
Random DLLs are hooked into running programs (current: romezeju.dll & zavinolo.dll + more)


This topic is locked
2 replies to this topic

#1 Iceyburnz

Iceyburnz

  • Members
  • 107 posts
  • OFFLINE
  • Local time:11:51 PM

Posted 28 January 2010 - 07:37 PM

I can usually get rid of the random spyware/malware, but this current case is kicking my butt. Not sure what I am infected with, but I would appreciate someone who is able to assist. Pasted below are the DDS log and the RootRepeal log. I know the DLLs are hooking into my currently running EXEs due to Process Explorer.
(Sidebar: Apologies to my future helper. I had tried to fix this on my own before and tried running ComboFix, and it removed stuff, but new DLLs were created on my C drive, so whatever is creating them still isn't gone.)


DDS (Ver_09-12-01.01) - NTFSx86
Run by Compaq_Owner at 19:01:34.43 on Thu 01/28/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.1037 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=presario&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=presario&pf=desktop
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {78b1d612-d0b7-4ea9-998d-9800095cd4d1} - romezeju.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ServUTrayIcon] c:\program files\rhinosoft.com\serv-u\ServUTray.exe
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [WinVNC] "c:\program files\ultravnc\WinVNC.exe" -servicehelper
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [yowibivofi] Rundll32.exe "memezori.dll",s
mRun: [favefefid] Rundll32.exe "c:\windows\system32\zavinolo.dll",a
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: sikasiso.dll c:\windows\system32\zavinolo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: fifozizuv - {a59ba6d2-5fb1-41c8-862b-de1fc29f1df3} - c:\windows\system32\zavinolo.dll
STS: gahurihor: {a59ba6d2-5fb1-41c8-862b-de1fc29f1df3} - c:\windows\system32\zavinolo.dll
LSA: Notification Packages = scecli sikasiso.dll memezori.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\elfexufh.default\
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 a347scsi;a347scsi;c:\windows\system32\drivers\a347scsi.sys [2006-10-17 5248]
R0 d347bus;d347bus;c:\windows\system32\drivers\d347bus.sys [2005-10-15 155136]
R0 d347prt;d347prt;c:\windows\system32\drivers\d347prt.sys [2005-10-15 5248]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-3-7 338056]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-2-17 255600]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-2-17 243312]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-3-7 50312]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-24 1111880]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100124.004\naveng.sys [2010-1-25 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100124.004\navex15.sys [2010-1-25 1323568]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-2-17 87664]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-24 153416]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2006-5-7 278384]
S4 a347bus;a347bus;c:\windows\system32\drivers\a347bus.sys [2006-10-17 160640]

=============== Created Last 30 ================

2010-01-28 05:22:10 98816 ----a-w- c:\windows\sed.exe
2010-01-28 05:22:10 77312 ----a-w- c:\windows\MBR.exe
2010-01-28 05:22:10 261632 ----a-w- c:\windows\PEV.exe
2010-01-28 05:22:10 161792 ----a-w- c:\windows\SWREG.exe
2010-01-26 02:47:08 0 d-----w- C:\VundoFix Backups
2010-01-25 07:35:38 0 d-----w- c:\docume~1\compaq~1\applic~1\Malwarebytes
2010-01-25 07:35:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 07:35:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-25 07:35:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-25 07:35:25 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-01-25 06:11:23 2184 ----a-w- c:\windows\system32\wpa.dbl

==================== Find3M ====================

1601-01-01 00:03:28 37888 --sha-w- c:\windows\system32\dofatefo.dll
1601-01-01 00:03:28 61952 --sha-w- c:\windows\system32\notijiku.dll
1601-01-01 00:03:28 92160 --sha-w- c:\windows\system32\puneromi.dll
1601-01-01 00:03:28 39424 --sha-w- c:\windows\system32\rawuyona.dll
1601-01-01 00:03:28 38912 --sha-w- c:\windows\system32\rohitelu.dll
1601-01-01 00:03:52 51200 --sha-w- c:\windows\system32\romezeju.dll
1601-01-01 00:03:28 91648 --sha-w- c:\windows\system32\zavinolo.dll
1601-01-01 00:03:28 51200 --sha-w- c:\windows\system32\ziyojozi.dll

============= FINISH: 19:01:55.35 ===============



ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2010/01/28 19:20
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xAF836000 Size: 31744 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB1933000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79CD000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xAEAC7000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAED1A000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "d347bus.sys" at address 0xf75bd818

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x89ff68d8

#: 041 Function Name: NtCreateKey
Status: Hooked by "d347bus.sys" at address 0xf75bd7d0

#: 045 Function Name: NtCreatePagingFile
Status: Hooked by "d347bus.sys" at address 0xf75b1a20

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "d347bus.sys" at address 0xf75b22a8

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "d347bus.sys" at address 0xf75bd910

#: 119 Function Name: NtOpenKey
Status: Hooked by "d347bus.sys" at address 0xf75bd794

#: 160 Function Name: NtQueryKey
Status: Hooked by "d347bus.sys" at address 0xf75b22c8

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "d347bus.sys" at address 0xf75bd866

#: 241 Function Name: NtSetSystemPowerState
Status: Hooked by "d347bus.sys" at address 0xf75bd0b0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a287b88 Size: 11

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x89faffb0 Size: 11

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_QUERY_EA]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SET_EA]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLEANUP]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x89fdf8e8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a0748a0 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CLOSE]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_READ]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_WRITE]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_EA]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CLEANUP]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_POWER]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: d347prt, IRP_MJ_PNP]
Process: System Address: 0x8a068938 Size: 99

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x89fa9af0 Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x840338f8 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a303578 Size: 11

Object: Hidden Code [Driver: Npfs????B, IRP_MJ_READ]
Process: System Address: 0x85f6de90 Size: 11

Object: Hidden Code [Driver: Msfs????, IRP_MJ_READ]
Process: System Address: 0x89ffdc38 Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System Address: 0x89fffe58 Size: 11

Object: Hidden Code [Driver: Cdfs???????????????, IRP_MJ_READ]
Process: System Address: 0x83f388c8 Size: 11

==EOF==

Edited by Iceyburnz, 28 January 2010 - 11:04 PM.
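The load points in the DDS log above (a BHO and two Run keys pointing at bare DLLs via Rundll32, AppInit_DLLs, an SSODL entry, LSA Notification Packages, and the 1601-dated hidden system32 files under Find3M) are what a responder reads first. As an added example that is not from the thread or from the DDS tool, this Python script runs a handful of those lines, copied here as constructed sample input, through defender-side triage heuristics; the eight-letter consonant/vowel naming test and the severity labels are my own assumptions drawn from this log, not a signature for the family.

```python
import re

# Constructed sample: load-point and Find3M lines copied from the DDS log in the
# post, plus legitimate lines (ssv.dll, ccApp.exe, mbam.sys) as negative controls.
SAMPLE_LOG = """\
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\\program files\\java\\jre1.6.0_07\\bin\\ssv.dll
BHO: {78b1d612-d0b7-4ea9-998d-9800095cd4d1} - romezeju.dll
mRun: [ccApp] "c:\\program files\\common files\\symantec shared\\ccApp.exe"
mRun: [yowibivofi] Rundll32.exe "memezori.dll",s
mRun: [favefefid] Rundll32.exe "c:\\windows\\system32\\zavinolo.dll",a
AppInit_DLLs: sikasiso.dll c:\\windows\\system32\\zavinolo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\\windows\\system32\\WPDShServiceObj.dll
SSODL: fifozizuv - {a59ba6d2-5fb1-41c8-862b-de1fc29f1df3} - c:\\windows\\system32\\zavinolo.dll
LSA: Notification Packages = scecli sikasiso.dll memezori.dll
1601-01-01 00:03:52 51200 --sha-w- c:\\windows\\system32\\romezeju.dll
2010-01-25 07:35:25 19160 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
"""

# Eight letters of strict consonant/vowel alternation is the naming pattern of
# every rogue DLL in this thread (romezeju, zavinolo, memezori, sikasiso, ...).
# Assumption: a heuristic derived from this log, not a signature for the family.
_RANDOM_DLL = re.compile(r"(?<!\w)((?:[bcdfghjklmnpqrstvwxyz][aeiou]){4})\.dll\b", re.I)
# Find3M line layout: "YYYY-MM-DD hh:mm:ss size attrs path"
_FIND3M = re.compile(r"^(\d{4})-\d\d-\d\d \d\d:\d\d:\d\d \d+ (\S{8}) (.+)$")
_LSA_DEFAULT = {"scecli"}  # the only Notification Package on a stock XP install


def triage(log_text):
    """Return (severity, reason, line) tuples for each suspicious DDS line."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        key = line.split(":", 1)[0]
        if key == "AppInit_DLLs" and line.split(":", 1)[1].strip():
            # user32.dll loads these into every GUI process: global injection
            findings.append(("high", "AppInit_DLLs injects into every user32 process", line))
        elif key == "LSA" and "=" in line:
            extra = set(line.split("=", 1)[1].split()) - _LSA_DEFAULT
            if extra:
                # loaded inside lsass.exe and told about password changes
                findings.append(("high", "non-default LSA Notification Packages: " + " ".join(sorted(extra)), line))
        elif key in ("uRun", "mRun") and "rundll32" in line.lower():
            findings.append(("medium", "Run key launches a DLL export via Rundll32", line))
        m = _FIND3M.match(line)
        if m:
            year, attrs, path = m.groups()
            if year == "1601":
                # 1601-01-01 is the Windows FILETIME epoch: a zeroed (stomped) timestamp
                findings.append(("high", "FILETIME-epoch timestamp, likely timestomped", line))
            if "s" in attrs and "h" in attrs and "system32" in path.lower():
                findings.append(("medium", "hidden+system file dropped in system32", line))
        for name in _RANDOM_DLL.findall(line):
            findings.append(("medium", "random-looking DLL name: " + name + ".dll", line))
    return findings


def summarize(findings):
    """Count findings per severity and list the distinct suspicious DLL names."""
    by_severity = {}
    dlls = set()
    for severity, _reason, line in findings:
        by_severity[severity] = by_severity.get(severity, 0) + 1
        dlls.update(n.lower() for n in _RANDOM_DLL.findall(line))
    return {"by_severity": by_severity, "dlls": sorted(dlls)}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for severity, reason, line in hits:
        print(f"[{severity:6}] {reason}\n         {line}")
    print(summarize(hits))
```

The same DLL names surfacing across a BHO, Run keys, AppInit_DLLs, SSODL and LSA at once is the point: removing one load point leaves the others to re-drop the files, which matches the poster's ComboFix experience.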



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:51 AM

Posted 30 January 2010 - 05:51 AM

Hi,

I see you have Malwarebytes already installed, which should get rid of your problem; however, I assume the malware prevents Malwarebytes from running?

In that case,

Please try this version of malwarebytes: Click the link here
Save it on your desktop. You'll see it will have a random name, and will look similar to this:
Double-click on it, so it will extract the files and start Malwarebytes automatically.
In case the installer (random-named file) won't run either, rename it to EXPLORER.EXE and try again.

When Malwarebytes opens, click the "Update" tab FIRST and select to check for updates in order to get the latest updates.
In case Malwarebytes doesn't open, search for the folder mbam-installer on your desktop, open it and double-click the file winlogon.exe which will be present in there. This should launch Malwarebytes.

Then perform a scan and let it remove what it found. Reboot afterwards (important).
After reboot, post the Malwarebytes log together with a new HijackThis log.

In case you're having problems with the above instructions, let me know.

Edited by miekiemoes, 30 January 2010 - 05:51 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:51 AM

Posted 16 February 2010 - 09:02 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



