
Infected with backdoor, waxfhosk, haypsixd, and other viruses


  • This topic is locked
2 replies to this topic

#1 blaster451

blaster451

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:06 PM

Posted 29 December 2009 - 01:29 AM

Hi folks,

I am not sure whether this topic forum or the HJT topic forum is more appropriate for my post. My apologies if I'm in the wrong forum.

Two days ago I picked up a virus/viruses. Yesterday I ran the following in order:
1. Super Anti-spyware
2. Ad-Aware
3. Malwarebytes anti-malware
4. Spybot Search & Destroy
5. Spyware Blaster 4.2

These programs identified various viruses and other problems. About 16 files or problems were noted, quarantined and/or removed. However, this did not eliminate the problems. Today, a program "oiekfbhf sdjfue gkaiiedf" kept trying to change the registry with buzimoten, sylonz, and votudehoj. Also, Firefox and later IE were hijacked to c.ppcxml.net.

Today, I reran the same five programs noted above several times and the problems only seem to get worse. At one point there were 60 variations of adware.vundo, trojan.agent, trojan.dropper, rootkit.agent, trojan.smitfraud, trojan.downloader and trojan.agent/gen-backdoor. While the viruses don't seem to show up in the results reports, they are found through a search.

I have uninstalled and reinstalled Firefox but no help. The hijacking just got worse for FF and IE.

In doing a search of .exe files on the computer that were changed/added today, I found several variations of waxfhosk, haypsixd and others. I will try to attach a Word file of the .exe files that changed today or yesterday. Also, I noticed many of these changed files are listed as "windows/prefetch", which I have never heard of before.

I'm overwhelmed and do not know what to do next. One post I read here said that the backdoor virus would/could compromise my financial and banking software and that I should disconnect the PC from the net and change all online banking info. I will change the online info (with another computer) after posting this message but what else do I need to watch out for? Are these attacks a critical threat or a nuisance?

Can you help me to identify and remove the problem software files, etc? I have included the DDS log and the RootRepeal log. I also can provide a Hijackthis log file if needed.

Thanks, in advance, for your advice.

Novice451



DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 21:51:50.81 on Mon 12/28/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.92 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
svchost.exe
C:WINDOWSSystem32svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:Program FilesLavasoftAd-AwareAAWService.exe
C:WINDOWSsystem32spoolsv.exe
svchost.exe
C:WINDOWSeHomeehRecvr.exe
C:WINDOWSeHomeehSched.exe
C:Program FilesFlip VideoFlipShareFlipShareService.exe
C:Program FilesSeagateSeagateManagerSyncFreeAgentService.exe
C:Program FilesCommon FilesLightScribeLSSrvc.exe
C:Program FilesMcAfeeSiteAdvisorMcSACore.exe
C:PROGRA~1McAfeeMSCmcmscsvc.exe
c:program filescommon filesmcafeemnamcnasvc.exe
c:PROGRA~1COMMON~1mcafeemcproxymcproxy.exe
C:PROGRA~1McAfeeVIRUSS~1mcshield.exe
C:Program FilesMcAfeeMPFMPFSrv.exe
C:Program FilesMcAfeeMSKMskSrver.exe
C:WINDOWSSystem32svchost.exe -k HPZ12
C:WINDOWSsystem32nvsvc32.exe
C:WINDOWSSystem32svchost.exe -k HPZ12
C:Program FilesCommon FilesNew BoundaryPrismXLPRISMXL.SYS
C:Program FilesCommon Filessupportsoftbinsprtlisten.exe
svchost.exe
C:WINDOWSsystem32svchost.exe -k imgsvc
C:Program FilesCanonCALCALMAIN.exe
c:PROGRA~1mcafee.comagentmcagent.exe
C:WINDOWSExplorer.EXE
C:WINDOWSehomeehtray.exe
C:Program FilesGoogleGoogle Desktop SearchGoogleDesktop.exe
C:Program FilesDigital Media Readerreadericon45G.exe
C:WINDOWSzHotkey.exe
C:Program FilesHPHP Software UpdateHPWuSchd2.exe
C:WINDOWSRTHDCPL.EXE
C:Program FilesLavasoftAd-AwareAAWTray.exe
C:Program FilesSeagateSeagateManagerFreeAgent StatusStxMenuMgr.exe
C:Program FilesQuickTimeqttask.exe
C:Program FilesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesSpybot - Search & DestroyTeaTimer.exe
C:Program FilesSUPERAntiSpywareSUPERAntiSpyware.exe
C:Program FilesHPDigital Imagingbinhpqtra08.exe
C:Program FilesGoogleGoogle Desktop SearchGoogleDesktopIndex.exe
C:PROGRA~1McAfeeVIRUSS~1mcsysmon.exe
C:Program FilesLogitechMouseWaresystemem_exec.exe
C:Program FilesGoogleGoogle Desktop SearchGoogleDesktopDisplay.exe
C:Program FilesMemeoAutoBackupMemeoLauncher.exe
C:Program FilesHPDigital ImagingbinhpqSTE08.exe
C:WINDOWSsystem32taskmgr.exe
C:WINDOWSsystem32NOTEPAD.EXE
C:Program FilesMozilla Firefoxfirefox.exe
C:Documents and SettingsOwner.SMITHMy DocumentsDownloadsdds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = localhost
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:progra~1mcafeesitead~1mcieplg.dll
mWinlogon: UserInit=c:windowssystem32userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:program filesadobeacrobat 7.0activexAcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:progra~1mcafeemskmskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:progra~1spybot~1SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:program filesmcafeevirusscanscriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:program filesgooglegoogle toolbarGoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:program filesgooglegoogletoolbarnotifier5.4.4525.1752swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:progra~1mcafeesitead~1mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:windowssystem32BAE.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:progra~1mcafeesitead~1mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:program filesgooglegoogle toolbarGoogleToolbar_32.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:windowssystem32Shdocvw.dll
uRun: [swg] "c:program filesgooglegoogletoolbarnotifierGoogleToolbarNotifier.exe"
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:program filescommon filesaheadlibNMBgMonitor.exe"
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
uRun: [SpybotSD TeaTimer] c:program filesspybot - search & destroyTeaTimer.exe
uRun: [SUPERAntiSpyware] c:program filessuperantispywareSUPERAntiSpyware.exe
mRun: [ehTray] c:windowsehomeehtray.exe
mRun: [Google Desktop Search] "c:program filesgooglegoogle desktop searchGoogleDesktop.exe" /startup
mRun: [readericon] "c:program filesdigital media readerreadericon45G.exe"
mRun: [CHotkey] zHotkey.exe
mRun: [Reminder] %WINDIR%CreatorRemind_XP.exe
mRun: [Recguard] %WINDIR%SMINSTRECGUARD.EXE
mRun: [NWEReboot]
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:windowssystem32NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:windowssystem32NvMcTray.dll,NvTaskbarInit
mRun: [HP Software Update] c:program fileshphp software updateHPWuSchd2.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [mcagent_exe] "c:program filesmcafee.comagentmcagent.exe" /runkey
mRun: [Ad-Watch] c:program fileslavasoftad-awareAAWTray.exe
mRun: [RestartNeroSetup] "c:program filescommon filesaheadnero webSetupXu.exe" PARAM="update" STARTMODE="2" USERSEL="3" FAMILYNAME="Nero 7" RUNSETUPXU="1" UNINSTALL="1" STUB="1" UPGRADE="1"
mRun: [<NO NAME>]
mRun: [MaxMenuMgr] "c:program filesseagateseagatemanagerfreeagent statusStxMenuMgr.exe"
mRun: [QuickTime Task] "c:program filesquicktimeqttask.exe" -atboottime
dRun: [Power2GoExpress] NA
StartupFolder: c:docume~1owner~1.smistartm~1programsstartupmemeoa~1.lnk - c:docume~1owner~1.neuapplic~1microsoftinstaller{39a908fd-7322-41ae-b374-c7a076b2fc97}NewShortcut4_51A847D327C24F7797772AF2A4E486ED.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupadober~1.lnk - c:program filesadobeacrobat 7.0readerreader_sl.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartuphpdigi~1.lnk - c:program fileshpdigital imagingbinhpqtra08.exe
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:progra~1micros~2office11EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:progra~1micros~2office11REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:windowssystem32Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:progra~1spybot~1SDHelper.dll
Trusted Zone: turbotax.com
TCP: {0DE5A393-0D46-486A-A209-1610F6AD27A5} = 193.104.110.38,4.2.2.1,192.168.0.1
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:progra~1mcafeesitead~1McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:progra~1mcafeesitead~1McIEPlg.dll
Notify: !SASWinLogon - c:program filessuperantispywareSASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:progra~1googlegoogle~1GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:windowssystem32WPDShServiceObj.dll
STS: kupuhivus: {4abdc41d-6cb4-4520-9135-4acdb12e8925} - c:windowssystem32saguyeba.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:program filessuperantispywareSASSEH.DLL
LSA: Notification Packages = scecli savogiju.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:docume~1owner~1.smiapplic~1mozillafirefoxprofilesqgqq9eb0.default
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:program filesgooglegoogle earthpluginnpgeplugin.dll
FF - plugin: c:program filesgooglegoogle updater2.4.1536.6592npCIDetect13.dll
FF - plugin: c:program filesgoogleupdate1.2.183.13npGoogleOneClick8.dll
FF - plugin: c:program filesjavajre1.5.0_02binNPJava11.dll
FF - plugin: c:program filesjavajre1.5.0_02binNPJava12.dll
FF - plugin: c:program filesjavajre1.5.0_02binNPJava13.dll
FF - plugin: c:program filesjavajre1.5.0_02binNPJava14.dll
FF - plugin: c:program filesjavajre1.5.0_02binNPJava32.dll
FF - plugin: c:program filesjavajre1.5.0_02binNPJPI150_02.dll
FF - plugin: c:program filesjavajre1.5.0_02binNPOJI610.dll
FF - plugin: c:program filesmozilla firefoxpluginsNPCIG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:windowsmicrosoft.netframeworkv3.5windows presentation foundationdotnetassistantextension

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:windowssystem32driversLbd.sys [2009-1-26 64160]
R1 mfehidk;McAfee Inc. mfehidk;c:windowssystem32driversmfehidk.sys [2007-6-29 214664]
R1 SASDIFSV;SASDIFSV;c:program filessuperantispywareSASDIFSV.SYS [2008-12-22 9968]
R1 SASKUTIL;SASKUTIL;c:program filessuperantispywareSASKUTIL.SYS [2008-12-22 74480]
R2 FreeAgentGoNext Service;Seagate Service;c:program filesseagateseagatemanagersyncFreeAgentService.exe [2009-9-25 189736]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:program fileslavasoftad-awareAAWService.exe [2009-1-18 1028432]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:program filesmcafeesiteadvisorMcSACore.exe [2008-9-29 93320]
R2 McProxy;McAfee Proxy Service;c:progra~1common~1mcafeemcproxymcproxy.exe [2007-6-29 359952]
R2 McrdSvc;Media Center Extender Service;c:windowsehomemcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:progra~1mcafeeviruss~1mcshield.exe [2007-6-29 144704]
R2 sprtlisten;SupportSoft Listener Service;c:program filescommon filessupportsoftbinsprtlisten.exe [2008-1-8 1213728]
R3 McSysmon;McAfee SystemGuards;c:progra~1mcafeeviruss~1mcsysmon.exe [2007-6-29 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:windowssystem32driversmfeavfk.sys [2007-6-29 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:windowssystem32driversmfebopk.sys [2007-6-29 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:windowssystem32driversmfesmfk.sys [2007-6-29 40552]
R3 SASENUM;SASENUM;c:program filessuperantispywareSASENUM.SYS [2008-12-22 7408]
S2 0085631261151173mcinstcleanup;McAfee Application Installer Cleanup (0085631261151173);c:windowstemp008563~1.exe c:progra~1common~1mcafeeinstal~1cleanup.ini -cleanup -nolog -service --> c:windowstemp008563~1.exe c:progra~1common~1mcafeeinstal~1cleanup.ini -cleanup -nolog -service [?]
S2 BtwSrv;BtwSrv;c:windowssystem32svchost.exe -k netsvcs [2005-1-9 14336]
S2 fastnetsrv;fastnetsrv Service;c:windowssystem32fastnetsrv.exe --> c:windowssystem32FastNetSrv.exe [?]
S2 gupdate1c987fe3e4a7ae2;Google Update Service (gupdate1c987fe3e4a7ae2);c:program filesgoogleupdateGoogleUpdate.exe [2009-2-5 133104]
S2 Ias;Network Security;c:windowssystem32svchost.exe -k netsvcs [2005-1-9 14336]
S3 mferkdk;McAfee Inc. mferkdk;c:windowssystem32driversmferkdk.sys [2007-6-29 34248]

=============== Created Last 30 ================

2009-12-28 22:53:47 95 ----a-w- c:windowswininit.ini
2009-12-28 19:32:57 1379840 ----a-w- c:windowssystem32AVR10.exe
2009-12-28 19:31:41 707072 ----a-w- c:windowssystem32driversabcrp.sys
2009-12-28 19:31:27 20480 ----a-w- C:waxfhosk.exe
2009-12-28 19:31:23 47104 ----a-w- C:haypsixd.exe
2009-12-28 19:26:53 419 ----a-w- c:windowssystem32uses32.dat
2009-12-28 19:26:53 100 ----a-w- c:windowssystem32flags.ini
2009-12-28 16:59:04 0 d-----w- c:program filesPersonalSec
2009-12-28 07:15:03 471552 -c----w- c:windowssystem32dllcacheaclayers.dll
2009-12-28 07:15:03 1206508 -c----w- c:windowssystem32dllcachesysmain.sdb
2009-12-25 11:49:36 153088 ----a-w- C:uwlwfa.exe
2009-12-14 16:42:57 54156 ---ha-w- c:windowsQTFont.qfn
2009-12-14 16:42:57 1409 ----a-w- c:windowsQTFont.for
2009-12-11 15:46:45 0 d-----w- c:program filesFlip Video

==================== Find3M ====================

2009-12-28 00:50:46 96512 ----a-w- c:windowssystem32driversatapi.sys
2009-12-03 23:14:06 38224 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2009-12-03 23:13:56 19160 ----a-w- c:windowssystem32driversmbam.sys
2009-10-29 07:46:59 832512 ----a-w- c:windowssystem32wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:windowssystem32ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:windowssystem32corpol.dll
2009-10-21 05:38:36 75776 ----a-w- c:windowssystem32strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:windowssystem32httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:windowssystem32oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:windowssystem32rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:windowssystem32raschap.dll

============= FINISH: 21:56:46.84 ===============




ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/12/28 22:15
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:WINDOWSsystem32driversrootrepeal.sys
Address: 0xB7308000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:hiberfil.sys
Status: Locked to the Windows API!

Path: C:Program FilesMetaTrader 4 at FOREX.comconfig
Status: Invisible to the Windows API!

Path: C:WINDOWSsystem32config
Status: Invisible to the Windows API!

Path: C:WINDOWSsystem32kbdsock.dll
Status: Invisible to the Windows API!

Path: C:WINDOWSsystem32mshlps.dll
Status: Invisible to the Windows API!

Path: c:windowstempmcafee_gtfshja5yaywcyf
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:windowstempfla135.tmp
Status: Allocation size mismatch (API: 2752512, Raw: 2031616)

Path: c:windowstempsqlite_jzf95sfrzs1gcpq
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:windowstempmcmsc_9ul6edrulschgmw
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:windowstempmcmsc_nasopwiqaszcjc5
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:Program FilesMemeoAutoBackupconfig
Status: Invisible to the Windows API!

Path: C:WINDOWSsystem32driversabcrp.sys
Status: Locked to the Windows API!

Path: C:Program FilesMcAfeeVirusScanEngine5301.4018config.dat
Status: Invisible to the Windows API!

Path: C:Documents and SettingsAll UsersApplication DataMcAfeeMSCLogs{89A1F989-1BEE-4E41-A4FD-F2AFF1093308}.log-journal
Status: Invisible to the Windows API!

Path: c:windowssystem32configsystemprofilelocal settingstemporary internet filescontent.ie5u0ob8frsurbanmusicnews-176840-09-02-2009[1].flv
Status: Allocation size mismatch (API: 2686976, Raw: 2555904)

Path: c:documents and settingsowner.smithlocal settingsapplication datamozillafirefoxprofilesqgqq9eb0.defaultcache_cache_001_
Status: Size mismatch (API: 2501281, Raw: 2499958)

Path: D:MiniNTsystem32config
Status: Invisible to the Windows API!

Path: D:I386AppsApp20577CONFIG
Status: Invisible to the Windows API!

Path: D:I386AppsApp23742SYSTEM32REDISTMS
Status: Invisible to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf75a087e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf75a0bfe

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:Program FilesSUPERAntiSpywareSASKUTIL.sys" at address 0xeb1270b0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x87133bc8 Size: 164

Hidden Services
-------------------
Service Name: abcrp
Image Path: C:WINDOWSsystem32driversabcrp.sys

==EOF==

This is an addendum to my original post.

I also have an older non-windows compatible iMac that I use. Can it also be infected by these viruses? If so, how can I check it?

If this post is in the wrong forum, please let me know. I seem to be getting views but no replies.

Thanks.

Merged posts. ~ OB

Edited by Orange Blossom, 29 December 2009 - 07:53 PM.



#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:06 AM

Posted 08 January 2010 - 05:02 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:01:06 AM

Posted 13 January 2010 - 03:45 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware



