Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus or Maleware form hell Suspecting braviax


  • Please log in to reply
4 replies to this topic

#1 mdcello

mdcello

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:08 PM

Posted 01 September 2009 - 01:33 AM

Hi all i hope someone can help me i tried allot things and got lots of information but not yet a solve for the problem .

Well my Symptoms and problems are following -- Google search results getting me redirected happening for a month never did find a solve for that one.

Newest Symptoms started yesterday i mistakenly ignored the little X icon in my icon bar and did my usual activating all programs that start while i sleep.

after waking up this morning i finding out that "Hijack this" --"Avg antivirus"-- "Malewarebyte" "Adware" "Spybot Search and destroy"and Ccleaner wouldnt come on at all i got Ccleaner to work after while. i keep getting the administrator access denied thing even while i safe mode

now i did find Braviax.exe in my taskmanger and online scan revealed beeb.sys to be infected to. I stopped the process went into reg edit and delete the files from windows folder.i no longer can find any traces of it by manual searching for it but my programs still wont come on also i cant uninstall AVG antivirus for some reason so i cant even apply a copy of a good anti virus program on it or use some tools.

Formating the pc is out of the question windows cd broke

Now i am turning to you all i want my pc back creators of those programs need to be shot this is not funny.

Now i did get combo fix to work and here is the log Attached File  log.txt   16.66KB   5 downloads

So if anyone can help me our steer me in the right direction on what to do next? I am going to bed i spend all day on this

oh and i am unable to do the renaming of malewarebyte or hijack this it tells me i got no administrator rights to rename them ><

And System Restore wont work either i got save points but i cant clik them.

Edited by garmanma, 01 September 2009 - 05:36 PM.


BC AdBot (Login to Remove)

 


#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:08:08 PM

Posted 01 September 2009 - 07:28 AM

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 mdcello

mdcello
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:08 PM

Posted 01 September 2009 - 01:42 PM

Here is my Rootrepeal Report

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/31 14:28
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_iastor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys
Address: 0xA9C9D000 Size: 749568 File Visible: No Signed: -
Status: -

Name: PCI_PNP2600
Image Path: \Driver\PCI_PNP2600
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA862D000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spkc.sys
Image Path: spkc.sys
Address: 0xB9EA6000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\schedlgu.txt
Status: Allocation size mismatch (API: 16384, Raw: 4096)

Path: C:\WINDOWS\msdownld.tmp\msdownld.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\20b00623-de27-4f83-9153-7741b3992300.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\28884ff4-040a-47d0-ab27-3b5cd212da99.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\e19b8c53-6080-46fe-9bd9-ce13055e75bd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\7b41c1b9-9527-4629-9b4f-c696b90c9175.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\Temp\e478d428-e4b5-494b-99ff-8d935f959751.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\ie8updates\ie8updates
Status: Locked to the Windows API!

Path: C:\WINDOWS\WBEM\WBEM
Status: Locked to the Windows API!

Path: C:\WINDOWS\Config\Config
Status: Locked to the Windows API!

Path: C:\WINDOWS\Connection Wizard\Connection Wizard
Status: Locked to the Windows API!

Path: C:\WINDOWS\addins\addins
Status: Locked to the Windows API!

Path: C:\WINDOWS\Minidump\Minidump
Status: Locked to the Windows API!

Path: C:\WINDOWS\PIF\PIF
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\EventCache\EventCache
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1025\1025
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1028\1028
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1031\1031
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1037\1037
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1041\1041
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1042\1042
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\1054\1054
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\2052\2052
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\3076\3076
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\3com_dmi\3com_dmi
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\export\export
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\LogFiles\LogFiles
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\ShellExt\ShellExt
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\dhcp\dhcp
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\xircom\xircom
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\wins\wins
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp98\imejp98
Status: Locked to the Windows API!

Path: C:\WINDOWS\security\logs\logs
Status: Locked to the Windows API!

Path: C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Registration\CRMLog\CRMLog
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d1\d1
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d2\d2
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d3\d3
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d4\d4
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d5\d5
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d6\d6
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d7\d7
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d8\d8
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\temp\temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\tmp\tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\classes\classes
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\trustlib\trustlib
Status: Locked to the Windows API!

Path: C:\WINDOWS\msapps\msinfo\msinfo
Status: Locked to the Windows API!

Path: c:\documents and settings\apocalypse\local settings\temp\etilqs_vz7unumyij1q5ghjrmje
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Status: Locked to the Windows API!

Path: C:\WINDOWS\Sun\Java\Deployment\Deployment
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\disdn\disdn
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\spool\PRINTERS\PRINTERS
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\wbem\snmp\snmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\mui\dispspec\dispspec
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\oobe\sample\sample
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\chsime\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\CHTIME\Applets\Applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imjp8_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\dicts\dicts
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\shared\res\res
Status: Locked to the Windows API!

Path: C:\WINDOWS\inf\IEM\0409\0409
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\BDATunePIA\BDATunePIA
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehCIR\ehCIR
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\EhCM\EhCM
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepg\ehepg
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepgdat\ehepgdat
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiPlay\ehiPlay
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiProxy\ehiProxy
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehRecObj\ehRecObj
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\ehshell\ehshell
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\batch\batch
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Temp\Temp
Status: Locked to the Windows API!

Path: c:\documents and settings\all users\application data\avg8\antispam\rkd
Status: Size mismatch (API: 4678, Raw: 4570)

Path: c:\documents and settings\all users\application data\avg8\cfg\sched.cfg
Status: Size mismatch (API: 179644, Raw: 179610)

Path: C:\WINDOWS\system32\wbem\mof\bad\bad
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\wbem\mof\good\good
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\oobe\html\oemcust\oemcust
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\oobe\html\oemhw\oemhw
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\oobe\html\oemreg\oemreg
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Recent\Recent
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP165.tmp\ZAP165.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP249.tmp\ZAP249.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Status: Locked to the Windows API!

Path: c:\documents and settings\apocalypse\local settings\application data\google\chrome\user data\local state
Status: Size mismatch (API: 5280, Raw: 5279)

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Sqm\Sqm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Apocalypse\Local Settings\Apps\2.0\LJ10LPWZ.LW5\6PCXCA16.CVQ\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Apocalypse\Local Settings\Apps\2.0\LJ10LPWZ.LW5\6PCXCA16.CVQ\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Apocalypse\Local Settings\Apps\2.0\LJ10LPWZ.LW5\6PCXCA16.CVQ\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Apocalypse\Local Settings\Apps\2.0\LJ10LPWZ.LW5\6PCXCA16.CVQ\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\9.0\Collab\Collab
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Acrobat\9.0\Forms\Forms
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Adobe\Flash Player\AssetCache\FCDTYV9R\FCDTYV9R
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\#SharedObjects\BYC4G5Q4\BYC4G5Q4
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xba11887e

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spkc.sys" at address 0xb9ec5ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spkc.sys" at address 0xb9ec6032

#: 119 Function Name: NtOpenKey
Status: Hooked by "spkc.sys" at address 0xb9ea70c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spkc.sys" at address 0xb9ec610a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spkc.sys" at address 0xb9ec5f8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xba118bfe

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a70b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x89b5c1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x89b5c1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x89b5c1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x89b5c1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89b5c1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89b5c1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89b5c1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89b5c1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x89b5c1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89b5c1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x89b5c1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8a69f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8a69f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8a69f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8a69f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a69f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a69f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a69f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a69f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8a69f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a69f1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8a69f1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x89c521f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x89c521f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89c521f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89c521f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x89c521f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89c521f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x89c521f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8a70e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8a70e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8a70e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a70e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a70e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a70e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a70e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8a70e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8a70e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a70e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8a70e1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x893321f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x893321f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x893321f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x893321f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x893321f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x893321f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x89c051f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x89c051f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89c051f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89c051f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x89c051f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89c051f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x89c051f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x890e51f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_CREATE]
Process: System Address: 0x89083500 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_CLOSE]
Process: System Address: 0x89083500 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_READ]
Process: System Address: 0x89083500 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89083500 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89083500 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89083500 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89083500 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89083500 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89083500 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89083500 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89083500 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_CLEANUP]
Process: System Address: 0x89083500 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_PNP]
Process: System Address: 0x89083500 Size: 121

==EOF==

#4 mdcello

mdcello
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:07:08 PM

Posted 01 September 2009 - 03:22 PM

OK i just got malewarebyte to work by instaling it over the old one however it wont let me update.

Hijackthis is working after i change the install directory here the log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:20:37 PM, on 8/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Apocalypse\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Apocalypse\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Documents and Settings\Apocalypse\Desktop\testhi\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.net-studio.org
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

--
End of file - 3858 bytes

#5 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:08:08 PM

Posted 01 September 2009 - 05:41 PM

Please repost your log

I'm sorry, but you need to repost you log.

I have moved your Topic that included a HijackThis/DDS log here to the Misplaced HJT Logs forum. You posted your log in a forum not intended for HijackThis/DDS logs analysis. We can only allow topics with such logs in the HijackThis Logs and Malware Removal forum. This restriction is to ensure you get the best help available, from those who specialize in malware anlaysis and removal. It also should prevent you from receiving ineffective or even potentially dangerous advice, whether well meaning or not.

We understand that dealing with malware issues and getting help can be frustrating but improperly posting a log usually happens if you missed the directions we provide to those who require malware removal assistance. Prior to posting a log, we ask that you please read and follow all instructions in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log. Following the steps in this Guide will allow the HJT Team to quickly help you with specific fixes for what may remain on your system.

Please complete all the steps in the Guide. If you can't perform a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have completed those steps, start a new topic in the HijackThis Logs and Malware Removal forum as directed in the Prep Guide to post a new log.

Please do not post any more logs to this topic as it just a placeholder to be used to help you post the information in the proper way and in the proper forum. Going forward, HijackThis logs should only be posted in the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal in order to make it easier for our helpers to respond to your topic

The Misplaced HJT Logs forum is strictly a holding area where the BC Staff can assist you with preparations for and to properly post your log. If you have a question or encounter a problem in the Prep Guide, please do post back to this topic; that is what it is here for.

When your new DDS/HJT log is posted in the proper forum, please reply to this topic with a link to your new topic. Once that is done, a Member of the HJT Team will analyze your log and assist you with step by step instructions to clean your computer or otherwise advise what needs to be done.

Thanks for your cooperation and good luck.
The BC Staff
Mark
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users