
IE not opening and viruses/Trojans detected



#1 Tim Moll


Posted 12 January 2010 - 11:27 AM

Hi, I am trying to clean up a friend's laptop that has been playing up for some time now. Internet Explorer would not even show a page and the whole PC was incredibly slow. I have downloaded and run Malwarebytes Anti-Malware as suggested in another post on this site and attach below the logs from the first and second runs of this software; I re-booted as requested between each run. I have then just run Kaspersky Online Scanner and threats are still detected. I would very much appreciate some guidance on what to do next. Incidentally, after running Malwarebytes I can now get on the internet, so I have made some progress.

First Malwarebytes Log

Malwarebytes' Anti-Malware 1.44
Database version: 3546
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/01/2010 10:28:35
mbam-log-2010-01-12 (10-28-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 208119
Time elapsed: 47 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 40
Registry Values Infected: 6
Registry Data Items Infected: 7
Folders Infected: 3
Files Infected: 73

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\lijohoyo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\dajidomu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kiganopo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lapomefe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yopalimi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\jskjwq.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{62a6ee44-c090-4783-bc93-611d3d9acc8a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{62a6ee44-c090-4783-bc93-611d3d9acc8a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{92a1d53e-8c31-4309-bc4c-d7c27702fcce} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{92a1d53e-8c31-4309-bc4c-d7c27702fcce} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3229dfcd-3eaf-4712-ed45-4876fedc170c} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{92a1d53e-8c31-4309-bc4c-d7c27702fcce} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{62a6ee44-c090-4783-bc93-611d3d9acc8a} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\contextprogram.browserwatcher (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\contextprogram.browserwatcher.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\contextprogram.pornpro_bho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\contextprogram.pornpro_bho.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\contextprogram.precachebrowserhost (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\contextprogram.precachebrowserhost.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{018fe159-4a56-8237-0211-989634717eb4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1037b06c-84b7-4240-8d80-485810a0497d} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2f560603-a26f-c7e9-5e30-08dba79699c4} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{54b287f9-fd90-4457-b65e-cb91560c021d} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e4c7afc-9915-4036-b7f9-8b3f1710788f} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bf798913-adc2-4304-2b4e-876f60917aab} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{e2010c89-dc4c-e7bf-aa56-e826b40072a0} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4c1aff62-c4fb-dc22-f1dd-20f26a27ec12} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{926ea0f6-080a-0778-9569-cac35c7f03b8} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{24a1e1cc-4393-941e-b765-2264a695d4e3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{24a1e1cc-4393-941e-b765-2264a695d4e3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{24a1e1cc-4393-941e-b765-2264a695d4e3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{566dede9-9ed8-45da-9be6-9b2eeab17f49} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{9f009604-ac89-957d-19a5-5815b478e169} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\ContextProgram.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\reset5c (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\fbrowsingadvisor_is1 (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmd7610491 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naterefuya (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d452370d (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{3229dfcd-3eaf-4712-ed45-4876fedc170c} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\lapomefe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\lapomefe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\lapomefe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\lapomefe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\dajidomu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\dajidomu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Angle Interactive\RD Platinum v5.0 (Rogue.RegistryDefender) -> Quarantined and deleted successfully.
C:\Program Files\FBrowserAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\jskjwq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lijohoyo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\dajidomu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\dulosilo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fajekego.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fodedozu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gohulayo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oyaluhog.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kiganopo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lapomefe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\letuyami.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lojonuda.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nifudoju.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\riligize.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rodudaya.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rotapote.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wuvoseti.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yopalimi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\zegofadu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zevehahu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zuvimape.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winload.dll (Trojan.Zlob.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\browsearch.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Program Files\Angle Interactive\RD Platinum v5.0\RDPlatinumv5.exe (Rogue.RegDefenderv5) -> Quarantined and deleted successfully.
C:\Program Files\Angle Interactive\RD Platinum v5.0\Uninstall.exe (Rogue.RegistryDefender) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\XPCOMEvents.dll (Adware.PLayMP3z) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gehudehe.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rewagiki.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\savahusu.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\suhokamo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tehisuvo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wepakezu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\liyobinu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nutedemu.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jhivep.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jomibeyo.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\juposeno.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xewsbb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kusitozo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\viwafinu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tupurevo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wukanipo.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yizimife.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zajosola.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bihawonu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\IXPCOMEvents.xpt (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\Logo.png (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\main.db (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\unins000.dat (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\unins000.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Documents and Settings\alletv\Application Data\Microsoft\SystemBackup\browserui.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\alletv\Application Data\Microsoft\SystemBackup\mt_32.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\browserui.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bujusufe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clfsw.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mscert.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mshtmllib.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mt_32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\muzurimo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netd.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pxcrt.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reset5c.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rokonuge.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rudadiza.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rudagitu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vukuleyi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zoyokuvu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMd7610491.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMd7610491.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

Second Malwarebytes Log

Malwarebytes' Anti-Malware 1.44
Database version: 3546
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

12/01/2010 12:09:36
mbam-log-2010-01-12 (12-09-36).txt

Scan type: Full Scan (C:\|)
Objects scanned: 208425
Time elapsed: 45 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Kaspersky Online Scanner Log

Tuesday, January 12, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, January 12, 2010 09:43:29
Records in database: 3300829


Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes

Scan area My Computer
C:\
D:\

Scan statistics
Objects scanned 73608
Threats found 16
Infected objects found 48
Suspicious objects found 0
Scan duration 01:46:04

File name Threat Threats count
vi32.exe\vi32.exe/vi32.exe\vi32.exe Infected: Trojan.Win32.Agent.crt 1

C:\WINDOWS\system32\vi32.exe/C:\WINDOWS\system32\vi32.exe Infected: Trojan.Win32.Agent.crt 1

alle32.exe\alle32.exe/alle32.exe\alle32.exe Infected: Trojan.Win32.Agent.afi 1

c:\windows\system32\alle32.exe/c:\windows\system32\alle32.exe Infected: Trojan.Win32.Agent.afi 1

C:\Documents and Settings\alletv\Application Data\Microsoft\SystemBackup\winload.dll Infected: Trojan-Dropper.Win32.LJoiner.by 1

C:\Documents and Settings\alletv\Local Settings\Temporary Internet Files\Content.IE5\QSQJ8XQL\index[3].htm Infected: Trojan.JS.Fraud.l 1

C:\Documents and Settings\alletv\Local Settings\Temporary Internet Files\Content.IE5\RIEAOXEH\jquery-init[1].js Infected: Hoax.HTML.FakeAntivirus.a 1

C:\quarantine\Dc10.Vir.Vir Infected: Trojan-Downloader.WMA.GetCodec.c 1

C:\quarantine\Dc11.Vir.Vir Infected: Trojan-Downloader.WMA.GetCodec.c 1

C:\quarantine\Dc12.Vir.Vir Infected: Trojan-Downloader.WMA.GetCodec.c 1

C:\quarantine\Dc13.Vir.Vir Infected: Trojan-Downloader.WMA.GetCodec.c 1

C:\quarantine\Dc14.Vir.Vir Infected: Trojan-Downloader.WMA.GetCodec.c 1

C:\quarantine\Dc9.Vir.Vir Infected: Trojan-Downloader.WMA.GetCodec.c 1

C:\quarantine\T-3545425-golden showers.mpg.Vir Infected: Trojan-Downloader.WMA.GetCodec.c 1

C:\WINDOWS\system32\alle32.exe Infected: Trojan.Win32.Agent.afi 1

C:\WINDOWS\system32\axaccessctrl.ocx Infected: Trojan.Win32.Agent.xjb 1

C:\WINDOWS\system32\beyobusu.dll.tmp Infected: Trojan-Downloader.Win32.Agent.bqxc 1

C:\WINDOWS\system32\bihomimo.dll.tmp Infected: Packed.Win32.Krap.p 1

C:\WINDOWS\system32\fcnliiep.dll Infected: Trojan.Win32.Obfuscated.auw 1

C:\WINDOWS\system32\jawuzela.dll Infected: Trojan.Win32.Agent.bqeh 1

C:\WINDOWS\system32\jazukimo.dll.tmp Infected: Trojan-Downloader.Win32.Agent.bqxc 1

C:\WINDOWS\system32\kivizazu.dll.tmp Infected: Packed.Win32.Mondera.b 1

C:\WINDOWS\system32\kivumolo.dll.tmp Infected: Packed.Win32.Krap.p 1

C:\WINDOWS\system32\klhfdokc.dll Infected: Trojan.Win32.Obfuscated.auw 1

C:\WINDOWS\system32\laraletu.dll.tmp Infected: Packed.Win32.Krap.p 1

C:\WINDOWS\system32\ligalijo.dll.tmp Infected: Packed.Win32.Krap.p 1

C:\WINDOWS\system32\lxybxlgd.dll Infected: Trojan.Win32.Obfuscated.auw 1

C:\WINDOWS\system32\nigavimi.dll Infected: Packed.Win32.Krap.p 1

C:\WINDOWS\system32\nukipopu.dll Infected: Trojan.Win32.Monder.clwi 1

C:\WINDOWS\system32\nxwvqgsr.dll Infected: Trojan.Win32.Obfuscated.auw 1

C:\WINDOWS\system32\omnithread_rt.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.g 1

C:\WINDOWS\system32\paduzebe.dll Infected: Trojan.Win32.Monder.clwi 1

C:\WINDOWS\system32\povisema.dll.tmp Infected: Trojan-Downloader.Win32.Agent.bqxc 1

C:\WINDOWS\system32\relipasi.dll.tmp Infected: Packed.Win32.Krap.p 1

C:\WINDOWS\system32\risowupa.dll Infected: Packed.Win32.Krap.p 1

C:\WINDOWS\system32\sgtqrsmt.dll Infected: Trojan.Win32.Obfuscated.auw 1

C:\WINDOWS\system32\telowewa.dll Infected: Trojan.Win32.Agent.bjxa 1

C:\WINDOWS\system32\tojedela.dll Infected: Packed.Win32.Mondera.b 1

C:\WINDOWS\system32\vi32.exe Infected: Trojan.Win32.Agent.crt 1

C:\WINDOWS\system32\viyogula.dll Infected: Trojan.Win32.Agent.bqeh 1

C:\WINDOWS\system32\vororeni.dll.tmp Infected: Packed.Win32.Krap.p 1

C:\WINDOWS\system32\voyuvofe.dll.tmp Infected: Packed.Win32.Krap.p 1

C:\WINDOWS\system32\vunahate.dll.tmp Infected: Packed.Win32.Krap.p 1

C:\WINDOWS\system32\wehazibi.dll Infected: Packed.Win32.Krap.p 1

C:\WINDOWS\system32\yitefuko.dll Infected: Packed.Win32.Krap.p 1

C:\WINDOWS\system32\yurebuju.dll Infected: Packed.Win32.Krap.p 1

C:\WINDOWS\system32\zijigegu.dll Infected: Trojan.Win32.Monder.clxi 1

C:\WINDOWS\system32\zudovase.dll Infected: Packed.Win32.Krap.p 1

Selected area has been scanned.
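As an added example (not part of the thread or of Malwarebytes itself), a small Python triage script for the Malwarebytes log format shown above: it parses the detection lines, lists what was only deferred to "Delete on reboot", and flags detections in autostart and DLL-injection locations such as AppInit_DLLs, LSA Notification Packages and the Run key, since those are the entries to re-check after the reboot. The sample lines embedded in it are constructed from the log above; the list of persistence locations is my own choice.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x scan logs.

Parses the per-item detection lines (the format posted above) and reports
what still needs attention after the scan: items deferred to "Delete on
reboot", detections that live in Windows autostart or DLL-injection
locations, and the DLL names those locations pointed at.
"""
import re
from collections import Counter

# One detection line: <item> (<threat>) [-> <extra>] -> <action>.
# <extra> carries "Data: <path>" for registry data items, or the
# "Bad: (1) Good: (0)" pair for a changed security setting.
ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()]+)\)"
    r"(?: -> (?P<extra>.+?))?"
    r" -> (?P<action>Quarantined and deleted successfully"
    r"|Delete on reboot|No action taken)\.$"
)

# Registry locations that load code at logon or into every process.
# Matched case-insensitively against the item path; first match wins.
PERSISTENCE_PATTERNS = {
    "AppInit_DLLs": r"\\AppInit_DLLs$",
    "LSA Notification Packages": r"\\LSA\\Notification Packages$",
    "Winlogon Notify": r"\\Winlogon\\Notify\\",
    "Run key": r"\\CurrentVersion\\Run\\",
    "Browser Helper Object": r"\\Browser Helper Objects\\",
    "SharedTaskScheduler": r"\\SharedTaskScheduler\\",
    "ShellServiceObjectDelayLoad": r"\\ShellServiceObjectDelayLoad\\",
}

# Constructed sample: a handful of lines in the format of the log above.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\lapomefe.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naterefuya (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\lapomefe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\winload.dll (Trojan.Zlob.H) -> Quarantined and deleted successfully.
"""


def parse_items(log_text):
    """Return one dict per detection line, tagged with its log section."""
    items = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):          # e.g. "Files Infected:"
            section = line[: -len("Infected:")].strip()
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue                            # headers, blanks, summaries
        d = m.groupdict()
        extra = d.pop("extra")
        d["data"] = extra[len("Data: "):] if extra and extra.startswith("Data: ") else None
        d["section"] = section
        items.append(d)
    return items


def triage(log_text):
    """Summarise what the person doing the cleanup should check next."""
    items = parse_items(log_text)
    persistence = []
    for it in items:
        for label, pat in PERSISTENCE_PATTERNS.items():
            if re.search(pat, it["item"], re.IGNORECASE):
                persistence.append((label, it["item"], it["data"]))
                break
    # Data values may be absolute or relative ("system32\x.dll"); keep the
    # file name only so the same DLL is reported once.
    injected = {p[2].replace("/", "\\").rsplit("\\", 1)[-1].lower()
                for p in persistence if p[2]}
    return {
        "total": len(items),
        "by_threat": Counter(it["threat"] for it in items),
        "pending_reboot": [it["item"] for it in items
                           if it["action"] == "Delete on reboot"],
        "persistence": persistence,
        "injected_dlls": sorted(injected),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['total']} detections: {dict(summary['by_threat'])}")
    print("Still pending a reboot:", summary["pending_reboot"])
    for label, key, data in summary["persistence"]:
        print(f"  [{label}] {key}" + (f" -> {data}" if data else ""))
    print("DLLs referenced from injection points:", summary["injected_dlls"])
```

Run it against a saved mbam-log-*.txt by replacing SAMPLE_LOG with the file's contents; anything listed under "pending a reboot" or as an injection point is what a follow-up scan should confirm is gone.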


#2 garmanma


Posted 12 January 2010 - 02:10 PM

Welcome to BC

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Mark

#3 Tim Moll


Posted 12 January 2010 - 06:06 PM

Hi, thanks for the reply. Please find below the RootRepeal log.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/12 19:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1E4A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79F5000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_NTPNP6542
Image Path: \Driver\PCI_NTPNP6542
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB7445000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\config.msi\3a66aa.rbs
Status: Allocation size mismatch (API: 5242880, Raw: 5177344)

Path: C:\WINDOWS\$hf_mig$\KB970430\SP3QFE
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\$hf_mig$\KB970430\spmsg.dll
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\$hf_mig$\KB970430\spuninst.exe
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\$hf_mig$\KB970430\update
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\$hf_mig$\KB971737\spmsg.dll
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\$hf_mig$\KB971737\spuninst.exe
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\$hf_mig$\KB971737\update
Status: Visible to the Windows API, but not on disk.

Path: c:\windows\softwaredistribution\datastore\datastore.edb
Status: Allocation size mismatch (API: 14753792, Raw: 14757888)

Path: C:\Documents and Settings\Administrator.WII91R0R\Local Settings\Temp\mpengine.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator.WII91R0R\Local Settings\Temp\TMP00000001B6CB37E1CC12A533
Status: Invisible to the Windows API!

Path: c:\documents and settings\administrator.wii91r0r\local settings\temp\~dfda9c.tmp
Status: Allocation size mismatch (API: 65536, Raw: 16384)

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\policyagent_policyevaluator\000000no.msg
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\certificatemaintenanceendpoint\0000002a.msg
Status: Allocation size mismatch (API: 40960, Raw: 36864)

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\ls_scheduledcleanup\0000002m.msg
Status: Allocation size mismatch (API: 49152, Raw: 45056)

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\policyagent_cleanup\00000019.msg
Status: Allocation size mismatch (API: 40960, Raw: 36864)

Path: c:\windows\system32\ccm\servicedata\messaging\endpointqueues\policyagent_requestassignments\0000008n.msg
Status: Allocation size mismatch (API: 24576, Raw: 8192)

Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\amp_[http]mp_locationmanager\0000004q.msg
Status: Allocation size mismatch (API: 12288, Raw: 8192)

Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\mp_[http]mp_policymanager\0000007b.msg
Status: Allocation size mismatch (API: 98304, Raw: 69632)

Path: c:\windows\system32\ccm\servicedata\messaging\outgoingqueues\mp_[http]mp_policymanager\0000007c.msg
Status: Allocation size mismatch (API: 4096, Raw: 0)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "sptd.sys" at address 0xf729f0d0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x87ff8109

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf72a4e2c

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf72a51ba

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xf729f0b0

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf72a5292

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf72a5112

#: 247 Function Name: NtSetValueKey
Status: Hooked by "sptd.sys" at address 0xf72a5324

Stealth Objects
-------------------
Object: Hidden Handle [Index: 4, Type: UnknownType]
Process: svchost.exe (PID: 1876) Address: 0xe29fe818 Size: -

Object: Hidden Handle [Index: 2052, Type: UnknownType]
Process: svchost.exe (PID: 1876) Address: 0xe17c6020 Size: -

Object: Hidden Handle [Index: 4100, Type: UnknownType]
Process: svchost.exe (PID: 1876) Address: 0xe1538818 Size: -

Object: Hidden Handle [Index: 6148, Type: UnknownType]
Process: svchost.exe (PID: 1876) Address: 0xe2386818 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a4c61e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a2a91e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8a5341e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8a3961e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8a3961e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a3961e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a3961e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8a3961e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a3961e8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8a3961e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8a4c81e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x883491e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x883491e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x883491e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x883491e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x883491e8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x883491e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a3091e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a3091e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a3091e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a3091e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a3091e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a3091e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a3091e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x883231e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_CREATE]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_CLOSE]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_READ]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_SHUTDOWN]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_CLEANUP]
Process: System Address: 0x88da81e8 Size: 121

Object: Hidden Code [Driver: CdfsЅఉ瑎捦܉@考, IRP_MJ_PNP]
Process: System Address: 0x88da81e8 Size: 121

==EOF==

#4 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:10:59 PM

Posted 12 January 2010 - 07:22 PM

Now that you were successful in creating the RootRepeal log, you need to post it in our HJT forum. There they will help you with the removal through some custom scripts and programs that we cannot run here in this forum.

First, try to run a DDS / HJT log as outlined in our preparation guide:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

If it won't run, don't worry; just give a brief description and tell them that these logs were all you could get to run successfully.

Post them here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

The HJT team is extremely busy, so be patient, and good luck.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#5 Tim Moll

Tim Moll
  • Topic Starter

  • Members
  • 9 posts
  • Local time:02:59 AM

Posted 13 January 2010 - 04:07 AM

Many thanks for your help. I have posted to the other forum as directed :thumbsup:

#6 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:10:59 PM

Posted 13 January 2010 - 08:04 PM

Topic closed
Good luck and please be patient
Mark