yesterday and ended up running Combofix, SDfix and MBAM to no avail.
Then I spent a few more hours figuring out how to make a bootable USB drive so I could restore from my Windows Home Server (to complicate matters further... I don't have an optical drive).
I finally was able to restore my drive from 8/21 backup (no problems back then), but I STILL HAVE THIS FRIGGIN' BUG! How this thing survives a system restore is beyond me!?
By the way, I also am having trouble completely disabling my AV (Sym Corporate edition from my school)... in safe mode there is no icon to right-click so I just try disabling related .sys processes in Device Manager hidden list but Combofix always told me auto protect was still running.
I'm half inclined to just reformat/reinstall, but that won't help the next person who is infected by this disaster. And, I'm supposedly the computer nerd in the family so it feels too much like cheating anyway!

As clearly requested in the welcome post (but which few people apparently read) I have DDS and RootRepeal logs attached for your viewing pleasure. Kaspersky is currently running but it is only 8% complete after 1.5 hours... I'll have that one ready tomorrow. For now I figured I'd better get in the queue...

Help me Obiwan Kenobi (Alec, not Ewan), you're my only hope!!!!!!

DDS.txt

DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Matt at 16:01:42.31 on Mon 08/31/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1271.684 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\NNDVFD00\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.toshibadirect.com/dpdstart
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: BrowserHelper Class: {9a065c65-4ee7-4ddd-9918-f129089a894a} - c:\program files\windows home server\WHSDeskBands.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdmcks.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Home Server Banner: {d73e76a3-f902-45bd-8fc8-95ae8e014671} - c:\program files\windows home server\WHSDeskBands.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [BitComet] "c:\program files\bitcomet\BitComet.exe"
uRun: [PlaxoUpdate] c:\program files\plaxo\3.22.0.7\PlaxoHelper_en.exe -a
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
uRun: [PlaxoSysTray] c:\program files\plaxo\3.22.0.7\PlaxoSysTray.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TFncKy] TFncKy.exe
mRun: [OmniPass] c:\program files\softex\omnipass\scureapp.exe
mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
mRun: [TFNF5] TFNF5.exe
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [AcronisTrueImage Monitor] "c:\program files\acronis\trueimage\TrueImageMonitor.exe"
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
StartupFolder: c:\docume~1\matt\startm~1\programs\startup\timeleft.lnk - c:\program files\timeleft3\TimeLeft.exe
StartupFolder: c:\docume~1\matt\startm~1\programs\startup\webmon.lnk - c:\program files\webmon\WebMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{871df2be-41d2-4334-ac33-839af16fc8fe}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\windows\installer\{21e49794-7c13-4e84-8659-55bd378267d5}\WHSTrayApp.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1251733133718
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: OPXPGina - c:\program files\softex\omnipass\opxpgina.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\784tva3k.default\
FF - prefs.js: browser.startup.homepage - hxxp://cm.my.yahoo.com/ | https://login.wisc.edu/?appurl=wiscmail.wisc.edu/login | http://www.hotmail.com
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2004-12-28 16384]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2006-2-7 6144]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2006-2-8 32640]
S1 801ec04b;801ec04b;c:\windows\system32\drivers\801ec04b.sys [2009-8-12 105310]
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
S1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2006-2-7 5888]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-20 192160]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-20 169632]
S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\matt\locals~1\temp\wzse0.tmp\instal~1.exe --> c:\docume~1\matt\locals~1\temp\wzse0.tmp\INSTAL~1.EXE [?]
S2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-8-3 1807600]
S2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2006-2-7 126976]
S2 WHSConnector;Windows Home Server Connector Service;c:\program files\windows home server\WHSConnector.exe [2009-4-20 335728]
S2 xwoarh;xwoarh;c:\windows\system32\drivers\xwoarh.sys [2009-8-31 175616]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-31 102448]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090830.005\naveng.sys [2009-8-31 84912]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090830.005\navex15.sys [2009-8-31 1323568]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-8-3 115952]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2009-08-31 15:50 <DIR> --d----- c:\program files\Trend Micro
2009-08-31 15:14 170 a------- c:\windows\system32\conf.xml
2009-08-31 13:00 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-08-31 12:53 <DIR> --d----- c:\windows\ERUNT
2009-08-31 12:53 <DIR> --d----- C:\SDFix
2009-08-31 12:35 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-31 12:27 229,376 a------- c:\windows\PEV.exe
2009-08-31 12:27 161,792 a------- c:\windows\SWREG.exe
2009-08-31 12:27 98,816 a------- c:\windows\sed.exe
2009-08-31 12:27 <DIR> --ds---- C:\ComboFix
2009-08-31 11:26 175,616 a--s---- c:\windows\system32\drivers\xwoarh.sys
2009-08-21 02:59 <DIR> --d----- C:\Windows Home Server Drivers for Restore
2009-08-15 13:50 <DIR> --d----- c:\program files\TimeLeft3
2009-08-15 13:50 <DIR> --d----- c:\docume~1\matt\applic~1\NesterSoft
2009-08-13 02:27 <DIR> --d----- c:\windows\system32\NtmsData
2009-08-12 19:31 105,310 a------- c:\windows\system32\drivers\801ec04b.sys
2009-08-05 09:48 <DIR> --d----- c:\docume~1\matt\applic~1\Windows Home Server
2009-08-05 01:34 <DIR> --d----- c:\program files\Windows Home Server
2009-08-05 00:48 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-08-04 22:06 162,205 a------- c:\windows\Aspire easyStore Home Server Software Update Uninstaller.exe
2009-08-04 22:06 <DIR> --d----- c:\program files\Aspire easyStore Home Server Software Update

==================== Find3M ====================

2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-03 15:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-03-22 10:29 47,360 a------- c:\docume~1\matt\applic~1\pcouffin.sys
2008-12-11 11:58 60,744 a------- c:\documents and settings\matt\g2mdlhlpx.exe
2006-10-02 17:23 98,848 a------- c:\docume~1\matt\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 16:02:20.04 ===============


RootRepeal

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/08/31 16:04
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 00002129
Image Path: \Driver\00002129
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xBA18C000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79B5000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal[1].sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal[1].sys
Address: 0xB9136000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\a4a1b556.exe
Status: Allocation size mismatch (API: 131072, Raw: 0)

Path: C:\WINDOWS\system32\drivers\xwoarh.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\matt\local settings\temp\~df1cbe.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\matt\local settings\temp\~df6406.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\matt\local settings\temp\~df9aba.tmp
Status: Allocation size mismatch (API: 131072, Raw: 16384)

Path: c:\documents and settings\matt\local settings\temp\~dffa8c.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20090830.005\EraserUtilRebootDrv.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Matt\Local Settings\Application Data\Mozilla\Firefox\Profiles\784tva3k.default\Cache\441ABEDCd01
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "a347bus.sys" at address 0xf75bc028

#: 041 Function Name: NtCreateKey
Status: Hooked by "a347bus.sys" at address 0xf75bbfe0

#: 045 Function Name: NtCreatePagingFile
Status: Hooked by "a347bus.sys" at address 0xf75afb00

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "a347bus.sys" at address 0xf75b05dc

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "a347bus.sys" at address 0xf75bc120

#: 116 Function Name: NtOpenFile
Status: Hooked by "a347bus.sys" at address 0xf75afb40

#: 119 Function Name: NtOpenKey
Status: Hooked by "a347bus.sys" at address 0xf75bbfa4

#: 160 Function Name: NtQueryKey
Status: Hooked by "a347bus.sys" at address 0xf75b05fc

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "a347bus.sys" at address 0xf75bc076

#: 241 Function Name: NtSetSystemPowerState
Status: Hooked by "a347bus.sys" at address 0xf75bb550

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x8a017da8]
Process: System Address: 0x89ba3f30 Size: 212

Object: Hidden Code [ETHREAD: 0x8a04fda8]
Process: System Address: 0x89ba0e40 Size: 448

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x89ba0840 Size: 856

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a4833f0 Size: 11

Object: Hidden Code [Driver: BeepȄఈ灐畳䆠, IRP_MJ_CREATE]
Process: System Address: 0x89ba1f00 Size: 260

Object: Hidden Code [Driver: BeepȄఈ灐畳䆠, IRP_MJ_CLOSE]
Process: System Address: 0x89ba1f00 Size: 260

Object: Hidden Code [Driver: BeepȄఈ灐畳䆠, IRP_MJ_READ]
Process: System Address: 0x89ba1f00 Size: 260

Object: Hidden Code [Driver: BeepȄఈ灐畳䆠, IRP_MJ_WRITE]
Process: System Address: 0x89ba1f00 Size: 260

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CLOSE]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_READ]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_WRITE]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_EA]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CLEANUP]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_POWER]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_PNP]
Process: System Address: 0x8a34c8a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a34c798 Size: 99

Object: Hidden Code [Driver: 00002129, IRP_MJ_CREATE]
Process: System Address: 0x89ba0df0 Size: 42

Object: Hidden Code [Driver: 00002129, IRP_MJ_READ]
Process: System Address: 0x89ba0df0 Size: 42

Object: Hidden Code [Driver: 00002129, IRP_MJ_WRITE]
Process: System Address: 0x89ba0df0 Size: 42

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x8a1cef40 Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x89b662a8 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a1a4b00 Size: 11

Object: Hidden Code [Driver: , IRP_MJ_READ]
Process: System Address: 0x89ea0860 Size: 11

Object: Hidden Code [Driver: MsfsЅఆ䵃慖, IRP_MJ_READ]
Process: System Address: 0x8a1e5ad8 Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System Address: 0x8a1e6ad0 Size: 11

Object: Hidden Code [Driver: CdfsЅణ浍瑓�訛(, IRP_MJ_READ]
Process: System Address: 0x8a1c1dd8 Size: 11

==EOF==

Attached Files


Edited by mpjohnst, 31 August 2009 - 07:28 PM.


BC AdBot (Login to Remove)

 


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:10:55 PM

Posted 15 September 2009 - 02:57 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 mpjohnst

mpjohnst
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:55 PM

Posted 15 September 2009 - 03:35 PM

Sorry, I couldn't wait any longer with my work demends... I reformatted and reinstalled XP. So, case closed, but not technically resolved I guess.

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:55 PM

Posted 15 September 2009 - 07:47 PM

Hello

Thank you for posting back. Sometimes a reformat and reinstall is the best and quickest solution. Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please start a new topic.

Happy computing,

Orange Blossom :(
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users