
DDS and Root Repeal Attached


This topic is locked
4 replies to this topic

#1 xJimba1

  • Members
  • 9 posts
  • OFFLINE
  • Location: Rahway, NJ
  • Local time: 08:04 AM

Posted 07 October 2009 - 08:19 AM

Hello, Garmanma was nice enough to try and help and asked that I continue my posting in this forum. I think most items were cleaned with Malwarebytes, but there are still some left over. I haven't run anything else since these logs were created. Thanks in advance.

*** DDS ***

DDS (Ver_09-09-29.01) - NTFSx86
Run by Administrator at 8:49:16.62 on Wed 10/07/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.204 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.morrisville.edu/
mSearchAssistant = hxxp://home.peoplepc.com/search
TB: Viewpoint Toolbar: {f8ad5aa5-d966-4667-9daf-2561d68b2012} - c:\program files\viewpoint\viewpoint toolbar\ViewBar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ibmmessages] c:\program files\ibm\messages by ibm\ibmmessages.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [calc] rundll32.exe c:\docume~1\locals~1\ntuser.dll,_IWMPEvents@0
mRun: [SynTPLpr] "c:\program files\synaptics\syntp\SynTPLpr.exe"
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [BMMGAG] RunDll32 c:\progra~1\thinkpad\utilit~1\pwrmonit.dll,StartPwrMonitor
mRun: [BMMLREF] "c:\program files\thinkpad\utilities\BMMLREF.EXE"
mRun: [EZEJMNAP] "c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe"
mRun: [QCWLICON] c:\program files\thinkpad\connectutilities\QCWLICON.EXE
mRun: [TPHOTKEY] "c:\progra~1\thinkpad\pkgmgr\hotkey\TPHKMGR.exe"
mRun: [TPKMAPHELPER] "c:\program files\thinkpad\utilities\TpKmapAp.exe" -helper
mRun: [HPDJ Taskbar Utility] "c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [DeviceDiscovery] "c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AS00_WPN511] "c:\program files\netgear\wpn511\utility\WPN511.exe" -hide
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [calc] rundll32.exe c:\windows\system32\calc.dll,_IWMPEvents@0
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\zztoy\mbam.exe" /runcleanupscript
mRun: [Mhavo] rundll32.exe "c:\windows\iwuziguqu.dll",Startup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234395847993
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38190.3241550926
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4.1/jinstall-141-win.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\progra~1\markany\conten~1\MACSMA~1.DLL

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
R1 IBMTPCHK;IBMTPCHK;c:\windows\system32\drivers\IBMBLDID.SYS [2004-7-24 2295]
R1 TPPWR;TPPWR;c:\windows\system32\drivers\TPPWR.SYS [2004-7-24 15360]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-7-30 161064]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]
R3 NETGEAR_WPN511_SERVICE;NETGEAR WPN511 Wireless Adapter Service;c:\windows\system32\drivers\wpn511.sys [2007-7-31 449888]
S3 ANC;ANC;c:\windows\system32\drivers\ANC.sys [2004-7-24 9600]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2007-7-31 16194]
S3 RayLink;Raytheon RayLink WireLess PCMCIA LAN Adapter Driver;c:\windows\system32\drivers\wlandrv2.sys [2004-7-27 34890]
S4 Mstsipame;Mstsipame; [x]
S4 WebrootSpySweeperService;Webroot Spy Sweeper Engine;"c:\program files\webroot\spy sweeper\spysweeper.exe" --> c:\program files\webroot\spy sweeper\SpySweeper.exe [?]
S4 WRConsumerService;Webroot Client Service;"c:\program files\webroot\webrootsecurity\wrconsumerservice.exe" --> c:\program files\webroot\webrootsecurity\WRConsumerService.exe [?]

=============== Created Last 30 ================

2009-10-06 16:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-10-06 14:34 <DIR> --d----- c:\windows\pss
2009-10-06 14:34 <DIR> --d----- C:\EmergencyUtils
2009-10-06 12:10 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-10-06 11:42 2,709 a------- c:\windows\system32\evebxasus.dat
2009-10-06 11:16 <DIR> --d----- c:\program files\zztoy
2009-10-06 10:36 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-06 10:36 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-06 10:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-05 15:44 25,126 a------- C:\vsoq.exe
2009-10-05 15:43 5,120 a------- C:\efbcmkj.exe
2009-10-05 15:40 <DIR> --d----- c:\program files\CCleaner
2009-10-01 15:59 396,288 a------- C:\HijackThis.exe
2009-10-01 15:39 2,184 a------- c:\windows\system32\wpa.dbl
2009-10-01 13:13 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2009-10-01 11:20 <DIR> --d----- C:\help
2009-09-29 19:15 12,724 a------- c:\windows\pululak.sys
2009-09-29 19:15 11,050 a------- c:\windows\aqurizipeh.lib
2009-09-29 19:15 10,754 a------- c:\windows\ohujuceba._sy
2009-09-28 19:48 120 a------- c:\windows\Ayezuvekanuga.dat
2009-09-28 19:48 0 a------- c:\windows\Ljedoxevokoxaxe.bin
2009-09-27 21:15 16,986 a------- c:\windows\rapyh.ban
2009-09-27 21:15 16,763 a------- c:\windows\falo.bin
2009-09-27 21:15 14,644 a------- c:\windows\bidogoleg.lib
2009-09-27 21:15 13,908 a------- c:\windows\vulones.db
2009-09-27 21:15 12,309 a------- c:\windows\yracybehe.pif
2009-09-27 21:15 11,420 a------- c:\windows\wyvy.dat
2009-09-27 21:15 10,726 a------- c:\windows\ekejavyzig.scr
2009-09-27 15:17 164 a------- C:\install.dat
2009-09-27 12:35 15,630 a------- c:\windows\ybocuzyfu.db
2009-09-27 12:35 15,462 a------- c:\windows\yrykyx.scr
2009-09-27 12:35 14,288 a------- c:\windows\odoha.lib
2009-09-27 12:35 13,106 a------- c:\windows\ysahewe.ban
2009-09-27 12:35 12,881 a------- c:\windows\ojoqebyn.dll
2009-09-27 12:35 12,533 a------- c:\windows\nobid.dat
2009-09-27 12:35 11,309 a------- c:\windows\ynyruqejon.exe
2009-09-27 11:34 16,270 a------- c:\windows\hohawalydi.dat
2009-09-27 11:34 12,900 a------- c:\windows\cagi.lib
2009-09-27 11:34 12,145 a------- c:\windows\roqaw.db
2009-09-25 22:33 <DIR> a-d----- c:\windows\system32\images
2009-09-25 22:27 19,756 a------- c:\windows\furepufen.bat
2009-09-25 22:27 14,281 a------- c:\windows\igagun.dll
2009-09-25 22:27 11,864 a------- c:\windows\uxapacow.scr
2009-09-25 22:27 11,466 a------- c:\windows\inenyz._dl
2009-09-25 22:27 11,283 a------- c:\windows\cijolujyk.dat
2009-09-25 22:27 10,798 a------- c:\windows\nuked._dl
2009-09-25 22:18 46 a------- C:\p2hhr.bat
2009-09-14 21:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\acccore
2009-09-14 21:47 <DIR> --d----- c:\program files\common files\AOL
2009-09-14 21:47 <DIR> --d----- c:\program files\AIM6
2009-09-14 21:47 358 a---h--- C:\IPH.PH
2009-09-14 20:06 627,864 a----r-- c:\windows\system32\drivers\lvrs.sys
2009-09-14 20:06 25,974 a----r-- c:\windows\system32\Repository.reg
2009-09-14 20:05 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-09-14 20:05 195,096 a----r-- c:\windows\system32\lvci11801048.dll
2009-09-14 20:05 66,482 a----r-- c:\windows\system32\lvcoinst.ini
2009-09-14 20:05 41,752 a----r-- c:\windows\system32\drivers\LVUSBSta.sys
2009-09-14 20:05 490,008 a----r-- c:\windows\system32\LVUI2.dll
2009-09-14 20:05 465,432 a----r-- c:\windows\system32\LVUI2RC.dll
2009-09-14 20:05 416,280 a----r-- c:\windows\system32\lvcodec2.dll
2009-09-14 20:05 4,658,584 a----r-- c:\windows\system32\drivers\lvuvc.sys
2009-09-14 20:05 20,992 ac------ c:\windows\system32\dllcache\dshowext.ax
2009-09-14 20:05 20,992 a------- c:\windows\system32\dshowext.ax
2009-09-14 20:04 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-09-14 20:04 23,832 a----r-- c:\windows\system32\drivers\lvuvcflt.sys

==================== Find3M ====================

2008-02-08 20:08 14,122,018 a------- c:\program files\kmp player.exe
2007-01-08 14:50 315,624 a------- c:\program files\directx 9.0.exe
2007-01-05 15:44 62,086,456 a------- c:\program files\directx_dec2006_redist.exe
2006-01-02 21:24 11,817,800 a------- c:\program files\GoogleEarthSetup.exe
2004-11-19 16:04 5,707,543 a------- c:\program files\SnoodSetup.exe

============= FINISH: 8:49:42.03 ===============


*** Root Repeal ***

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/06 16:20
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xBAB4D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8DDB000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB76D4000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\msdownld.tmp\msdownld.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\speech\speech
Status: Locked to the Windows API!

Path: C:\WINDOWS\ftpcache\ftpcache
Status: Locked to the Windows API!

Path: C:\WINDOWS\setup.pss\setup.pss
Status: Locked to the Windows API!

Path: C:\WINDOWS\Config\Config
Status: Locked to the Windows API!

Path: C:\WINDOWS\Connection Wizard\Connection Wizard
Status: Locked to the Windows API!

Path: C:\WINDOWS\addins\addins
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\calc.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\ntuser.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\LocalService\ntuser.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\NetworkService\ntuser.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB928090\KB928090
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB932168\KB932168
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB933566\KB933566
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB933729\KB933729
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d1\d1
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d2\d2
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d3\d3
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d4\d4
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d5\d5
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d6\d6
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d7\d7
Status: Locked to the Windows API!

Path: C:\WINDOWS\CSC\d8\d8
Status: Locked to the Windows API!

Path: C:\WINDOWS\Registration\CRMLog\CRMLog
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\temp\temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\tmp\tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Cache\Adobe Reader 6.0.1\Adobe Reader 6.0.1
Status: Locked to the Windows API!

Path: C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Status: Locked to the Windows API!

Path: c:\windows\system32\restore\machineguid.txt
Status: Allocation size mismatch (API: 0, Raw: 8)

Path: C:\WINDOWS\Temp\TempFolder.aau\TempFolder.aau
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aaa\TempFolder.aaa
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aab\TempFolder.aab
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aac\TempFolder.aac
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aad\TempFolder.aad
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aae\TempFolder.aae
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aaf\TempFolder.aaf
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aag\TempFolder.aag
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aah\TempFolder.aah
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aai\TempFolder.aai
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aaj\TempFolder.aaj
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aak\TempFolder.aak
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aal\TempFolder.aal
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aam\TempFolder.aam
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aan\TempFolder.aan
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aao\TempFolder.aao
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aaq\TempFolder.aaq
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aar\TempFolder.aar
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aas\TempFolder.aas
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aat\TempFolder.aat
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aap\TempFolder.aap
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abz\TempFolder.abz
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aca\TempFolder.aca
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acb\TempFolder.acb
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acc\TempFolder.acc
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acd\TempFolder.acd
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.ace\TempFolder.ace
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acf\TempFolder.acf
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acg\TempFolder.acg
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.ach\TempFolder.ach
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aci\TempFolder.aci
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acj\TempFolder.acj
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.ack\TempFolder.ack
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acl\TempFolder.acl
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acm\TempFolder.acm
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acn\TempFolder.acn
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aco\TempFolder.aco
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acp\TempFolder.acp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acr\TempFolder.acr
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acs\TempFolder.acs
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.act\TempFolder.act
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acu\TempFolder.acu
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acv\TempFolder.acv
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acw\TempFolder.acw
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acx\TempFolder.acx
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acy\TempFolder.acy
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acz\TempFolder.acz
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.ada\TempFolder.ada
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adb\TempFolder.adb
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adc\TempFolder.adc
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.add\TempFolder.add
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.ade\TempFolder.ade
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adf\TempFolder.adf
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adg\TempFolder.adg
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adh\TempFolder.adh
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adj\TempFolder.adj
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adk\TempFolder.adk
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adl\TempFolder.adl
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adm\TempFolder.adm
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adn\TempFolder.adn
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.ado\TempFolder.ado
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adp\TempFolder.adp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adq\TempFolder.adq
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adr\TempFolder.adr
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.ads\TempFolder.ads
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adt\TempFolder.adt
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adu\TempFolder.adu
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adv\TempFolder.adv
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adw\TempFolder.adw
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adx\TempFolder.adx
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.ady\TempFolder.ady
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adz\TempFolder.adz
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aea\TempFolder.aea
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aeb\TempFolder.aeb
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aec\TempFolder.aec
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abh\TempFolder.abh
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abi\TempFolder.abi
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abj\TempFolder.abj
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abk\TempFolder.abk
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abl\TempFolder.abl
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abm\TempFolder.abm
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abn\TempFolder.abn
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abo\TempFolder.abo
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abp\TempFolder.abp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abq\TempFolder.abq
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abr\TempFolder.abr
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abs\TempFolder.abs
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abt\TempFolder.abt
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abu\TempFolder.abu
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abv\TempFolder.abv
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abw\TempFolder.abw
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abx\TempFolder.abx
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abg\TempFolder.abg
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aby\TempFolder.aby
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.acq\TempFolder.acq
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.adi\TempFolder.adi
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aav\TempFolder.aav
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aaw\TempFolder.aaw
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aax\TempFolder.aax
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aay\TempFolder.aay
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aaz\TempFolder.aaz
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.aba\TempFolder.aba
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abb\TempFolder.abb
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abc\TempFolder.abc
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abd\TempFolder.abd
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abe\TempFolder.abe
Status: Locked to the Windows API!

Path: C:\WINDOWS\Temp\TempFolder.abf\TempFolder.abf
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp98\imejp98
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\trustlib\trustlib
Status: Locked to the Windows API!

Path: C:\WINDOWS\msapps\msinfo\msinfo
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\Temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\Sun\Java\Deployment\Deployment
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\chsime\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\CHTIME\Applets\Applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imjp8_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imkr6_1\dicts\dicts
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\shared\res\res
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCH
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFiles
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUs
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\Temp\Temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\0bfb0fd6d1529228f4175fc177388244\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\191c899196624d7a81a735dad2332655\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\88fdd08cff3165ea248229dabb1bb718\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\9093e8d3e790b5dec631e4416d3eb283\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\c9bf12dbe4014749ca9bd94c51618107\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\cadf7c8240793a561791dc3bd3e91a5e\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\6ddf94f5c8129ac27a2cd55cfb9e0783\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\e85f60fa51e40d03873c40d08cf4725c\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\Config\CheckPoint\CheckPoint
Status: Locked to the Windows API!

Path: C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFS
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\scandisk.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\scandisk.lnk
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk
Status: Invisible to the Windows API!

SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8330ee40

#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x833e9348

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x833e4460

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x833aa180

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8335d1d8

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x833e92d0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x8331f130

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x8330eeb8

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x8330ed50

#: 192 Function Name: NtRenameKey
Status: Hooked by "<unknown>" at address 0x833ab148

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8330efa8

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x833df1e8

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x833e7d10

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8330e020

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x833ee0f8

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x833971e8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8330ef30

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x833a9898

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8335e8b0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8330edc8

Stealth Objects
-------------------
Object: Hidden Module [Name: evebxasus.dll]
Process: Explorer.EXE (PID: 1476) Address: 0x03290000 Size: 319488

Object: Hidden Module [Name: evebxasus.dll]
Process: IEXPLORE.EXE (PID: 3468) Address: 0x01950000 Size: 319488

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x82b20898 Size: 1896

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8302ceb0 Size: 336

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x830309a0 Size: 589

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x8302ca40 Size: 162

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x83035b38 Size: 1002

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x83037eb0 Size: 337

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82f87198 Size: 3042

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x82f851b0 Size: 2401

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x82b1e998 Size: 1640

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82b1e920 Size: 1760

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82b1e8a8 Size: 1880

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82b1db68 Size: 448

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82b1daf0 Size: 568

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82b1da78 Size: 688

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82b1da00 Size: 808

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82b1d988 Size: 928

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82b1d910 Size: 1048

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82b1d898 Size: 1168

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x82b1cfa8 Size: 88

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x82b1cf30 Size: 208

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82b1ceb8 Size: 328

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82b1ce40 Size: 448

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x82b1cdc8 Size: 568

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82b1cd50 Size: 688

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x82b1ccd8 Size: 808

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82b1cc60 Size: 928

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82b1cbe8 Size: 1048

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x82b1cb70 Size: 1168

==EOF==

#2 xJimba1

xJimba1
  • Topic Starter
  • Members
  • 9 posts
  • Location:Rahway, NJ
  • Local time:08:04 AM

Posted 07 October 2009 - 02:28 PM

I am also going to post my Malwarebytes log. These few items just won't go away. Delete after reboot doesn't work... Even after deleting from the registry manually they pop right back. Thanks!

Malwarebytes' Anti-Malware 1.41
Database version: 2916
Windows 5.1.2600 Service Pack 3

10/7/2009 3:25:01 PM
mbam-log-2009-10-07 (15-25-01).txt

Scan type: Full Scan (C:\|)
Objects scanned: 173264
Time elapsed: 41 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\calc (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\calc.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Administrator\ntuser.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\scandisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\scandisk.lnk (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.

Hello xJimba1,

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member looking for a new log to work on may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not make multiple posts here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Regards,

The weatherman
(Moderator)

Edited by The weatherman, 08 October 2009 - 05:18 PM.


#3 xJimba1

xJimba1
  • Topic Starter
  • Members
  • 9 posts
  • Location:Rahway, NJ
  • Local time:08:04 AM

Posted 09 October 2009 - 07:49 AM

Sorry for the extra posts, but I was trying to update the info I added and couldn't find an edit feature. In any event, I was able to clear the PC so the call can be closed. Thanks for the help and I'm sure I will be posting again.

#4 Blade81

Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:04:04 PM

Posted 17 October 2009 - 04:05 AM

Hi,

Sorry for the delayed response. Forums have been really busy. If you still need help with this, post a fresh DDS log, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#5 Blade81

Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:04:04 PM

Posted 25 October 2009 - 08:59 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.
