
Advanced Virus Scanner has taken over my laptop, MAJOR infection


  • This topic is locked
26 replies to this topic

#1 RealTalk

RealTalk

  • Members
  • 57 posts
  • OFFLINE
  • Local time:11:08 AM

Posted 05 October 2009 - 10:26 PM

http://www.bleepingcomputer.com/forums/t/261649/advanced-virus-remover-has-taken-over-my-lap-top/

I was online today on my laptop, and my pages started going really slow all of a sudden. Then when I tried to end task to close them, it closed out and changed my background to something that said something like "adware has taken over your computer, run your antivirus software to fix it," or something like that. I clicked my virus scanner but it wouldn't load, so I tried to restart my computer.

Every time I restart my computer normally, it just goes to a blank screen. It shows my normal background, but absolutely nothing loads. If I try to do Control-Alt-Delete, it says Task Manager has been disabled, then tries to load up the Advanced Virus Scanner and do a scan.

So I looked some stuff up and found instructions on how to use Malwarebytes to get rid of it. Downloaded Malwarebytes on a different computer (the one I'm using now), turned on my laptop in safe mode, and moved Malwarebytes onto the laptop to run it. Installation worked fine, and I thought it was going to work. So I clicked quick scan, and when I did it just closed the program and didn't scan. Then I tried to do a system restore, but when I click System Restore it says it's disabled by the administrator (which it's not; somehow Advanced Virus Remover has done this). Tried to load up Malwarebytes again, and it too is disabled by the administrator.

Tried to load up in the last known configuration that works, and it basically just sat on the blue loading Windows screen and nothing happened.

I am out of ideas, does anyone have anything? This is definitely the worst I've ever had. I use that laptop for school, so the sooner I can get it working again the better.

Someone please help, or at least let me know that there's nothing that can be done if that's the case. I need this computer to be usable for school; right now if no one helps me I think my only options are reinstalling Windows or paying an assload of money for some expert to fix it.

---------

That is the first post I made about it, along with the instructions I was given that eventually netted me a log I was able to get. Here is the log:

Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB913580\KB913580

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16A.tmp\ZAP16A.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP256.tmp\ZAP256.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP271.tmp\ZAP271.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP289.tmp\ZAP289.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2A9.tmp\ZAP2A9.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2F.tmp\ZAP2F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4D.tmp\ZAP4D.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5D.tmp\ZAP5D.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP74.tmp\ZAP74.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB8.tmp\ZAPB8.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109A10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\OfficeAssistant\Microsoft Office Tools\Microsoft Office Tools

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Options\CABS\CABS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Options\Install\Install

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\66b1d8e81a20b4b541ab3e558f2fd638\66b1d8e81a20b4b541ab3e558f2fd638

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 08:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!

-----------------

I was unable to get a DDS/HJT log to work. When I double-clicked on the file he told me to download, it came up with a black screen that looked like it was starting to run, then just disappeared. I could keep double-clicking to get that same effect, but I don't think it was making any progress towards anything.

----------------

Scanned the forums, and I'm pretty sure I have the same problem as this guy had:

http://www.bleepingcomputer.com/forums/t/250347/major-infection-multiple-fake-antivirus-programs-task-manager-disabled-unable-to-run-scans-or-open-most-programs/

And it looks like he ended up having to reformat his drive. If that's all I can do to save my computer, can you just give me some instructions on what exactly to do? I have my Windows XP disc that came with my laptop, so I should be able to do it if needed.

I have a lot of things on that computer though, so if it's at all possible to recover the computer normally I'd love to. Just tell me what to do, this is really stressful. Never had anything like this one.
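As an added example (not part of this thread and not Win32kDiag's own code), here is a small Python triage script for the log format posted above: it parses the mount points with their destinations and the "Cannot access" entry with the candidate copies listed under it, flags a mount point whose destination is not a DOS path or volume device or whose last component repeats its parent directory, and flags an inaccessible system file whose copy carries no company name or differs in size from a backup copy with the same timestamp. The sample log is a constructed, compacted excerpt; the mount point "C:\WINDOWS\mountdemo" and its volume destination are made up as a benign control, and the "normal destination" prefixes are the script's own assumption.

```python
"""Triage helper for Win32kDiag logs in the layout posted above (added example)."""
import ntpath
import re

# Constructed sample in the layout of the posted log, blank lines removed. The
# last mount point is made up as a benign control (a normal volume mount point).
SAMPLE_LOG = r"""Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\mountdemo
Mount point destination : \??\Volume{00000000-0000-0000-0000-000000000000}\
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-04 08:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
[1] 2008-04-13 20:11:53 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2008-04-13 20:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# "[group] date time size path (company)"; the company field may be empty.
CAND_RE = re.compile(
    r"^\[(\d+)\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (.+?) \((.*)\)$")
# Assumption: a legitimate mount point resolves to a DOS path or a volume device.
NORMAL_DEST_PREFIXES = ("\\??\\", "\\Device\\HarddiskVolume")


def parse_win32kdiag(text):
    """(path, destination) pairs plus the candidate copies under each 'Cannot access'."""
    mounts, inaccessible = [], {}
    pending = current = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := MOUNT_RE.match(line):
            pending, current = m.group(1), None
        elif (m := DEST_RE.match(line)) and pending is not None:
            mounts.append((pending, m.group(1)))
            pending = None
        elif m := CANNOT_RE.match(line):
            current = m.group(1)
            inaccessible[current] = []
        elif (m := CAND_RE.match(line)) and current is not None:
            inaccessible[current].append({
                "group": int(m.group(1)), "timestamp": m.group(2),
                "size": int(m.group(3)), "path": m.group(4),
                "company": m.group(5)})
    return {"mount_points": mounts, "inaccessible": inaccessible}


def flag_mount_points(parsed):
    """Mount points worth a second look, each with the reasons it was flagged."""
    findings = []
    for path, dest in parsed["mount_points"]:
        reasons = []
        if not dest.startswith(NORMAL_DEST_PREFIXES):
            reasons.append("destination is not a path or volume: " + dest)
        parts = path.rstrip("\\").split("\\")
        if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
            reasons.append("junction named after its own parent directory")
        if reasons:
            findings.append((path, reasons))
    return findings


def flag_inaccessible(parsed):
    """Compare each inaccessible system file with the other copies listed."""
    findings = []
    for target, cands in parsed["inaccessible"].items():
        base = ntpath.basename(target).lower()
        live = [c for c in cands if c["path"].lower() == target.lower()]
        if not live:
            findings.append((target, ["no readable copy of the file itself"]))
            continue
        live, reasons = live[0], []
        if not live["company"]:
            reasons.append("version info carries no company name")
        for c in cands:
            if c is live or ntpath.basename(c["path"]).lower() != base:
                continue
            if c["timestamp"] == live["timestamp"] and c["size"] != live["size"]:
                reasons.append("same timestamp as %s but size %d, not %d"
                               % (c["path"], live["size"], c["size"]))
        if reasons:
            findings.append((target, reasons))
    return findings


def triage(text):
    parsed = parse_win32kdiag(text)
    return {"mount_points": flag_mount_points(parsed),
            "files": flag_inaccessible(parsed)}
```

Run on the posted log, the same rules flag every mount point that resolves to `\Device\__max++>\^` and the system32 copy of eventlog.dll, which is the pair of findings the helper's next instructions act on.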


#2 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:08 PM

Posted 06 October 2009 - 07:16 AM

Hi RealTalk,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning with another tool, updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • Go to Start > Run, copy/paste the following line into the Run box and click OK.

    sc config eventlog start= disabled

  • Important: Reboot the computer.

  • Download RootRepeal.exe from one of these download locations and save it on the C drive:
    http://download.bleepingcomputer.com/rootr.../RootRepeal.exe
    http://ad13.geekstogo.com/RootRepeal.exe
    http://rootrepeal.psikotick.com/RootRepeal.exe
    • Open Posted Image.
    • Click the Posted Image tab.
    • Click the Posted Image button.
    • Check all seven boxes: Posted Image
    • Click Ok.
    • Check the box for your main system drive (Usually C:), and press Ok.
    • Allow RootRepeal to run a scan of your system. This may take some time.
    • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
  • We need to run the tool with the following command to fix some malware related changes.
    Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK:

    "%userprofile%\desktop\win32kdiag.exe" -f -r

    When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

  • This time we want to run ComboFix. This is a major step. Please be precise: make sure to rename it, save it on your desktop, and let it download and install the Recovery Console.

    Download Combofix from any of the links below. You must rename it to far.exe before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3

    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications so that they remain disabled after ComboFix restarts the computer; otherwise ComboFix might not run after the reboot to do the job. (Information on A/V control HERE)

    Double click on renamed ComboFix & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt.
    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Edited by farbar, 06 October 2009 - 07:21 AM.


#3 RealTalk

RealTalk
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  • Local time:11:08 AM

Posted 06 October 2009 - 12:46 PM

Thank you for the help.

OK, I was able to get everything to work up until step 5. Keep in mind that the only way I can access anything on my computer is in safe mode. If I sign into it normally, I just get bogus error messages and nothing on my desktop loads. Nothing else, including Task Manager, works.

In safe mode the little avast icon doesn't appear in the bottom right, so I don't know how to disable on-access protection. I followed these directions to delay its start-up, but when I went to run ComboFix it told me that avast on-access protection was running and that it could damage my computer to proceed, so I exited out and shut my laptop down. What do you recommend doing now? I'm hesitant to just delete avast because I can't redownload it until this whole mess is over with, but if that's what's best, I'll do that. One other question: I saved it as "far.exe", but I was a bit confused because the written directions say to save it as fix.exe, but the picture says to save it as Combo-Fix.exe. Which one is it?

Here are the logs I got.

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/10/06 13:10
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF8004000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8B0B000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP4300
Image Path: \Driver\PCI_PNP4300
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF7C1C000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spph.sys
Image Path: spph.sys
Address: 0xF84A5000 Size: 1036288 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: Volume C:\, Sector 3
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 5
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 7
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 9
Status: Sector mismatch

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 13
Status: Sector mismatch

Path: Volume C:\, Sector 14
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 16
Status: Sector mismatch

Path: Volume C:\, Sector 17
Status: Sector mismatch

Path: Volume C:\, Sector 18
Status: Sector mismatch

Path: Volume C:\, Sector 19
Status: Sector mismatch

Path: Volume C:\, Sector 20
Status: Sector mismatch

Path: Volume C:\, Sector 21
Status: Sector mismatch

Path: Volume C:\, Sector 22
Status: Sector mismatch

Path: Volume C:\, Sector 23
Status: Sector mismatch

Path: Volume C:\, Sector 24
Status: Sector mismatch

Path: Volume C:\, Sector 25
Status: Sector mismatch

Path: Volume C:\, Sector 26
Status: Sector mismatch

Path: Volume C:\, Sector 27
Status: Sector mismatch

Path: Volume C:\, Sector 28
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 30
Status: Sector mismatch

Path: Volume C:\, Sector 31
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 34
Status: Sector mismatch

Path: Volume C:\, Sector 35
Status: Sector mismatch

Path: Volume C:\, Sector 36
Status: Sector mismatch

Path: Volume C:\, Sector 37
Status: Sector mismatch

Path: Volume C:\, Sector 38
Status: Sector mismatch

Path: Volume C:\, Sector 39
Status: Sector mismatch

Path: Volume C:\, Sector 40
Status: Sector mismatch

Path: Volume C:\, Sector 41
Status: Sector mismatch

Path: Volume C:\, Sector 42
Status: Sector mismatch

Path: Volume C:\, Sector 43
Status: Sector mismatch

Path: Volume C:\, Sector 44
Status: Sector mismatch

Path: Volume C:\, Sector 45
Status: Sector mismatch

Path: Volume C:\, Sector 46
Status: Sector mismatch

Path: Volume C:\, Sector 47
Status: Sector mismatch

Path: Volume C:\, Sector 48
Status: Sector mismatch

Path: Volume C:\, Sector 49
Status: Sector mismatch

Path: Volume C:\, Sector 50
Status: Sector mismatch

Path: Volume C:\, Sector 51
Status: Sector mismatch

Path: Volume C:\, Sector 52
Status: Sector mismatch

Path: Volume C:\, Sector 53
Status: Sector mismatch

Path: Volume C:\, Sector 54
Status: Sector mismatch

Path: Volume C:\, Sector 55
Status: Sector mismatch

Path: Volume C:\, Sector 56
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 58
Status: Sector mismatch

Path: Volume C:\, Sector 59
Status: Sector mismatch

Path: Volume C:\, Sector 60
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: C:\WINDOWS\Connection Wizard\Connection Wizard
Status: Locked to the Windows API!

Path: C:\WINDOWS\Config\Config
Status: Locked to the Windows API!

Path: C:\WINDOWS\PIF\PIF
Status: Locked to the Windows API!

Path: c:\windows\system32\bulawasi.exe
Status: Allocation size mismatch (API: 327680, Raw: 196608)

Path: C:\WINDOWS\system32\gasfkyfpxvyqxm.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyhbostixt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyivnmrsvp.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkytvpiqlte.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyykrirnsn.dll
Status: Invisible to the Windows API!

Path: c:\windows\system32\popujubi.exe
Status: Allocation size mismatch (API: 262144, Raw: 196608)

Path: C:\WINDOWS\mui\mui
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB902400\KB902400
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB912945\KB912945
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB913580\KB913580
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB920213\KB920213
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB924496\KB924496
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB925454\KB925454
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB928090\KB928090
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB929338\KB929338
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB931768\KB931768
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB931784\KB931784
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB932168\KB932168
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB933566\KB933566
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB937143\KB937143
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB939653\KB939653
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB942615\KB942615
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB943460\KB943460
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB944533\KB944533
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\temp\temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\tmp\tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Debug\UserMode\UserMode
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp98\imejp98
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\classes\classes
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\trustlib\trustlib
Status: Locked to the Windows API!

Path: C:\WINDOWS\Options\CABS\CABS
Status: Locked to the Windows API!

Path: C:\WINDOWS\Options\Install\Install
Status: Locked to the Windows API!

Path: C:\WINDOWS\Registration\CRMLog\CRMLog
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\gasfkyoirxngio.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Status: Locked to the Windows API!

Path: C:\WINDOWS\msapps\msinfo\msinfo
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\chsime\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\CHTIME\Applets\Applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imjp8_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\dicts\dicts
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\shared\res\res
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\OfficeAssistant\Microsoft Office Tools\Microsoft Office Tools
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Temp\Temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\66b1d8e81a20b4b541ab3e558f2fd638\66b1d8e81a20b4b541ab3e558f2fd638
Status: Locked to the Windows API!

Path: C:\WINDOWS\Sun\Java\Deployment\Deployment
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16A.tmp\ZAP16A.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP256.tmp\ZAP256.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP271.tmp\ZAP271.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP289.tmp\ZAP289.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2A9.tmp\ZAP2A9.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2F.tmp\ZAP2F.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4D.tmp\ZAP4D.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5D.tmp\ZAP5D.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP74.tmp\ZAP74.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB8.tmp\ZAPB8.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Config\News\News
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109A10090400000000000F01FEC\12.0.4518\12.0.4518
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian!\Local Settings\Apps\2.0\Y5YBRY1E.0EA\575GLNQW.4BH\manifests\clickonce_bootstrap.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Brian!\Local Settings\Apps\2.0\Y5YBRY1E.0EA\575GLNQW.4BH\manifests\clickonce_bootstrap.exe.manifest
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spph.sys" at address 0xf84a60e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spph.sys" at address 0xf84c3ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spph.sys" at address 0xf84c4030

#: 119 Function Name: NtOpenKey
Status: Hooked by "spph.sys" at address 0xf84a60c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spph.sys" at address 0xf84c4108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spph.sys" at address 0xf84c3f88

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spph.sys" at address 0xf84c419a

Stealth Objects
-------------------
Object: Hidden Module [Name: gasfkyykrirnsn.dll]
Process: svchost.exe (PID: 444) Address: 0x00820000 Size: 57344

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x82f6d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x82b591f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x82b591f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x82b591f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x82b591f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82b591f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82b591f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x82b591f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x82b591f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82b591f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82b591f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82b591f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82b591f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82b591f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82b591f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82b591f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82b591f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x82b591f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x82b591f8 Size: 121

Object: Hidden Code [Driver: UdfsЅ఍䵃慄$歶 4, IRP_MJ_CREATE]
Process: System Address: 0x82c6b1f8 Size: 121

Object: Hidden Code [Driver: UdfsЅ఍䵃慄$歶 4, IRP_MJ_CLOSE]
Process: System Address: 0x82c6b1f8 Size: 121

Object: Hidden Code [Driver: UdfsЅ఍䵃慄$歶 4, IRP_MJ_READ]
Process: System Address: 0x82c6b1f8 Size: 121

Object: Hidden Code [Driver: UdfsЅ఍䵃慄$歶 4, IRP_MJ_WRITE]
Process: System Address: 0x82c6b1f8 Size: 121

Object: Hidden Code [Driver: UdfsЅ఍䵃慄$歶 4, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82c6b1f8 Size: 121

Object: Hidden Code [Driver: UdfsЅ఍䵃慄$歶 4, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82c6b1f8 Size: 121

Object: Hidden Code [Driver: UdfsЅ఍䵃慄$歶 4, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82c6b1f8 Size: 121

Object: Hidden Code [Driver: UdfsЅ఍䵃慄$歶 4, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82c6b1f8 Size: 121

Object: Hidden Code [Driver: UdfsЅ఍䵃慄$歶 4, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82c6b1f8 Size: 121

Object: Hidden Code [Driver: UdfsЅ఍䵃慄$歶 4, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82c6b1f8 Size: 121

Object: Hidden Code [Driver: UdfsЅ఍䵃慄$歶 4, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82c6b1f8 Size: 121

Object: Hidden Code [Driver: UdfsЅ఍䵃慄$歶 4, IRP_MJ_CLEANUP]
Process: System Address: 0x82c6b1f8 Size: 121

Object: Hidden Code [Driver: UdfsЅ఍䵃慄$歶 4, IRP_MJ_PNP]
Process: System Address: 0x82c6b1f8 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_CREATE]
Process: System Address: 0x82da01f8 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_CLOSE]
Process: System Address: 0x82da01f8 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82da01f8 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82da01f8 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_POWER]
Process: System Address: 0x82da01f8 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82da01f8 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_PNP]
Process: System Address: 0x82da01f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x82daa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x82daa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x82daa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x82daa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82daa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82daa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82daa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82daa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x82daa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82daa500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x82daa500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x82e911f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x82e911f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82e911f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82e911f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x82e911f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82e911f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x82e911f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x82f6f1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x82f6f1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x82f6f1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82f6f1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82f6f1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82f6f1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82f6f1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x82f6f1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x82f6f1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82f6f1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x82f6f1f8 Size: 121

Object: Hidden Code [Driver: KR10N, IRP_MJ_CREATE]
Process: System Address: 0x82f6e1f8 Size: 121

Object: Hidden Code [Driver: KR10N, IRP_MJ_CLOSE]
Process: System Address: 0x82f6e1f8 Size: 121

Object: Hidden Code [Driver: KR10N, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82f6e1f8 Size: 121

Object: Hidden Code [Driver: KR10N, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82f6e1f8 Size: 121

Object: Hidden Code [Driver: KR10N, IRP_MJ_POWER]
Process: System Address: 0x82f6e1f8 Size: 121

Object: Hidden Code [Driver: KR10N, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82f6e1f8 Size: 121

Object: Hidden Code [Driver: KR10N, IRP_MJ_PNP]
Process: System Address: 0x82f6e1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x82deb1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x82deb1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82deb1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82deb1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x82deb1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82deb1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x82deb1f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_CREATE]
Process: System Address: 0x82b511f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_CLOSE]
Process: System Address: 0x82b511f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_READ]
Process: System Address: 0x82b511f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82b511f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82b511f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82b511f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82b511f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82b511f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82b511f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82b511f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82b511f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_CLEANUP]
Process: System Address: 0x82b511f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅఉ瑎捦܉@考, IRP_MJ_PNP]
Process: System Address: 0x82b511f8 Size: 121

Hidden Services
-------------------
Service Name: gasfkypqqhkdqq
Image Path: C:\WINDOWS\system32\drivers\gasfkyoirxngio.sys

==EOF==

============================================================

Running from: C:\Documents and Settings\Administrator\desktop\win32kdiag.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Found mount point : C:\WINDOWS\$hf_mig$\KB913580\KB913580

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB913580\KB913580

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB944533\KB944533

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16A.tmp\ZAP16A.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP16A.tmp\ZAP16A.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP256.tmp\ZAP256.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP256.tmp\ZAP256.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP271.tmp\ZAP271.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP271.tmp\ZAP271.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP289.tmp\ZAP289.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP289.tmp\ZAP289.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2A9.tmp\ZAP2A9.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2A9.tmp\ZAP2A9.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2F.tmp\ZAP2F.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2F.tmp\ZAP2F.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4D.tmp\ZAP4D.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4D.tmp\ZAP4D.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5D.tmp\ZAP5D.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP5D.tmp\ZAP5D.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP74.tmp\ZAP74.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP74.tmp\ZAP74.tmp

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB8.tmp\ZAPB8.tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB8.tmp\ZAPB8.tmp

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\temp\temp

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\assembly\tmp\tmp

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Debug\UserMode\UserMode

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\chsime\applets\applets

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp\applets\applets

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imejp98\imejp98

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\ime\shared\res\res

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109A10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109A10090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Found mount point : C:\WINDOWS\Installer\OfficeAssistant\Microsoft Office Tools\Microsoft Office Tools

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Installer\OfficeAssistant\Microsoft Office Tools\Microsoft Office Tools

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\classes\classes

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\java\trustlib\trustlib

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\msapps\msinfo\msinfo

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\mui\mui

Found mount point : C:\WINDOWS\Options\CABS\CABS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Options\CABS\CABS

Found mount point : C:\WINDOWS\Options\Install\Install

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Options\Install\Install

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Config\News\News

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\PIF\PIF

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded

Found mount point : C:\WINDOWS\SoftwareDistribution\Download\66b1d8e81a20b4b541ab3e558f2fd638\66b1d8e81a20b4b541ab3e558f2fd638

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\SoftwareDistribution\Download\66b1d8e81a20b4b541ab3e558f2fd638\66b1d8e81a20b4b541ab3e558f2fd638

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Finished!

Edited by RealTalk, 06 October 2009 - 12:47 PM.


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:08 PM

Posted 06 October 2009 - 02:56 PM

Let's wait on running ComboFix. Renaming it is not a problem, let it be far.exe and when we run it please don't hesitate to uninstall Avast or any other security program like Spybot or any other security program running at start up. Also disable Windows Defender if it is installed.

There are multiple rootkits and rogue infections and we have to take them one by one. Avast and many other antiviruses can't do anything about them as they need special treatment.

You can do all the following steps in Safe Mode:
  • Please download mbr.exe from the following link and save it to your desktop: http://www2.gmer.net/mbr/mbr.exe
    • Double click mbr.exe to run it. You will see a very brief flash of a "dos" box, which then disappears. This is normal.
    • The tool creates a log (mbr.log) on your desktop. Copy and paste the content of that log to your reply.
  • We need to scan the system with this special tool.
    • Please download Junction.zip and save it.
    • First unzip. If it is extracted/unzipped to a folder open the folder and put junction.exe inside it on the desktop. Make sure the file itself is on the desktop. It should look like this: [image]
    • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

      cmd /c "%userprofile%\desktop\junction.exe" -s c:\ >log.txt&log.txt

      A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.

Edited by farbar, 06 October 2009 - 02:58 PM.
Spelling
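A small triage script for the kind of output Win32kDiag produced above and for the reparse-point scan Farbar asks for here. This is an added example, not code from the thread or from the Win32kDiag or Junction tools; the sample log is constructed in the Win32kDiag format (the `\Device\__max++>\^` destination is the one the log above reports; the two `\??\` entries are invented benign junctions for contrast). Both heuristics are assumptions stated in the code: a junction made by normal Windows tooling carries a substitute name under the `\??\` prefix (a drive path or `\??\Volume{GUID}\`), and every planted junction in the log above is a child directory named after its own parent (`...\Config\Config`).

```python
"""Triage Win32kDiag-style mount point output for rootkit-created junctions.

Added example for this thread; not the tool's own code. The two heuristics
are assumptions documented inline, and a hit is a lead to verify, not proof.
"""
import sys
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in the Win32kDiag output format quoted in the thread.
# \Device\__max++>\^ is the destination the thread's log reports; the two
# \??\ entries are invented benign junctions for contrast.
SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\Administrator\desktop\win32kdiag.exe

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\Config\Config

Found mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB902400\KB902400

Found mount point : C:\Documents and Settings\All Users\Shared

Mount point destination : \??\D:\Shared

Found mount point : C:\Mount\Backup

Mount point destination : \??\Volume{11111111-2222-3333-4444-555555555555}

Finished!
"""

FOUND = "Found mount point : "
DEST = "Mount point destination : "


def parse_mount_points(log: str) -> List[Tuple[str, str]]:
    """Pair each 'Found mount point' line with the destination line after it."""
    pairs = []
    pending = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith(FOUND):
            pending = line[len(FOUND):]
        elif line.startswith(DEST) and pending is not None:
            pairs.append((pending, line[len(DEST):]))
            pending = None
    return pairs


def suspicion_reasons(path: str, dest: str) -> List[str]:
    r"""Return why a junction looks planted (empty list means nothing odd).

    Heuristic 1 (assumption): junctions made by mklink /J, junction.exe or a
    volume mount point carry a substitute name under the \??\ prefix (a drive
    path or \??\Volume{GUID}\). A raw \Device\ path is what a kernel component
    writes, and __max++> is not a device name Windows itself creates.
    Heuristic 2 (pattern visible in the thread's log): every planted junction
    is a child directory named after its own parent, e.g. ...\Config\Config.
    """
    reasons = []
    if not dest.startswith("\\??\\"):
        reasons.append("destination is a raw object-manager path, not \\??\\")
    parts = path.rstrip("\\").split("\\")
    if len(parts) >= 2 and parts[-1].lower() == parts[-2].lower():
        reasons.append("junction is named after its parent directory")
    return reasons


def triage(log: str) -> Dict[str, object]:
    """Summarise parsed junctions: which look planted and which target is shared."""
    pairs = parse_mount_points(log)
    suspicious = []
    for path, dest in pairs:
        reasons = suspicion_reasons(path, dest)
        if reasons:
            suspicious.append((path, dest, reasons))
    # One destination reused by many junctions points at a single hidden
    # device object that every redirected directory lookup lands in.
    shared = Counter(dest for _, dest, _ in suspicious)
    return {
        "total": len(pairs),
        "suspicious": suspicious,
        "shared_destinations": {d: n for d, n in shared.items() if n > 1},
    }


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    report = triage(text)
    print(f"{report['total']} mount points parsed, {len(report['suspicious'])} suspicious")
    for path, dest, reasons in report["suspicious"]:
        print(f"  {path}\n    -> {dest}\n    {'; '.join(reasons)}")
    for dest, n in report["shared_destinations"].items():
        print(f"shared destination {dest} used by {n} junctions")
    return 1 if report["suspicious"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample triaged, or pass the path of a saved Win32kDiag.txt. The script only reads the log; the "Removing mount point" lines are ignored because the removal is the tool's business, and the exit code makes it easy to drop into a batch of post-cleanup checks.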


#5 RealTalk

RealTalk
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  •  
  • Local time:11:08 AM

Posted 06 October 2009 - 03:37 PM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
kernel: MBR read successfully
BIOS signateure not found

^^^ that's all I got from the MBR thing

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright © 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

Failed to open \\?\c:\\0af239111f1ed783e03290\msxml4-KB927978-enu.log: Access is denied.

Failed to open \\?\c:\\21d580fe7085201c3fdc\msxml4-KB927978-enu.log: Access is denied.

Failed to open \\?\c:\\2f011e7fa1e027f8d4abdc2b09bc0cfa\msxml4-KB927978-enu.log: Access is denied.

Failed to open \\?\c:\\33ca7354e44cd96d5fe0fcb5\msxml4-KB927978-enu.log: Access is denied.

Failed to open \\?\c:\\48cf6e8a363c726195\msxml4-KB927978-enu.log: Access is denied.

Failed to open \\?\c:\\53d1241187078fc656e58af1\msxml4-KB927978-enu.log: Access is denied.

Failed to open \\?\c:\\6064e0805953080dca\msxml4-KB927978-enu.log: Access is denied.

Failed to open \\?\c:\\67e6d1c59bef7e7fd063c2c0748b915b\msxml4-KB927978-enu.log: Access is denied.

Failed to open \\?\c:\\7634e39a71625bb8326b099f339b0b\msxml4-KB927978-enu.log: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\admparse.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\admparse.dll.mui: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\advpack.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\advpack.dll.mui: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\browseui.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\corpol.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\custsat.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\dxtmsft.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\dxtrans.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\extmgr.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\extmgr.dll.mui: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\feeddisc.wav: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\hmmapi.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\hmmapi.dll.mui: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\html.iec: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\html.iec.mui: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\icardie.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\icardie.dll.mui: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\icrav03.rat: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ie4uinit.exe: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ie4uinit.exe.mui: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ieakeng.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ieakeng.dll.mui: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ieakmmc.chm: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ieaksie.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ieaksie.dll.mui: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ieakui.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ieakui.dll.mui: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ieapfltr.dat: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ieapfltr.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\iedkcs32.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\iedkcs32.dll.mui: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\iedw.exe: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\iedw.exe.mui: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ieencode.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ieeula.chm: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ieframe.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ieframe.dll.mui: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\iepeers.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\iepeers.dll.mui: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ieproxy.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\iernonce.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\iernonce.dll.mui: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\iertutil.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\iesetup.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\iesetup.dll.mui: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\iesupp.chm: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ieudinit.exe: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ieui.dll: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ieui.dll.mui: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ieuinit.inf: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ieunatt.exe.mui: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\iexplore.chm: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\iexplore.exe: Access is denied.

Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\iexplore.exe.mui: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\imgutil.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\inetcorp.iem: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\inetcpl.cpl: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\inetcpl.cpl.mui: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\inetres.adm: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\inetset.iem: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\infobar.wav: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\inseng.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\inseng.dll.mui: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\install.ins: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\jscript.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\jsproxy.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\licmgr10.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\licmgr10.dll.mui: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\msfeeds.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\msfeeds.mof: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\msfeedsbs.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\msfeedsbs.dll.mui: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\msfeedsbs.mof: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\msfeedssync.exe: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\mshta.exe: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\mshta.exe.mui: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\mshtml.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\mshtml.dll.mui: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\mshtml.tlb: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\mshtmled.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\mshtmled.dll.mui: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\mshtmler.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\mshtmler.dll.mui: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\msls31.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\msrating.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\msrating.dll.mui: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\mstime.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\navstart.wav: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\occache.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\occache.dll.mui: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\occache.ini: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\pngfilt.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\popupblk.wav: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\shdocvw.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\shlwapi.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\spmsg.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\spuninst.exe: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\spupdsvc.exe: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\tdc.ocx: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\ticrf.rat: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\update: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\url.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\urlmon.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\urlmon.dll.mui: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\vbscript.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\vgx.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\webcheck.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\webcheck.dll.mui: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\webcheck.ini: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\winfxdocobj.exe: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\winfxdocobj.exe.mui: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\wininet.dll: Access is denied.



Failed to open \\?\c:\\7fe52c8e178d9da67fe911c7f84f6248\wininet.dll.mui: Access is denied.



Failed to open \\?\c:\\8a8d1bfad36a3665bb2434\msxml4-KB927978-enu.log: Access is denied.



Failed to open \\?\c:\\d0f878ff42e865bf2a\msxml4-KB927978-enu.log: Access is denied.



Failed to open \\?\c:\\d6821449e540d080ee8d3f90a77ab7\msxml4-KB927978-enu.log: Access is denied.


...
Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\eace8dad8f90332e9a51ff0f30fd95b1_2a776c46-75e5-457b-960c-163ac703e9e9: Access is denied.



Failed to open \\?\c:\\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp: Access is denied.




...

...

...

...

...

.
Failed to open \\?\c:\\e415ec74045d247118b1972b07\msxml4-KB927978-enu.log: Access is denied.



Failed to open \\?\c:\\ef2cef9a6a8af425ddc6e71d44c43575\msxml4-KB927978-enu.log: Access is denied.


..

...

...

...

...

...

...

...

...

...

.
Failed to open \\?\c:\\Program Files\Avast4\ashServ.exe: Access is denied.


..

...

...


Failed to open \\?\c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe: Access is denied.


...

...

...

...

...

...


Failed to open \\?\c:\\System Volume Information\MountPointManagerRemoteDatabase: Access is denied.


...

...

...

...

..\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e

.

...

...

...

...

...

...

...

...

...

...

...

...

#6 Farbar

Farbar
  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 06 October 2009 - 04:24 PM

We are going to run an updated Malwarebytes. You have to make sure to follow the instructions carefully and let it reboot to normal mode when it is instructed. We want to be able to boot to normal mode and do our fixes from there.
  • We need to reset the permissions altered by the malware on some files.
    • Download this tool and save it to the desktop: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
    • Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK:

      "%userprofile%\desktop\inherit" "c:\\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
      "%userprofile%\desktop\inherit" "c:\\Program Files\Avast4\ashServ.exe"

    • If you get a security warning select Run.
    • You will get a "Finish" popup. Click OK.
    • Do the same for the second line.
  • Please set your system to show file extensions:
    • Go to Start => My Computer => Control Panel => Folder Options.
    • Select the View Tab.
    • Uncheck: Hide file extensions for known file types
    • Click Apply and OK.
  • Please update MBAM manually. To do that download mbam-rules.exe.
    • Rename mbam-rules.exe to rules.ex to run it and let it install.
    • Using Windows Explorer (right-click Start > Explorer) navigate to the following folder: C:\Program Files\Malwarebytes' Anti-Malware
    • Locate the file mbam.exe and rename it to clear.com, then double-click to run it.
    • Wait until it opens up.
    • Select "Perform Quick Scan", then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy & paste the MBAM log after running it and removing what it finds, or removing files after reboot.
    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately and let it boot to normal mode.


#7 RealTalk

RealTalk
  • Topic Starter
  • Members
  • 57 posts

Posted 06 October 2009 - 05:10 PM

Dude, I love you, it let me sign into Windows normally for the first time in a week.

Some bad news though: it removed 74 things, but I can't find the log anywhere.

There were 3 things that it needed to restart to remove, and it did it I'm guessing, but I loaded up MBAM and went under the Logs tab, and there is nothing.

Either way though, I am signed in under normal mode, so we can start doing other things I guess. Is there a scan I should get you now? I hope we didn't lose any valuable info.

Also, should I avoid turning my laptop off? I'm going to leave it running until you give me further instructions; I'm afraid of turning it off and not being able to get back in.

#8 Farbar

Farbar
  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 06 October 2009 - 05:36 PM

Great. :(

You can turn off your laptop, but first please run another scan and post the log it makes this time. Please tell me if you have an internet connection; we need it to run ComboFix next round.

#9 RealTalk

RealTalk
  • Topic Starter
  • Members
  • 57 posts

Posted 06 October 2009 - 06:11 PM

EDIT: Ugh, after restarting to fix the things it needed to fix after reboot, it looks like things got worse. Before doing the 2nd scan, Windows seemed to be fully functional; somehow after restarting all of my icons are gone and I can't move my mouse. At the moment I'm trying to restart it to see if that helps, but since pressing the shut down button it's just sat there. All I can see is my background, the bar at the bottom with Start and my quick launch icons, and that's it. After restart I'll edit again with where we are at.

EDIT#2: Alright, 2nd restart worked fine. Except that I got a "RUNDLL" error message that said:

"Error loading zesupoma.dll
Acees is denied."

with OK as the only option.

Turning it off now and waiting for further directions....

Yes, I do have an internet connection. I've disabled it at the moment in case the virus could spread to other computers on our network, but it does work if needed.

Here's the new log, 22 more things found this time; didn't even use the laptop at all and still it found more stuff.

Malwarebytes' Anti-Malware 1.41
Database version: 2916
Windows 5.1.2600 Service Pack 3

10/6/2009 7:08:38 PM
mbam-log-2009-10-06 (19-08-38).txt

Scan type: Quick Scan
Objects scanned: 108803
Time elapsed: 5 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 3
Registry Values Infected: 6
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\zesupoma.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\susalade.dll (Trojan.Vundo) -> Delete on reboot.
\\?\globalroot\systemroot\system32\gasfkyivnmrsvp.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AVR (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ttool (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pimezezosi (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mserv (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\zesupoma.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\susalade.dll (Trojan.Vundo) -> Delete on reboot.
\\?\globalroot\systemroot\system32\gasfkyivnmrsvp.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tftp.nfo (Trojan.Downloader) -> Quarantined and deleted successfully.

Edited by RealTalk, 06 October 2009 - 06:23 PM.


#10 Farbar

Farbar
  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 06 October 2009 - 06:28 PM

Good job. Now please run it once more; I need to see what remains on the log.

#11 RealTalk

RealTalk
  • Topic Starter
  • Members
  • 57 posts

Posted 06 October 2009 - 06:55 PM

Here you go.

Avast went off a few times during the scanning this time, but I just said no action because you said not to do anything with any other programs.

Malwarebytes' Anti-Malware 1.41
Database version: 2916
Windows 5.1.2600 Service Pack 3

10/6/2009 7:53:30 PM
mbam-log-2009-10-06 (19-53-30).txt

Scan type: Quick Scan
Objects scanned: 108492
Time elapsed: 9 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\zesupoma.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\susalade.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gasfkypqqhkdqq (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pimezezosi (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\zesupoma.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\susalade.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gasfkyivnmrsvp.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\gasfkyhbostixt.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\gasfkyykrirnsn.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\gasfkyfpxvyqxm.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gasfkytvpiqlte.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gasfkyoirxngio.sys (Rootkit.TDSS) -> Delete on reboot.
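
Farbar's request in #10 ("run it once more, I need to see what remains on the log") comes down to comparing successive MBAM logs: which items were actually quarantined, which are still parked as "Delete on reboot", and whether the header counts match what was pasted. The script below is an added example written for this thread, not code from Malwarebytes or from anyone posting here; it assumes only the MBAM 1.x text layout quoted in the posts above. The sample log is constructed from the entries in post #11 (the date/version header is abridged).

```python
"""Summarise an MBAM 1.x log: what was removed, what still waits for "Delete on reboot",
and whether the header counts agree with the items listed.  Added example, not Malwarebytes' code."""
import re
from collections import Counter
from typing import NamedTuple

# Constructed sample: the log from post #11 above, date/version header abridged.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Scan type: Quick Scan

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\zesupoma.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\susalade.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gasfkypqqhkdqq (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pimezezosi (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\zesupoma.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\susalade.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gasfkyivnmrsvp.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\gasfkyhbostixt.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\gasfkyykrirnsn.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\gasfkyfpxvyqxm.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gasfkytvpiqlte.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gasfkyoirxngio.sys (Rootkit.TDSS) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected): (?P<count>\d+)$")   # header count line
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")                  # start of an item list
# "item (family) -> action"; for registry data items the action keeps the "Bad: (1) Good: (0) -> ..." prefix
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")


class Detection(NamedTuple):
    section: str
    item: str
    family: str
    action: str

    @property
    def pending(self) -> bool:
        """MBAM could not remove the item while it was loaded and deferred it to reboot."""
        return "Delete on reboot" in self.action


def parse_mbam_log(text):
    """Return (header counts by section, list of Detection) from an MBAM 1.x log."""
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            counts[m.group("name")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = DETECTION_RE.match(line) if section else None   # "(No malicious items detected)" never matches
        if m:
            detections.append(Detection(section, m.group("item"), m.group("family"), m.group("action")))
    return counts, detections


def report(text):
    """Totals, reboot-pending work, families seen, and header counts that disagree with the list."""
    counts, detections = parse_mbam_log(text)
    listed = Counter(d.section for d in detections)
    pending = [d for d in detections if d.pending]
    return {
        "total": len(detections),
        "quarantined": len(detections) - len(pending),
        "pending": len(pending),
        # a loaded DLL is listed under both Memory Modules and Files, so dedupe by path
        "unique_pending": sorted({d.item for d in pending}),
        "families": dict(Counter(d.family for d in detections)),
        # a mismatch means the paste was truncated or edited before posting
        "count_mismatches": {n: (c, listed[n]) for n, c in counts.items() if c != listed[n]},
    }


if __name__ == "__main__":
    r = report(SAMPLE_LOG)
    print(f"{r['total']} detections, {r['quarantined']} removed, {r['pending']} waiting for reboot:")
    print("\n".join("  " + p for p in r["unique_pending"]), r["count_mismatches"] or "")
```

Run as-is it reports the post #11 log: 13 listed detections, 5 already quarantined, 8 entries (6 distinct files) still deferred to reboot, all of them Vundo or TDSS. Pasting the next log into `report()` and checking that `unique_pending` empties out is the mechanical version of "see what remains"; a non-empty `count_mismatches` says the log was cut off in the paste and the helper is not seeing everything.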

#12 Farbar

Farbar
  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 06 October 2009 - 07:16 PM

Well done. :(

One or more of the identified infections is a backdoor trojan.

A backdoor Trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Some experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We have removed the major part of it and we can still try to clean this machine, and I can tell you later on if it looks safe. If you decide to remove the infection please go on with the following steps.


Removal Instructions
  • This time MBAM got to the root of it. I would like you to run MBAM once more and post the log.

  • Please perform the following scan:
    • Download DDS by sUBs from the following links. Save it to your desktop.
    • DDS.scr
    • DDS.pif
  • Double click on the DDS icon, allow it to run. When done it will open two logs:
    • DDS.txt
    • Attach.txt
  • Copy and paste the logs to your reply. No need to attach any of them.

It is too late here and I'm going to sleep now. I'll see the logs tomorrow and we'll take it from there.

#13 RealTalk

RealTalk
  • Topic Starter
  • Members
  • 57 posts

Posted 06 October 2009 - 08:35 PM

Thank you so much, man; I've never had someone on a forum like this be so helpful.

Damn, that's scary. I only use that computer for school papers and for checking sports and video game websites when I'm too lazy to walk to my PC. Actually I'm really shocked that it even got a virus in the first place since I hardly ever use the thing.

I disconnected it from the internet when I first got it turned on, so it's been off of there since. I'll try and fix it; we can see how that's going, and if it's not going well I'll just move any important files off of it and reformat. Ideally I'd not reformat, but if I have to I will.

The network this computer is hooked up to (when it was connected) does have a computer that is used for things that we wouldn't want a backdoor trojan to get ahold of, but none of the other computers in the house have picked up any problems since this one happened. I'll keep scanning them all though just in case. Is there any chance of it spreading like that even after we have destroyed it? If I'm putting others that I live with at risk, maybe it's best to just reformat. Another thing: I take this computer to my university campus and use it there. I'd hate to infect the university network; any chance of that?

Anyway, I did the scans you asked for; the MBAM looks a lot better than it did... here you go:

Malwarebytes' Anti-Malware 1.41
Database version: 2916
Windows 5.1.2600 Service Pack 3

10/6/2009 9:21:53 PM
mbam-log-2009-10-06 (21-21-52).txt

Scan type: Quick Scan
Objects scanned: 108504
Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pimezezosi (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\zesupoma.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

------------------------------------------


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12/25/2006 9:01:42 AM
System Uptime: 10/6/2009 9:23:24 PM (0 hours ago)

Motherboard: Intel Corporation | | MPAD-MSAE Customer Reference Boards
Processor: Genuine Intel CPU T2050 @ 1.60GHz | U1 | 1595/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 74 GiB total, 14.47 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel PRO/Wireless 3945ABG Network Connection
Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10408086&REV_02\4&2803E7C1&0&00E2
Manufacturer: Intel Corporation
Name: Intel PRO/Wireless 3945ABG Network Connection
PNP Device ID: PCI\VEN_8086&DEV_4222&SUBSYS_10408086&REV_02\4&2803E7C1&0&00E2
Service: w39n51

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
abgx360 v1.0.1
Ad-Aware SE Personal
Adobe Flash Player 10 ActiveX
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player 11
Anarchy Online Classic Edition
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Instant Messenger
AOL You've Got Pictures Screensaver
Apple Software Update
ArcSoft Software Suite
avast! Antivirus
Bluetooth Stack for Windows by Toshiba
CD/DVD Drive Acoustic Silencer
CDBurnerXP
CleanUp!
ClearType Tuning Control Panel Applet
CloneCD
Deus Ex
DVD-RAM Driver
FreeRIP v3.091
Google Chrome
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
ImgBurn
Intel Graphics Media Accelerator Driver
Intel PRO Network Connections Drivers
Intel PROSet/Wireless Software
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
iTunes
J2SE Runtime Environment 5.0 Update 4
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
mCore
mDrWiFi
Metamail (Toshiba Registration Utility)
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office OneNote 2003
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office XP Professional with FrontPage
Microsoft Reader
Microsoft Software Update for Web Folders (English) 12
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mXML
mZConfig
Office 2003 Trial Assistant
PIXresizer 2.0.4
Protector Suite 5.4
PSP Grader v005 - Lite
PSP ISO Compressor
Quicken 2006
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
sat_screensaver_30mb
SD Secure Module
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
SimCity 2000
Sonic DLA
Sonic RecordNow!
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Utilities
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Outlook 2007 Junk Email Filter (kb973514)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver
Xfire (remove only)
Yahoo! Messenger
Yahoo! Music Engine
Zuma Deluxe RA

==== End Of File ===========================


DDS (Ver_09-09-29.01) - NTFSx86
Run by Brian! at 21:27:11.81 on Tue 10/06/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.190 [GMT -4:00]

AV: avast! antivirus 4.8.1351 [VPS 091006-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Avast4\ashMaiSv.exe
C:\Program Files\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\toshiba\ivp\ism\pinger.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Documents and Settings\Brian!\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Brian!\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {b0523c97-3668-4f10-922d-0c5c2a5fa19e} - libetuka.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [Google Update] "c:\documents and settings\brian!\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Advanced Virus Remover] c:\program files\advancedvirusremover\PAVRM.exe
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.miniclip.com/games/table-tennis-tournament/en/"
mRun: [<NO NAME>]
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [PSQLLauncher] "c:\program files\protector suite ql\launcher.exe" /startup
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TFncKy] TFncKy.exe
mRun: [TPSMain] TPSMain.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [avast!] c:\progra~1\avast4\ashDisp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Bar] c:\docume~1\brian!\locals~1\temp\mirasnet.tmp
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\clear.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office2\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
Notify: igfxcui - igfxdev.dll
Notify: psfus - psqlpwd.dll
LSA: Notification Packages = scecli psqlpwd zesupoma.dll susalade.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-7-6 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-7-6 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast4\ashServ.exe [2007-1-2 138680]
R2 FdRedir;FdRedir;c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2006-5-5 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\common files\protector suite ql\drivers\filedisk.sys [2006-5-5 33024]
R2 smihlp;SMI helper driver;c:\program files\protector suite ql\smihlp.sys [2006-5-5 3456]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast4\ashMaiSv.exe [2007-1-2 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast4\ashWebSv.exe [2007-1-2 352920]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\drivers\ioport.sys --> c:\sysprep\drivers\ioport.sys [?]
S3 mbr;mbr;\??\c:\docume~1\admini~1\locals~1\temp\mbr.sys --> c:\docume~1\admini~1\locals~1\temp\mbr.sys [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\pedrv.sys --> c:\sysprep\PEDrv.sys [?]

=============== Created Last 30 ================

2009-10-06 13:37 <DIR> --ds---- C:\far
2009-10-06 13:37 389,120 a------- c:\windows\system32\CF25902.exe
2009-10-06 13:36 389,120 a------- c:\windows\system32\cmd.execf
2009-10-04 23:18 12 a------- c:\windows\dirsaver.ini
2009-09-30 18:23 <DIR> --d-h--- c:\windows\PIF
2009-09-30 17:52 <DIR> --d----- c:\docume~1\brian!\applic~1\Malwarebytes
2009-09-30 17:52 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-30 17:52 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-30 17:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-30 17:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-30 17:28 0 a------- c:\windows\system32\41.exe
2009-09-30 17:20 80 a------- C:\abcdefg.bat
2009-09-30 17:18 130 a------- c:\windows\system32\grtg
2009-09-09 14:00 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-30 22:13 1,047,076 a--sh--- c:\windows\system32\ledanozo.exe
2009-09-30 22:12 46,592 a--sh--- c:\windows\system32\barijatu.exe
2009-09-09 15:45 72,824 a------- c:\docume~1\brian!\applic~1\GDIPFONTCACHEV1.DAT
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-05 23:11 262,144 a--sh--- c:\windows\system32\bulawasi.exe
2009-07-05 23:11 52,736 a--sh--- c:\windows\system32\filokinu.dll
2009-07-05 23:11 196,608 a--sh--- c:\windows\system32\popujubi.exe
2008-11-01 15:54 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110120081102\index.dat

============= FINISH: 21:27:38.04 ===============

Edited by RealTalk, 06 October 2009 - 08:37 PM.


#14 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:05:08 PM

Posted 07 October 2009 - 12:04 AM

Is there any chance of it spreading like that even after we have destroyed it?


When we have cleaned it, there is no chance of it spreading afterwards.

Another thing, I take this computer to my university campus and use it there. I'd hate to infect the university network, any chance of that?

If this computer is used on a university network it is the other way around: it might have picked up the infection from there. And when we are done I'll tell you how safe it is. We still have some work to do.

It is time to run ComboFix with the instructions given. Please make sure Avast On-Access Protection is disabled and remains disabled while ComboFix reboots the computer. It is not enough to delay its startup. If needed, even uninstall it.
Another thing is that ComboFix needs an Internet connection to download the Recovery Console. After it has rebooted and given you the log you may enable Avast and disconnect the computer from the network.

#15 RealTalk

RealTalk
  • Topic Starter

  • Members
  • 57 posts
  • OFFLINE
  • Local time:11:08 AM

Posted 07 October 2009 - 08:58 AM

When I went to run ComboFix, I got an error message right when the blue "Please wait combo fix is preparing to run" screen came up.

Message said:

SWREG.cfxxe - Bad Image
The application or dll c:/windows/system32/susalade.dll is not a valid windows image. Please check this against your installation diskette.

I clicked OK a few times and the scan went on; it's scanning right now.

Finished, here's the log:

ComboFix 09-10-06.04 - Brian! 10/07/2009 10:01.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.229 [GMT -4:00]
Running from: c:\documents and settings\Brian!\Desktop\far.exe
AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-3189052832-4293742930-2107519714-1003
c:\windows\system32\41.exe
c:\windows\system32\barijatu.exe
c:\windows\system32\filokinu.dll
c:\windows\system32\ledanozo.exe
c:\windows\system32\susalade.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.

2009-10-06 21:44 . 2009-10-06 21:44 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-30 22:23 . 2009-10-06 17:20 -------- d--h--w- c:\windows\PIF
2009-09-30 22:20 . 2009-10-06 20:32 -------- d-----w- c:\documents and settings\Administrator
2009-09-30 21:52 . 2009-09-30 21:52 -------- d-----w- c:\documents and settings\Brian!\Application Data\Malwarebytes
2009-09-30 21:52 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-30 21:52 . 2009-10-06 21:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-30 21:52 . 2009-09-30 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-30 21:52 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-30 21:20 . 2009-09-30 21:20 80 ----a-w- C:\abcdefg.bat
2009-09-09 18:00 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-07 13:52 . 2007-01-03 03:47 -------- d-----w- c:\program files\Avast4
2009-09-16 20:10 . 2009-05-20 21:02 10 ----a-w- c:\windows\popcinfo.dat
2009-09-11 17:09 . 2008-10-11 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-04 13:10 . 2009-09-04 13:07 -------- d-----w- c:\program files\abgx360
2009-09-04 02:16 . 2009-09-04 02:14 -------- d-----w- c:\documents and settings\Brian!\Application Data\ImgBurn
2009-09-04 01:45 . 2009-09-04 01:45 -------- d-----w- c:\program files\ImgBurn
2009-09-04 01:29 . 2009-09-04 01:29 -------- d-----w- c:\program files\SlySoft
2009-08-26 21:20 . 2009-08-26 05:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-26 12:45 . 2009-08-26 12:45 -------- d-----w- c:\program files\PIXresizer
2009-08-26 05:11 . 2006-01-19 04:53 -------- d-----w- c:\program files\Yahoo!
2009-08-24 12:37 . 2009-08-24 12:37 -------- d-----w- c:\documents and settings\Brian!\Application Data\Canneverbe_Limited
2009-08-24 12:37 . 2009-08-24 12:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2009-08-24 12:37 . 2009-08-24 12:36 -------- d-----w- c:\program files\CDBurnerXP
2009-08-23 15:13 . 2006-12-25 14:02 72824 ----a-w- c:\documents and settings\Brian!\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-23 15:03 . 2009-08-23 15:03 -------- d-----w- c:\program files\MSBuild
2009-08-23 15:02 . 2009-08-23 15:02 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2006-01-19 02:02 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2006-01-19 02:01 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2006-01-19 02:03 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-06 03:11 . 2009-07-06 03:11 262144 --sha-w- c:\windows\system32\bulawasi.exe
2009-07-06 03:11 . 2009-07-06 03:11 196608 --sha-w- c:\windows\system32\popujubi.exe
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-01-17 486856]
"Google Update"="c:\documents and settings\Brian!\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-08-23 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-05-06 30208]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-17 761945]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-15 257088]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-15 88203]
"NDSTray.exe"="NDSTray.exe" [BU]
"TFncKy"="TFncKy.exe" [BU]
"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office2\Office10\OSA.EXE [2001-2-13 83360]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-1-18 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-05-06 01:48 40448 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\java.exe"=

R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [5/5/2006 10:00 PM 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [5/5/2006 9:59 PM 33024]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [5/5/2006 9:33 PM 3456]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2008-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 22:42]

2009-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2600790903-3151073113-1400925087-1006Core.job
- c:\documents and settings\Brian!\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-23 15:29]

2009-09-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2600790903-3151073113-1400925087-1006UA.job
- c:\documents and settings\Brian!\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-23 15:29]

2006-12-25 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-01-19 00:12]

2006-12-25 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-01-19 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

BHO-{b0523c97-3668-4f10-922d-0c5c2a5fa19e} - libetuka.dll
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\clear.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-07 10:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\mysafe.dll
c:\program files\Protector Suite QL\crypto.dll

- - - - - - - > 'lsass.exe'(916)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll

- - - - - - - > 'explorer.exe'(3720)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\wdfmgr.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-10-07 10:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-07 14:12

Pre-Run: 15,592,161,280 bytes free
Post-Run: 15,542,693,888 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
231 --- E O F --- 2009-09-11 17:13

Edited by RealTalk, 07 October 2009 - 09:15 AM.