
Security Tool, Haxdoor E, referred here...



#1 frostybaby13

  • Members
  • 7 posts

Posted 07 October 2009 - 09:22 PM

Hello! I appreciate your time and any help offered. :(

I was referred here from the "Am I Infected" section of the forum. I'm copying and pasting the logs I posted there (as I was told).

A synopsis of the trouble: My antivirus showed Haxdoor E; when I rebooted, the Security Tool had flooded my computer - symptoms: blank desktop (black) and no icons. MBAM and Dr.Web CureIt won't run in safe or regular mode, and renaming does not work. Process Explorer allowed me to delete the Security Tool file, so I now have my desktop and icons back - but searches continuously redirect, fake security alerts continue to try and download, and - I use my computer for gaming - several games (not played online) are behaving strangely, or are not able to load expansion packs (installing issues), and MBAM & others are still disabled. Although I titled my initial post "Haxdoor E, and Security Tool" because those were the names I saw in my CA scan, and the Security Tool program itself - I suspect these might be carrying over from the virus I had several months ago and thought I'd cleared. Going 3 years without any type of trojan or virus and suddenly sprouting several in a few months led me to this conclusion. <-- so I'm not sure what to title the virus. Is it the initial "Vundo" I thought I'd cleared months back, or is it these new incarnations?

Any help would be greatly appreciated. :(


DDS (Ver_09-09-29.01) - NTFSx86
Run by HP_Administrator at 21:34:11.50 on Wed 10/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1370 [GMT -5:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\America Online 9.0\waol.exe
C:\PROGRA~1\COMMON~1\AOL\123441~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\123441~1\EE\AOLServiceHost.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant = hxxp://www.google.com
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [AOL Fast Start] "c:\program files\america online 9.0\AOL.EXE" -b
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [cctray] c:\program files\ca\ca internet security suite\casc.exe
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [CAPPActiveProtection] "c:\program files\ca\ca internet security suite\ca anti-spyware\CAPPActiveProtection.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PCDrProfiler]
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [nanufarip] Rundll32.exe "c:\windows\system32\ruhegozi.dll",a
mExplorerRun: [ZboardTray] "c:\program files\ideazon\zboard software\driver\ZboardTray.exe" /autolaunch
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {3C25C0DB-6B23-43A7-B43D-5F78401D3F81} = 205.188.146.145
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxdev.dll
Notify: PFW - UmxWnp.Dll
Notify: Zboard - Winlognotif.dll
AppInit_DLLs: c:\windows\system32\webomeru.dll c:\windows\system32\ruhegozi.dll,lanimaye.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: fulebapev - {6f42ebff-22b4-4584-b8fb-3b7d117a67d8} - c:\windows\system32\webomeru.dll
SSODL: tukafakam - {b60d5f16-dbb6-41e7-96ed-c25aff45d3dd} - c:\windows\system32\ruhegozi.dll
STS: kupuhivus: {6f42ebff-22b4-4584-b8fb-3b7d117a67d8} - c:\windows\system32\webomeru.dll
STS: kupuhivus: {b60d5f16-dbb6-41e7-96ed-c25aff45d3dd} - c:\windows\system32\ruhegozi.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli najihate.dll

============= SERVICES / DRIVERS ===============

R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2009-1-5 107512]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2008-11-18 72696]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2009-2-19 26352]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2009-2-19 21104]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2009-2-19 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2009-2-19 21488]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-2-19 161008]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2009-2-19 144696]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2009-2-19 128240]
R2 ISD;Intel® 82802 Firmware Hub Device (Intel® Security Driver);c:\windows\system32\drivers\ISECDRV.SYS [2009-2-20 32108]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2008-12-12 1153528]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2008-12-10 797176]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2008-12-19 297464]
R2 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2009-2-19 292080]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2008-12-12 205304]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2009-2-19 108368]
S2 oxyogahz;oxyogahz;\??\c:\windows\system32\drivers\mkgwqswuggnm.sys --> c:\windows\system32\drivers\mkgwqswuggnm.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]
S4 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2009-2-19 222448]

=============== Created Last 30 ================

2009-10-07 20:40 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2009-10-07 19:11 2,713 ---sh--- c:\windows\system32\higarebu.exe
2009-10-07 00:42 <DIR> --d----- c:\program files\Interplay
2009-10-06 20:21 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\gnupg
2009-10-06 09:41 552 a------- c:\windows\system32\d3d8caps.dat
2009-10-06 00:22 2,713 ---sh--- c:\windows\system32\foromeva.exe
2009-10-05 20:23 <DIR> --d----- c:\program files\2K Games
2009-10-05 18:42 1,123,696 a------- c:\windows\system32\D3DCompiler_33.dll
2009-10-05 18:42 443,752 a------- c:\windows\system32\d3dx10_33.dll
2009-10-05 18:42 81,768 a------- c:\windows\system32\xinput1_3.dll
2009-10-05 18:42 3,495,784 a------- c:\windows\system32\d3dx9_33.dll
2009-10-05 18:42 <DIR> --d----- c:\windows\system32\xlive
2009-10-05 18:23 <DIR> --d----- c:\windows\system32\appmgmt
2009-10-05 14:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-10-05 14:38 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-10-05 14:38 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\SUPERAntiSpyware.com
2009-10-05 14:37 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-10-05 04:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\F-Secure
2009-10-05 02:17 <DIR> --d-h--- c:\windows\PIF
2009-10-04 19:42 61,440 a------- c:\windows\system32\drivers\mblrbz.sys
2009-10-04 19:42 61,440 a------- c:\windows\system32\drivers\bvzrk.sys
2009-09-21 16:04 153,088 -------- c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-10-01 14:26 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-08-12 00:00 161,008 a------- c:\windows\system32\drivers\vetmonnt.sys
2009-08-12 00:00 111,856 a------- c:\windows\system32\isafprod.dll
2009-08-12 00:00 26,352 a------- c:\windows\system32\drivers\vet-filt.sys
2009-08-12 00:00 21,488 a------- c:\windows\system32\drivers\vetfddnt.sys
2009-08-12 00:00 21,104 a------- c:\windows\system32\drivers\vet-rec.sys
2009-08-12 00:00 820,464 a------- c:\windows\system32\ppctl.dll
2009-08-05 04:01 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\mswebdvd.dll
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 08:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 14:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 10,841,088 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-12 05:04 944 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2009-07-10 08:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-07-05 04:20 1,048,611 a--sh--- c:\windows\system32\daharubo.exe
2009-07-06 20:25 51,712 a--sh--- c:\windows\system32\gazeyuha.dll
2009-07-06 20:26 51,712 a--sh--- c:\windows\system32\lanimaye.dll
2009-07-05 04:20 49,664 a--sh--- c:\windows\system32\layepezo.dll
2009-07-06 20:25 38,400 a--sh--- c:\windows\system32\lipegudi.dll
2009-07-06 20:26 51,712 a--sh--- c:\windows\system32\najihate.dll
2009-07-04 09:17 3 a--sh--- c:\windows\system32\rojayefi.dll
2009-07-06 20:25 88,064 a--sh--- c:\windows\system32\ruhegozi.dll
2009-07-06 20:26 51,712 a--sh--- c:\windows\system32\tipiyipo.dll
2009-07-04 09:17 1,048,099 a--sh--- c:\windows\system32\yomoviya.exe
2009-07-06 20:25 27,136 a--sh--- c:\windows\system32\zomutaho.dll

============= FINISH: 21:34:55.00 ===============



Here's the info you requested. PEEKBAT LOG:

Volume in drive C is HP_PAVILION
Volume Serial Number is 9CE9-DC28

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/09/2004 11:00 PM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/09/2004 11:00 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/09/2004 11:00 PM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\system32

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 134,936,219,648 bytes free



Now here's the ROOT REPEAL LOG:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/06 21:12
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB5918000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA62C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP7130
Image Path: \Driver\PCI_PNP7130
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB1484000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spkb.sys
Image Path: spkb.sys
Address: 0xB9EAA000 Size: 1036288 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\temp\~df763c.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\windows\temp\~dfac8d.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\hp_administrator\local settings\temp\~df3878.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\hp_administrator\local settings\temp\~df2697.tmp
Status: Allocation size mismatch (API: 16384, Raw: 0)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spkb.sys" at address 0xb9eab0e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spkb.sys" at address 0xb9ec8ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spkb.sys" at address 0xb9ec9030

#: 119 Function Name: NtOpenKey
Status: Hooked by "spkb.sys" at address 0xb9eab0c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spkb.sys" at address 0xb9ec9108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spkb.sys" at address 0xb9ec8f88

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\kmxagent.sys" at address 0xb5cb7ce8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spkb.sys" at address 0xb9ec919a

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xb34270b0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8ad1f1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x8a24d1f8 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_CREATE]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_CLOSE]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_READ]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_WRITE]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_CLEANUP]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: Udfsࠅ乖睥ࠁᰑ詐詯̆ā , IRP_MJ_PNP]
Process: System Address: 0x8a8de500 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_CREATE]
Process: System Address: 0x8a8351f8 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_CLOSE]
Process: System Address: 0x8a8351f8 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8351f8 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8351f8 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_POWER]
Process: System Address: 0x8a8351f8 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8351f8 Size: 121

Object: Hidden Code [Driver: 0000, IRP_MJ_PNP]
Process: System Address: 0x8a8351f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a84b1f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System Address: 0x8a8df500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System Address: 0x8a8df500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System Address: 0x8a8df500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System Address: 0x8a8df500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8df500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8df500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System Address: 0x8a8df500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8df500 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System Address: 0x8a8df500 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8ad931f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8a9011f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8a9011f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a9011f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a9011f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8a9011f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a9011f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8a9011f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8a73d500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8a73d500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a73d500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a73d500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8a73d500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8a73d500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a8e9500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a8e9500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8e9500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8e9500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a8e9500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8e9500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a8e9500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_CREATE]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_CLOSE]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_READ]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_CLEANUP]
Process: System Address: 0x8a8e0500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_PNP]
Process: System Address: 0x8a8e0500 Size: 121

==EOF==

As for my personal progress…10/6/09 - I was able to run the SuperAntiSpyware program in safe mode, and get the logs. I ran it, it found 1 in memory and about 5 in registry. When I let it quarantine and reboot - Windows would not start. It made me select “last known good config”. So I went back into safe mode and ran it again, and those same files it had quarantined before were there. I ran it several times in a row, always checking if I could get back into Windows normally after running it (no) and was always prompted to go back to last known good configuration.

The only rule against posting logs is the combo fix, so I am assuming it's okay to post this one for the added info of infected files that won't seem to budge. If this info should not be included, I'll remove.
(This is the shortest one - a custom scan - I ran to highlight the 'problem files' that have appeared during each run.)

Application Version : 4.29.1002

Core Rules Database Version : 4146
Trace Rules Database Version: 2076

Scan type : Custom Scan
Total Scan Time : 00:07:04

Memory items scanned : 239
Memory threats detected : 1
Registry items scanned : 6689
Registry threats detected : 5
File items scanned : 0
File threats detected : 1

Adware.Vundo/Variant[1004]
C:\WINDOWS\SYSTEM32\BAHEZIDO.DLL
C:\WINDOWS\SYSTEM32\BAHEZIDO.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{6584587c-6110-43ef-912c-1d24d34feb6f}
HKCR\CLSID\{6584587C-6110-43EF-912C-1D24D34FEB6F}
HKCR\CLSID\{6584587c-6110-43ef-912c-1d24d34feb6f}\InprocServer32
HKCR\CLSID\{6584587c-6110-43ef-912c-1d24d34feb6f}\InprocServer32#ThreadingModel
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#suyegonuj

Thanks again! :D

*edit to add in the hijack files. Sorry it's so long, if I should erase the others let me know

Edited by frostybaby13, 07 October 2009 - 09:44 PM.
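For readers working through a RootRepeal log like the one above, the following is an added example (not part of the original post and not RootRepeal's own code) showing how a responder can summarize the "Hidden Code" entries instead of reading hundreds of them by hand. It pairs each Object/Process line, groups hooks by driver, strips the trailing garbage the tool printed after "Cdfs", and reports per driver how many IRP_MJ_* dispatch entries are hooked, how many distinct hook addresses appear, and whether every driver got the same patch size. The embedded log excerpt is constructed from a handful of entries copied from the post; the constant 28 is the number of IRP major function codes (IRP_MJ_MAXIMUM_FUNCTION is 0x1b), which is why the full MRxSmb block in the log runs to exactly 28 entries.

```python
import re
from collections import defaultdict

# Number of IRP_MJ_* major function codes: IRP_MJ_MAXIMUM_FUNCTION (0x1b) + 1.
IRP_MJ_COUNT = 28

# Constructed excerpt in the shape of the RootRepeal "Hidden Code" entries
# quoted in the post (a few entries copied, not the whole log).
SAMPLE_LOG = """\
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8ad221f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8a73d500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8a73d500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8a90c1f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅ乖睥ࠁః瑎て, IRP_MJ_CREATE]
Process: System Address: 0x8a8e0500 Size: 121

==EOF==
"""

# One entry is an "Object:" line immediately followed by its "Process:" line.
ENTRY_RE = re.compile(
    r"Object: Hidden Code \[Driver: (?P<driver>[^,\]]+), (?P<irp>IRP_MJ_\w+)\]\s+"
    r"Process: (?P<process>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)"
)


def clean_driver_name(name):
    """Drop everything from the first non-printable/non-ASCII character on.

    RootRepeal printed memory garbage after "Cdfs" in this log; the real
    driver name is the printable prefix."""
    return re.sub(r"[^\x20-\x7e].*", "", name).strip()


def parse_hidden_code(text):
    """Return one dict per Hidden Code entry found in the log text."""
    return [
        {
            "driver": clean_driver_name(m["driver"]),
            "irp": m["irp"],
            "process": m["process"],
            "addr": int(m["addr"], 16),
            "size": int(m["size"]),
        }
        for m in ENTRY_RE.finditer(text)
    ]


def analyze(text):
    """Summarize hooks per driver and flag log-wide patterns.

    A single hook address per driver, the same patch size across unrelated
    drivers, and full dispatch-table coverage are what a single kernel
    component hooking many drivers looks like in this kind of output."""
    entries = parse_hidden_code(text)
    groups = defaultdict(lambda: {"addrs": set(), "irps": set(), "hooks": 0})
    for e in entries:
        g = groups[e["driver"]]
        g["addrs"].add(e["addr"])
        g["irps"].add(e["irp"])
        g["hooks"] += 1

    per_driver = {
        drv: {
            "hooks": g["hooks"],
            "distinct_addrs": len(g["addrs"]),
            "coverage": round(len(g["irps"]) / IRP_MJ_COUNT, 3),
        }
        for drv, g in groups.items()
    }
    sizes = {e["size"] for e in entries}
    return {
        "entries": len(entries),
        "drivers": per_driver,
        # Same patch size everywhere -> one value; otherwise None.
        "uniform_size": next(iter(sizes)) if len(sizes) == 1 else None,
        "drivers_with_single_handler": sorted(
            d for d, g in groups.items() if len(g["addrs"]) == 1
        ),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{result['entries']} hooked dispatch entries, "
          f"uniform patch size: {result['uniform_size']}")
    for drv, info in sorted(result["drivers"].items()):
        print(f"  {drv:8} hooks={info['hooks']:2} "
              f"addrs={info['distinct_addrs']} coverage={info['coverage']:.0%}")
```

Run against the full log from the post instead of the excerpt, the per-driver coverage for MRxSmb comes out at 100%, since every one of the 28 major functions is listed; that is the figure worth putting in a reply, rather than the raw entries.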


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:03:50 PM

Posted 24 October 2009 - 08:48 AM

Hello frostybaby13

Welcome to BleepingComputer :(
==========================
  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.
===========
Download This file. Note its name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "Yes" to begin the scan.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here



