Please help...Haxdoor E, Security Tool

This topic is locked
5 replies to this topic

#1 frostybaby13


Posted 05 October 2009 - 01:10 PM

Hi guys! Usually I have had luck resolving my own issues reading the help for others, but this situation is so nasty - all the tools have been disabled, so I hope someone can help. Thanks in advance!

I'm running on my desktop, Windows XP. Noticed yesterday, my anti-virus program CA reported Haxdoor E in its quick scan mode...

Haxdoor E , Backdoor , Key "hkey_local_machine\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list" value "c:\windows\explorer.exe" , -1

I immediately clicked for Mbam and it wasn't working. Went to run a full CA scan, when I noticed it had been partially disabled - and told me to reboot to get it going again. I did, and once my computer came back on I spotted the Security Tool icon, and the many 'false alert' warnings. Also, my desktop had gone completely black with no icons. I still have the taskbar at the bottom, but that's all.

I read through many suggestions of things to try when Mbam won't run, tried to run in safe mode, tried renaming, in neither of those cases will Mbam or DrWebCureit work at all. I then tried running the rootkit scan to compare with a list of offending files - didn't see any matches. I downloaded Process Explorer to try and get the Security Tool deleted, and I was able to locate and delete the 'security tool' file... (named Run Dll as App) but as soon as I reboot my computer, it pops up again and the desktop is still iconless, mbam still disabled.

*edit to add 'haxdoor alert' from CA.

Edited by frostybaby13, 05 October 2009 - 01:39 PM.


#2 garmanma


Posted 06 October 2009 - 08:33 PM

We need to check for rootkits with RootRepeal.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If RootRepeal fails to run, try this step: click Settings - Options and set the Disk Access slider to High.

Also try: right-click on rootrepeal.exe and rename it to tatertot.scr.
------------------------------------------------------------



Please download peek.bat and save it to your Desktop. Double-click on peek.bat to run it. A black Command Prompt window will appear indicating the program is running. Once it is finished, copy and paste the entire contents of the Log.txt file it creates in your next reply.

If you encounter a problem downloading or getting peek.bat to run, go to Start > Run..., and in the open box, type: Notepad
  • Click OK.
  • Copy and paste everything in the code box below into the Untitled - Notepad.
@ECHO OFF
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
START Log.txt
DEL %0
  • Go to File > Save As, click the drop-down box to change the Save As Type to *All Files and save it as "peek.bat" on your desktop.
  • Double-click peek.bat to run the script.
  • A window will open and close quickly, this is normal.
  • A file called log.txt should be created on your Desktop.
  • Open that file and copy/paste the contents in your next reply.
-- Vista users can refer to these instructions to run a batch file as an administrator.
Mark
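Added example (not code from the post or from BleepingComputer): a Python script that parses the DIR listing peek.bat produces and compares the system32 copy of each DLL with the ServicePackFiles\i386 reference copy, which is what the listing is requested for. The embedded sample listing is constructed, with one size deliberately altered so the mismatch case is exercised.

```python
"""Cross-check the listing that peek.bat produces.

Added example, not code from the original post. peek.bat runs DIR /a/s over
four system DLLs; the reason a helper asks for it is that the copy of each DLL
in C:\WINDOWS\system32 should be the same size as the service-pack reference
copy in C:\WINDOWS\ServicePackFiles\i386. A system32 copy whose size differs
from the reference copy is the thing to look at first. This script parses
that DIR output and reports the comparison per file.
"""
import re
from collections import defaultdict

# One DIR entry, e.g. "04/13/2008  07:12 PM           181,248 scecli.dll".
# Assumes the US date/time layout shown in the thread's log.
ENTRY_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S+)$")
DIR_RE = re.compile(r"^Directory of (.+)$")

REFERENCE_DIR = r"C:\WINDOWS\ServicePackFiles\i386"
LIVE_DIR = r"C:\WINDOWS\system32"
PEEK_FILES = ("scecli.dll", "netlogon.dll", "eventlog.dll", "cngaudit.dll")


def parse_dir_listing(text):
    """Return {filename (lower-case): {directory: size in bytes}}."""
    copies = defaultdict(dict)
    current_dir = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1).strip()
            continue
        m = ENTRY_RE.match(line)
        if m and current_dir is not None:
            size = int(m.group(3).replace(",", ""))
            copies[m.group(4).lower()][current_dir] = size
    return dict(copies)


def check_system_files(copies, expected=PEEK_FILES):
    """Compare each file's system32 copy with its ServicePackFiles copy.

    Returns a list of (filename, verdict, detail). Verdicts:
      ok        system32 size equals the reference size
      mismatch  system32 size differs from the reference size
      no-ref    system32 copy exists but there is no reference copy
      absent    no system32 copy at all (normal for cngaudit.dll on XP,
                which only ships with Vista and later)
    """
    results = []
    for name in expected:
        found = copies.get(name, {})
        live = [s for d, s in found.items() if d.lower() == LIVE_DIR.lower()]
        ref = [s for d, s in found.items() if d.lower() == REFERENCE_DIR.lower()]
        if not live:
            results.append((name, "absent", "not found in system32"))
        elif not ref:
            results.append((name, "no-ref", f"system32 copy is {live[0]} bytes, no reference copy"))
        elif live[0] == ref[0]:
            results.append((name, "ok", f"{live[0]} bytes in both locations"))
        else:
            results.append((name, "mismatch", f"system32 {live[0]} bytes vs reference {ref[0]} bytes"))
    return results


def verdicts(text):
    """Convenience wrapper: {filename: verdict} for a raw DIR listing."""
    return {name: verdict for name, verdict, _ in check_system_files(parse_dir_listing(text))}


# Constructed sample modelled on the thread's log; netlogon.dll in system32 has
# been given a different size on purpose so that the mismatch path is exercised.
SAMPLE_LOG = r"""
 Directory of C:\WINDOWS\$NtServicePackUninstall$

08/09/2004  11:00 PM           180,224 scecli.dll
08/09/2004  11:00 PM           407,040 netlogon.dll
08/09/2004  11:00 PM            55,808 eventlog.dll
               3 File(s)        643,072 bytes

 Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008  07:12 PM           181,248 scecli.dll
04/13/2008  07:12 PM           407,040 netlogon.dll
04/13/2008  07:11 PM            56,320 eventlog.dll
               3 File(s)        644,608 bytes

 Directory of C:\WINDOWS\system32

04/13/2008  07:12 PM           181,248 scecli.dll
04/13/2008  07:12 PM           409,088 netlogon.dll
04/13/2008  07:11 PM            56,320 eventlog.dll
               3 File(s)        646,656 bytes
"""

if __name__ == "__main__":
    for name, verdict, detail in check_system_files(parse_dir_listing(SAMPLE_LOG)):
        print(f"{name:14} {verdict:9} {detail}")
```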

#3 frostybaby13


Posted 06 October 2009 - 09:38 PM

Hi, thank you so much for your time helping! :thumbsup:

Here's the info you requested. PEEKBAT LOG:

Volume in drive C is HP_PAVILION
Volume Serial Number is 9CE9-DC28

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/09/2004 11:00 PM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/09/2004 11:00 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/09/2004 11:00 PM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 134,936,219,648 bytes free



Now here's the ROOT REPEAL LOG:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/06 21:12
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB5918000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA62C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP7130
Image Path: \Driver\PCI_PNP7130
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB1484000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spkb.sys
Image Path: spkb.sys
Address: 0xB9EAA000 Size: 1036288 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\~df763c.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\~dfac8d.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\hp_administrator\local settings\temp\~df3878.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\hp_administrator\local settings\temp\~df2697.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spkb.sys" at address 0xb9eab0e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spkb.sys" at address 0xb9ec8ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spkb.sys" at address 0xb9ec9030

#: 119 Function Name: NtOpenKey
Status: Hooked by "spkb.sys" at address 0xb9eab0c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spkb.sys" at address 0xb9ec9108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spkb.sys" at address 0xb9ec8f88

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\kmxagent.sys" at address 0xb5cb7ce8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spkb.sys" at address 0xb9ec919a

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb34270b0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_CREATE]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_CLOSE]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_READ]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_WRITE]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_CLEANUP]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_PNP]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_CREATE]
Process: System Address: 0x8a8351f8 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_CLOSE]
Process: System Address: 0x8a8351f8 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8351f8 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8351f8 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_POWER]
Process: System Address: 0x8a8351f8 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8351f8 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_PNP]
Process: System Address: 0x8a8351f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System Address: 0x8a8df500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System Address: 0x8a8df500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System Address: 0x8a8df500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System Address: 0x8a8df500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8df500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8df500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System Address: 0x8a8df500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8df500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System Address: 0x8a8df500 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8a9011f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8a9011f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a9011f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a9011f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8a9011f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a9011f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8a9011f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8a73d500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8a73d500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a73d500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a73d500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8a73d500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8a73d500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a8e9500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a8e9500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8e9500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8e9500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a8e9500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8e9500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a8e9500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_CREATE]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_CLOSE]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_READ]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_CLEANUP]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_PNP]
Process: System Address: 0x8a8e0500 Size: 121

==EOF==

As for my personal progress… I was able to run the SuperAntiSpyware program in safe mode, and get the logs. I ran it, it found 1 in memory and about 5 in registry. When I let it quarantine and reboot - Windows would not start. It made me select “last known good config”. So I went back into safe mode and ran it again, and those same files it had quarantined before were there. I ran it several times in a row, always checking if I could get back into Windows normally after running it (no) and was always prompted to go back to last known good configuration.

The only rule against posting logs is the ComboFix one, so I am assuming it's okay to post this one for the added info of infected files that won't seem to budge. If not, and this info should not be included, I'll remove it.
(This is the shortest one, a custom scan, I ran to highlight the 'problem files' that have appeared during each run.)

Application Version : 4.29.1002

Core Rules Database Version : 4146
Trace Rules Database Version: 2076

Scan type : Custom Scan
Total Scan Time : 00:07:04

Memory items scanned : 239
Memory threats detected : 1
Registry items scanned : 6689
Registry threats detected : 5
File items scanned : 0
File threats detected : 1

Adware.Vundo/Variant[1004]
C:\WINDOWS\SYSTEM32\BAHEZIDO.DLL
C:\WINDOWS\SYSTEM32\BAHEZIDO.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{6584587c-6110-43ef-912c-1d24d34feb6f}
HKCR\CLSID\{6584587C-6110-43EF-912C-1D24D34FEB6F}
HKCR\CLSID\{6584587c-6110-43ef-912c-1d24d34feb6f}\InprocServer32
HKCR\CLSID\{6584587c-6110-43ef-912c-1d24d34feb6f}\InprocServer32#ThreadingModel
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#suyegonuj



Thanks again! :D
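Added example, not part of the post and not RootRepeal's own code: a Python triage script that reduces a RootRepeal report like the one above to the SSDT hooks per hooking module and the hidden IRP dispatch code per driver. The embedded sample report is constructed from a few of the entries above, garbled driver name included.

```python
"""Triage summary for a RootRepeal report.

Added example, not part of the original thread and not RootRepeal's own code.
It reads the text report RootRepeal saves (the format quoted in the post above)
and condenses the two sections a helper reads first: the SSDT entries, grouped
by the module that hooks them, and the "Hidden Code" IRP entries under Stealth
Objects, grouped by driver. It only organises the evidence: an SSDT hook placed
by an installed security product's own driver is expected, and every module
still has to be attributed by hand.
"""
import re
from collections import defaultdict

SSDT_RE = re.compile(
    r'^#: (\d+) Function Name: (\w+)[ \t]*\n'
    r'Status: Hooked by "([^"]+)" at address (0x[0-9A-Fa-f]+)',
    re.MULTILINE,
)
IRP_RE = re.compile(
    r'^Object: Hidden Code \[Driver: ([^,\]]+), (IRP_MJ_\w+)\][ \t]*\n'
    r'Process: (\S+) Address: (0x[0-9A-Fa-f]+) Size: (\d+)',
    re.MULTILINE,
)


def clean_driver_name(raw):
    """RootRepeal sometimes appends stray non-ASCII characters to a driver name
    (the thread's log shows that for Udfs and Cdfs); keep the printable part."""
    return re.sub(r"[^\x20-\x7e]", "", raw).strip()


def module_basename(path):
    """'C:\\...\\kmxagent.sys' -> 'kmxagent.sys'; a bare name is returned as-is."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def summarize_rootrepeal(report):
    """Return {'ssdt': {module: [(index, function, address, module_as_printed)]},
               'irp':  {driver: {'address': set, 'size': set, 'irps': [list]}}}."""
    ssdt = defaultdict(list)
    irp = {}
    for idx, func, module, addr in SSDT_RE.findall(report):
        ssdt[module_basename(module)].append((int(idx), func, addr.lower(), module))
    for drv, mj, _proc, addr, size in IRP_RE.findall(report):
        entry = irp.setdefault(clean_driver_name(drv),
                               {"address": set(), "size": set(), "irps": []})
        entry["address"].add(addr.lower())
        entry["size"].add(int(size))
        entry["irps"].append(mj)
    return {"ssdt": dict(ssdt), "irp": irp}


def findings(summary):
    """Plain-language observations to put at the top of a reply."""
    notes = []
    for mod, hooks in summary["ssdt"].items():
        printed = hooks[0][3]
        where = "full path printed" if "\\" in printed else "file name only, no path"
        notes.append(f"{mod} hooks {len(hooks)} SSDT entries ({where}): "
                     + ", ".join(h[1] for h in hooks))
    drivers = summary["irp"]
    sizes = {s for e in drivers.values() for s in e["size"]}
    one_addr_each = all(len(e["address"]) == 1 for e in drivers.values())
    if len(drivers) > 1 and len(sizes) == 1 and one_addr_each:
        notes.append(f"{len(drivers)} drivers carry hidden IRP dispatch code of the same "
                     f"size ({next(iter(sizes))} bytes), one address per driver: "
                     + ", ".join(sorted(drivers)))
    return notes


# Constructed sample modelled on the report quoted in the post above
# (a few entries only; the garbled Udfs name is reproduced on purpose).
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/06 21:12
==================================================

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spkb.sys" at address 0xb9eab0e0

#: 119 Function Name: NtOpenKey
Status: Hooked by "spkb.sys" at address 0xb9eab0c0

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\kmxagent.sys" at address 0xb5cb7ce8

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_CREATE]
Process: System Address: 0x8a8de500 Size: 121

==EOF==
"""

if __name__ == "__main__":
    for note in findings(summarize_rootrepeal(SAMPLE_REPORT)):
        print("-", note)
```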

#4 garmanma


Posted 07 October 2009 - 05:23 PM

Now that you were successful in creating those two logs, you need to post them in our HJT forum:
First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry, just give a brief description and tell them that these logs were all you could get to run successfully.

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient and good luck.
Mark

#5 frostybaby13


Posted 19 October 2009 - 12:10 AM

To the people who have been able to beat the "mbam won't run after install, exe is missing, mbamgui.exe file in its place" How were you able to solve the problem??? I've read a few Security Tool help me posts, and several people found a work around, so I'm hopeful one exists.

I'm still patiently waiting for a response in the other hijacks forum, meanwhile I have new information - but it would be log bumping to post it there - whereas here I've already been helped (thanks again :D) and this added update info might help others who are experiencing the same confusion!

My step by step process keeping Security Tool at bay... till today =/

I thought I had it beaten to a manageable level while I waited... by installing SuperAntiSpyware AFTER the Security Tool fiasco. By some miracle - it worked, using the "alternate start" in safe mode. The most visible signs of Security Tool were gone. All the malware removal tools were still disabled, a new "administrator" account had appeared in my login when I checked in safemode, the SAS scan had it narrowed to a single file in the memory and its pair in a file - when I'd manually find that file and try to delete it - it said I didn't have access permission. When I checked access permission by right clicking properties in safe mode, it said I DID. But I couldn't delete it.

This meant, anytime I used highspeed to connect to the internet - Security Tool would reappear. Using a different set of numbers, as it's usually a string 8097489765.exe, each time. Each time that happened, I followed the same steps.
1. Open Process Explorer and kill it if it had activated.
2. Delete it from registry HKCU/Software/SecurityTool HKLM/Software/Microsoft/Windows/CurrentVersion/Run/8794839873 <--whatever the current name
3. Reboot in safe, run SuperAntiSpyware from their Alternate Start method and get those newbies taken care of.
4. When SAS asked to reboot, Windows would never let me back into it without choosing "last known good config" so I would, knowing viruses could hide in the memories, and knowing that's the particular file that continues to pop up no matter the removal tools I use - I'd choose it.

So Windows would pop back open, I'd have my desktop back, no visible Security Tool flashing - and I could even connect to the internet using dialup without any kind of virus flare-ups. However, when I had to use satellite to update or such - this would all happen again.

Today, a large kink which may drive me to drinkin' ! Saw the signs of Security Tool upon a reboot. Went for Process Explorer - oop, wouldn't open. Oh no!!! Rebooted in Safe mode, clicked SAS 'alternate start' OH NO - not working either!!! :flowers: I redownloaded SAS, and tried it again - along with rename for good measure, same problem.

I'm convinced, if only I could get ONE malware removal tool to work, I could keep this virus in check until the situation can hopefully be resolved. If anyone -I mean regular posters, not begging the experts who deal case by case- has found a way to get MBAM, or Superantispyware, Drwebcureit, any of those guys to run - despite this Security Tool scourge - please let us know...Step by step!

Thanks so much! You guys rock! :thumbsup:

#6 Orange Blossom


Posted 24 October 2009 - 12:28 AM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/262924/security-tool-haxdoor-e-referred-here/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take a few more days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup: