Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    Op 'Sharpshooter' Uses Lazarus Group Tactics, Techniques, and Procedures

Featured Deal: Get 91% off The ReactJS Programming Bootcamp Deal

Photo

SWP 2009 demo keeps coming back

Started by Mike_West , May 25 2009 05:40 PM

  • Please log in to reply
8 replies to this topic

#1 Mike_West

Mike_West

  • Members
  • 5 posts
  • OFFLINE
    •  
  • Local time:02:07 PM

Posted 25 May 2009 - 05:40 PM

Dear Bleepingcomputer.com,

This is a family computer and 2 days ago my son alerted me to this SWP 2009 demo thing. The computer was running at a snail's pace and I saw that it had taken up the whole screen with a fake virus scan graphic and warned me of viruses. I could tell that it was malware of some kind so I tried to purge it off with AVG. That didn't do it so I restarted the computer in safe mode and ran SuperAntiSpyware. That found 11 malicious items and removed them. I restarted the computer and the graphic was gone but the CPU usage was at %100 upon boot up. I ran Malwarebytes and it removed 11 more items (files and stuff in the registry). Then I ran Microsoft's malware tool and it removed something called koobface.gen!D. I rebooted the system and finally it seemed everything was gone, resting CPU usage was %0 and it ran fine so I thought it was over. But now I was running it and the whole thing started all over with the huge screen-filling fake alert graphic. What should I do? I can't seem to kill it off and it just keeps coming back.

Thank you,

Mike West

BC AdBot (Login to Remove)

 

#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:04:07 PM

Posted 25 May 2009 - 06:29 PM

Hello Mike and welcome to BC

Please update and rerun Malwarebytes and post its new log.

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial - Self Help guide can be found here if needed.: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Click OK
Scan your C Drive (Or your current system drive) and click OK. The scan will begin. This my take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith

#3 Mike_West

Mike_West
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
    •  
  • Local time:02:07 PM

Posted 26 May 2009 - 01:14 AM

Thank you Rigel, I updated and ran malwarebytes and also scanned with rootrepeal as you recommended. The results are very extensive so I hope this isn't asking too much, but here goes. First is the latest malwarebytes report and after that, rootrepeal which I just finished running (please note, the malwarebytes report says those things were deleted successfully but keep in mind that there was a clean scan between this and the initial scan when 11 other things were removed):

Malwarebytes' Anti-Malware 1.36
Database version: 2176
Windows 5.1.2600 Service Pack 3

5/25/2009 8:09:13 PM
mbam-log-2009-05-25 (20-09-13).txt

Scan type: Full Scan (C:\|)
Objects scanned: 169309
Time elapsed: 1 hour(s), 22 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bad4551d-9b24-42cb-9bcd-818ca2da7b63} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bad4551d-9b24-42cb-9bcd-818ca2da7b63} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bad4551d-9b24-42cb-9bcd-818ca2da7b63} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system tool (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.








ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/25 23:59
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: 00000067
Image Path: \Driver\00000067
Address: 0x00000000 Size: 0 File Visible: No
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA727000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7CD0000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAA033000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Pijoan\Local Settings\Temp\etilqs_QRcxagqEi1vDPNuolU3o
Status: Allocation size mismatch (API: 32768, Raw: 0)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf77ee87e

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf7691d48

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf76920c0

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xf7691ae2

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf769218a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf7692022

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf77eebfe

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x873d2450 Size: -

Object: Hidden Code [Driver: Udfsȅఉ浗灩, IRP_MJ_CREATE]
Process: System Address: 0x86fd6730 Size: -

Object: Hidden Code [Driver: Udfsȅఉ浗灩, IRP_MJ_CLOSE]
Process: System Address: 0x86fd6730 Size: -

Object: Hidden Code [Driver: Udfsȅఉ浗灩, IRP_MJ_READ]
Process: System Address: 0x86fd6730 Size: -

Object: Hidden Code [Driver: Udfsȅఉ浗灩, IRP_MJ_WRITE]
Process: System Address: 0x86fd6730 Size: -

Object: Hidden Code [Driver: Udfsȅఉ浗灩, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86fd6730 Size: -

Object: Hidden Code [Driver: Udfsȅఉ浗灩, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86fd6730 Size: -

Object: Hidden Code [Driver: Udfsȅఉ浗灩, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86fd6730 Size: -

Object: Hidden Code [Driver: Udfsȅఉ浗灩, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86fd6730 Size: -

Object: Hidden Code [Driver: Udfsȅఉ浗灩, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86fd6730 Size: -

Object: Hidden Code [Driver: Udfsȅఉ浗灩, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86fd6730 Size: -

Object: Hidden Code [Driver: Udfsȅఉ浗灩, IRP_MJ_CLEANUP]
Process: System Address: 0x86fd6730 Size: -

Object: Hidden Code [Driver: Udfsȅఉ浗灩, IRP_MJ_PNP]
Process: System Address: 0x86fd6730 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_CREATE]
Process: System Address: 0x86fba0e8 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_CLOSE]
Process: System Address: 0x86fba0e8 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_READ]
Process: System Address: 0x86fba0e8 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_WRITE]
Process: System Address: 0x86fba0e8 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86fba0e8 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86fba0e8 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_QUERY_EA]
Process: System Address: 0x86fba0e8 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_SET_EA]
Process: System Address: 0x86fba0e8 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86fba0e8 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86fba0e8 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86fba0e8 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86fba0e8 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86fba0e8 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86fba0e8 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86fba0e8 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_CLEANUP]
Process: System Address: 0x86fba0e8 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_PNP]
Process: System Address: 0x86fba0e8 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CREATE]
Process: System Address: 0x870aceb0 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CLOSE]
Process: System Address: 0x870aceb0 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x870aceb0 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x870aceb0 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_POWER]
Process: System Address: 0x870aceb0 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x870aceb0 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_PNP]
Process: System Address: 0x870aceb0 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x871360e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x871360e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x871360e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x871360e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x871360e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x871360e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x871360e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x871360e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x871360e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x871360e8 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x871360e8 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_CREATE]
Process: System Address: 0x873d2708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_CLOSE]
Process: System Address: 0x873d2708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_READ]
Process: System Address: 0x873d2708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_WRITE]
Process: System Address: 0x873d2708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873d2708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d2708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873d2708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873d2708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_POWER]
Process: System Address: 0x873d2708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873d2708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_PNP]
Process: System Address: 0x873d2708 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x873d2eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x873d2eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x873d2eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x873d2eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873d2eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d2eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873d2eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873d2eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x873d2eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873d2eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x873d2eb0 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x873d20e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x873d20e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x873d20e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873d20e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d20e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873d20e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873d20e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x873d20e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x873d20e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873d20e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x873d20e8 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_CREATE]
Process: System Address: 0x873d29c0 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_CLOSE]
Process: System Address: 0x873d29c0 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d29c0 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873d29c0 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_POWER]
Process: System Address: 0x873d29c0 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873d29c0 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_PNP]
Process: System Address: 0x873d29c0 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x870beeb0 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x870beeb0 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x870beeb0 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x870beeb0 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x870beeb0 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x870beeb0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLOSE]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_WRITE]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_EA]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_EA]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLEANUP]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_POWER]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86fd9b68 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x870c9bd0 Size: -

Object: Hidden Code [Driver: HDAUDIO#, IRP_MJ_CREATE]
Process: System Address: 0x871b80e8 Size: -

Object: Hidden Code [Driver: HDAUDIO#, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x871b80e8 Size: -

Object: Hidden Code [Driver: HDAUDIO#, IRP_MJ_CLOSE]
Process: System Address: 0x871b80e8 Size: -

Object: Hidden Code [Driver: HDAUDIO#, IRP_MJ_READ]
Process: System Address: 0x871b80e8 Size: -

Object: Hidden Code [Driver: HDAUDIO#, IRP_MJ_WRITE]
Process: System Address: 0x871b80e8 Size: -

Object: Hidden Code [Driver: HDAUDIO#, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x871b80e8 Size: -

Object: Hidden Code [Driver: HDAUDIO#, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x871b80e8 Size: -

Object: Hidden Code [Driver: HDAUDIO#, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x871b80e8 Size: -

Object: Hidden Code [Driver: HDAUDIO#, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x871b80e8 Size: -

Object: Hidden Code [Driver: HDAUDIO#, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x871b80e8 Size: -

Object: Hidden Code [Driver: HDAUDIO#, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x871b80e8 Size: -

Object: Hidden Code [Driver: HDAUDIO#, IRP_MJ_CLEANUP]
Process: System Address: 0x871b80e8 Size: -

Object: Hidden Code [Driver: HDAUDIO#, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x871b80e8 Size: -

Object: Hidden Code [Driver: HDAUDIO#, IRP_MJ_SET_SECURITY]
Process: System Address: 0x871b80e8 Size: -

Object: Hidden Code [Driver: Msfs؅ం扏楄⺰ᗠ؂ఛ楄Ψ, IRP_MJ_CREATE]
Process: System Address: 0x86efe310 Size: -

Object: Hidden Code [Driver: Msfs؅ం扏楄⺰ᗠ؂ఛ楄Ψ, IRP_MJ_CLOSE]
Process: System Address: 0x86efe310 Size: -

Object: Hidden Code [Driver: Msfs؅ం扏楄⺰ᗠ؂ఛ楄Ψ, IRP_MJ_READ]
Process: System Address: 0x86efe310 Size: -

Object: Hidden Code [Driver: Msfs؅ం扏楄⺰ᗠ؂ఛ楄Ψ, IRP_MJ_WRITE]
Process: System Address: 0x86efe310 Size: -

Object: Hidden Code [Driver: Msfs؅ం扏楄⺰ᗠ؂ఛ楄Ψ, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86efe310 Size: -

Object: Hidden Code [Driver: Msfs؅ం扏楄⺰ᗠ؂ఛ楄Ψ, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86efe310 Size: -

Object: Hidden Code [Driver: Msfs؅ం扏楄⺰ᗠ؂ఛ楄Ψ, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86efe310 Size: -

Object: Hidden Code [Driver: Msfs؅ం扏楄⺰ᗠ؂ఛ楄Ψ, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86efe310 Size: -

Object: Hidden Code [Driver: Msfs؅ం扏楄⺰ᗠ؂ఛ楄Ψ, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86efe310 Size: -

Object: Hidden Code [Driver: Msfs؅ం扏楄⺰ᗠ؂ఛ楄Ψ, IRP_MJ_CLEANUP]
Process: System Address: 0x86efe310 Size: -

Object: Hidden Code [Driver: Msfs؅ం扏楄⺰ᗠ؂ఛ楄Ψ, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x86efe310 Size: -

Object: Hidden Code [Driver: Msfs؅ం扏楄⺰ᗠ؂ఛ楄Ψ, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86efe310 Size: -

Object: Hidden Code [Driver: Msfs؅ం扏楄⺰ᗠ؂ఛ楄Ψ, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86efe310 Size: -

Object: Hidden Code [Driver: Cdfsȅ扏煓ȁఌ浗灩, IRP_MJ_CREATE]
Process: System Address: 0x8703daa0 Size: -

Object: Hidden Code [Driver: Cdfsȅ扏煓ȁఌ浗灩, IRP_MJ_CLOSE]
Process: System Address: 0x8703daa0 Size: -

Object: Hidden Code [Driver: Cdfsȅ扏煓ȁఌ浗灩, IRP_MJ_READ]
Process: System Address: 0x8703daa0 Size: -

Object: Hidden Code [Driver: Cdfsȅ扏煓ȁఌ浗灩, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8703daa0 Size: -

Object: Hidden Code [Driver: Cdfsȅ扏煓ȁఌ浗灩, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8703daa0 Size: -

Object: Hidden Code [Driver: Cdfsȅ扏煓ȁఌ浗灩, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8703daa0 Size: -

Object: Hidden Code [Driver: Cdfsȅ扏煓ȁఌ浗灩, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8703daa0 Size: -

Object: Hidden Code [Driver: Cdfsȅ扏煓ȁఌ浗灩, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8703daa0 Size: -

Object: Hidden Code [Driver: Cdfsȅ扏煓ȁఌ浗灩, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8703daa0 Size: -

Object: Hidden Code [Driver: Cdfsȅ扏煓ȁఌ浗灩, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8703daa0 Size: -

Object: Hidden Code [Driver: Cdfsȅ扏煓ȁఌ浗灩, IRP_MJ_CLEANUP]
Process: System Address: 0x8703daa0 Size: -

Object: Hidden Code [Driver: Cdfsȅ扏煓ȁఌ浗灩, IRP_MJ_PNP]
Process: System Address: 0x8703daa0 Size: -

Hidden Services
-------------------
Service Name: TDSSserv.sys
Image Path: C:\WINDOWS\system32\drivers\TDSSrfdc.sys

#4 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:04:07 PM

Posted 26 May 2009 - 06:37 AM

Our next step...

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download DrWeb-CureIt and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and unheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
Please rerun Rootrepeal and post its log.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith

#5 Mike_West

Mike_West
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
    •  
  • Local time:02:07 PM

Posted 26 May 2009 - 04:11 PM

Thank you, I followed your directions and here are the latest results:

This is the Dr. Web report:

GTDownAO_106.ocx;C:\Program Files\Common Files\AolCoach\en_en;Adware.Gdown;Incurable.Moved.;


And the long part:


ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/26 14:54
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: 00000067
Image Path: \Driver\00000067
Address: 0x00000000 Size: 0 File Visible: No
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA727000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D26000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA9A30000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\WindowsUpdate.log
Status: Size mismatch (API: 1951576, Raw: 1947557)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf77ee87e

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf7691d48

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf76920c0

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xf7691ae2

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf769218a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf7692022

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf77eebfe

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Udfsȅఌ硒硍㊈憈, IRP_MJ_CREATE]
Process: System Address: 0x86fb9168 Size: -

Object: Hidden Code [Driver: Udfsȅఌ硒硍㊈憈, IRP_MJ_CLOSE]
Process: System Address: 0x86fb9168 Size: -

Object: Hidden Code [Driver: Udfsȅఌ硒硍㊈憈, IRP_MJ_READ]
Process: System Address: 0x86fb9168 Size: -

Object: Hidden Code [Driver: Udfsȅఌ硒硍㊈憈, IRP_MJ_WRITE]
Process: System Address: 0x86fb9168 Size: -

Object: Hidden Code [Driver: Udfsȅఌ硒硍㊈憈, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86fb9168 Size: -

Object: Hidden Code [Driver: Udfsȅఌ硒硍㊈憈, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86fb9168 Size: -

Object: Hidden Code [Driver: Udfsȅఌ硒硍㊈憈, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86fb9168 Size: -

Object: Hidden Code [Driver: Udfsȅఌ硒硍㊈憈, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86fb9168 Size: -

Object: Hidden Code [Driver: Udfsȅఌ硒硍㊈憈, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86fb9168 Size: -

Object: Hidden Code [Driver: Udfsȅఌ硒硍㊈憈, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86fb9168 Size: -

Object: Hidden Code [Driver: Udfsȅఌ硒硍㊈憈, IRP_MJ_CLEANUP]
Process: System Address: 0x86fb9168 Size: -

Object: Hidden Code [Driver: Udfsȅఌ硒硍㊈憈, IRP_MJ_PNP]
Process: System Address: 0x86fb9168 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_CREATE]
Process: System Address: 0x87178a90 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_CLOSE]
Process: System Address: 0x87178a90 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_READ]
Process: System Address: 0x87178a90 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_WRITE]
Process: System Address: 0x87178a90 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x87178a90 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x87178a90 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_QUERY_EA]
Process: System Address: 0x87178a90 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_SET_EA]
Process: System Address: 0x87178a90 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x87178a90 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x87178a90 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x87178a90 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x87178a90 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87178a90 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_SHUTDOWN]
Process: System Address: 0x87178a90 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x87178a90 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_CLEANUP]
Process: System Address: 0x87178a90 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_PNP]
Process: System Address: 0x87178a90 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CREATE]
Process: System Address: 0x870ac900 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CLOSE]
Process: System Address: 0x870ac900 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x870ac900 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x870ac900 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_POWER]
Process: System Address: 0x870ac900 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x870ac900 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_PNP]
Process: System Address: 0x870ac900 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x87133548 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x87133548 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x87133548 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x87133548 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x87133548 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87133548 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87133548 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x87133548 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x87133548 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87133548 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x87133548 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_CREATE]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_CLOSE]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_READ]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_WRITE]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_POWER]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_PNP]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_CREATE]
Process: System Address: 0x873d19c0 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_CLOSE]
Process: System Address: 0x873d19c0 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d19c0 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873d19c0 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_POWER]
Process: System Address: 0x873d19c0 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873d19c0 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_PNP]
Process: System Address: 0x873d19c0 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x87039eb0 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x87039eb0 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87039eb0 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87039eb0 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x87039eb0 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x87039eb0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLOSE]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_WRITE]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_EA]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_EA]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLEANUP]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_POWER]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86fe8de0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x870d1448 Size: -

Object: Hidden Code [Driver: Npfs؅䵃慄؁ం扏济UNC, IRP_MJ_CREATE]
Process: System Address: 0x86ebcd28 Size: -

Object: Hidden Code [Driver: Npfs؅䵃慄؁ం扏济UNC, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x86ebcd28 Size: -

Object: Hidden Code [Driver: Npfs؅䵃慄؁ం扏济UNC, IRP_MJ_CLOSE]
Process: System Address: 0x86ebcd28 Size: -

Object: Hidden Code [Driver: Npfs؅䵃慄؁ం扏济UNC, IRP_MJ_READ]
Process: System Address: 0x86ebcd28 Size: -

Object: Hidden Code [Driver: Npfs؅䵃慄؁ం扏济UNC, IRP_MJ_WRITE]
Process: System Address: 0x86ebcd28 Size: -

Object: Hidden Code [Driver: Npfs؅䵃慄؁ం扏济UNC, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86ebcd28 Size: -

Object: Hidden Code [Driver: Npfs؅䵃慄؁ం扏济UNC, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86ebcd28 Size: -

Object: Hidden Code [Driver: Npfs؅䵃慄؁ం扏济UNC, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86ebcd28 Size: -

Object: Hidden Code [Driver: Npfs؅䵃慄؁ం扏济UNC, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86ebcd28 Size: -

Object: Hidden Code [Driver: Npfs؅䵃慄؁ం扏济UNC, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86ebcd28 Size: -

Object: Hidden Code [Driver: Npfs؅䵃慄؁ం扏济UNC, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86ebcd28 Size: -

Object: Hidden Code [Driver: Npfs؅䵃慄؁ం扏济UNC, IRP_MJ_CLEANUP]
Process: System Address: 0x86ebcd28 Size: -

Object: Hidden Code [Driver: Npfs؅䵃慄؁ం扏济UNC, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86ebcd28 Size: -

Object: Hidden Code [Driver: Npfs؅䵃慄؁ం扏济UNC, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86ebcd28 Size: -

Object: Hidden Code [Driver: Msfsࠅఇ扏济WinSta0_Desk, IRP_MJ_CREATE]
Process: System Address: 0x86fc6eb0 Size: -

Object: Hidden Code [Driver: Msfsࠅఇ扏济WinSta0_Desk, IRP_MJ_CLOSE]
Process: System Address: 0x86fc6eb0 Size: -

Object: Hidden Code [Driver: Msfsࠅఇ扏济WinSta0_Desk, IRP_MJ_READ]
Process: System Address: 0x86fc6eb0 Size: -

Object: Hidden Code [Driver: Msfsࠅఇ扏济WinSta0_Desk, IRP_MJ_WRITE]
Process: System Address: 0x86fc6eb0 Size: -

Object: Hidden Code [Driver: Msfsࠅఇ扏济WinSta0_Desk, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86fc6eb0 Size: -

Object: Hidden Code [Driver: Msfsࠅఇ扏济WinSta0_Desk, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86fc6eb0 Size: -

Object: Hidden Code [Driver: Msfsࠅఇ扏济WinSta0_Desk, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86fc6eb0 Size: -

Object: Hidden Code [Driver: Msfsࠅఇ扏济WinSta0_Desk, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86fc6eb0 Size: -

Object: Hidden Code [Driver: Msfsࠅఇ扏济WinSta0_Desk, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86fc6eb0 Size: -

Object: Hidden Code [Driver: Msfsࠅఇ扏济WinSta0_Desk, IRP_MJ_CLEANUP]
Process: System Address: 0x86fc6eb0 Size: -

Object: Hidden Code [Driver: Msfsࠅఇ扏济WinSta0_Desk, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x86fc6eb0 Size: -

Object: Hidden Code [Driver: Msfsࠅఇ扏济WinSta0_Desk, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86fc6eb0 Size: -

Object: Hidden Code [Driver: Msfsࠅఇ扏济WinSta0_Desk, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86fc6eb0 Size: -

Object: Hidden Code [Driver: Cdfsࠅఈ灐畳འ聖節, IRP_MJ_CREATE]
Process: System Address: 0x86f4c2a8 Size: -

Object: Hidden Code [Driver: Cdfsࠅఈ灐畳འ聖節, IRP_MJ_CLOSE]
Process: System Address: 0x86f4c2a8 Size: -

Object: Hidden Code [Driver: Cdfsࠅఈ灐畳འ聖節, IRP_MJ_READ]
Process: System Address: 0x86f4c2a8 Size: -

Object: Hidden Code [Driver: Cdfsࠅఈ灐畳འ聖節, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86f4c2a8 Size: -

Object: Hidden Code [Driver: Cdfsࠅఈ灐畳འ聖節, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86f4c2a8 Size: -

Object: Hidden Code [Driver: Cdfsࠅఈ灐畳འ聖節, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86f4c2a8 Size: -

Object: Hidden Code [Driver: Cdfsࠅఈ灐畳འ聖節, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86f4c2a8 Size: -

Object: Hidden Code [Driver: Cdfsࠅఈ灐畳འ聖節, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86f4c2a8 Size: -

Object: Hidden Code [Driver: Cdfsࠅఈ灐畳འ聖節, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86f4c2a8 Size: -

Object: Hidden Code [Driver: Cdfsࠅఈ灐畳འ聖節, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86f4c2a8 Size: -

Object: Hidden Code [Driver: Cdfsࠅఈ灐畳འ聖節, IRP_MJ_CLEANUP]
Process: System Address: 0x86f4c2a8 Size: -

Object: Hidden Code [Driver: Cdfsࠅఈ灐畳འ聖節, IRP_MJ_PNP]
Process: System Address: 0x86f4c2a8 Size: -

Hidden Services
-------------------
Service Name: TDSSserv.sys
Image Path: C:\WINDOWS\system32\drivers\TDSSrfdc.sys

#6 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:04:07 PM

Posted 26 May 2009 - 06:52 PM

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to renable you anti-virus and and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith

#7 Mike_West

Mike_West
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
    •  
  • Local time:02:07 PM

Posted 27 May 2009 - 12:20 AM

Hello, I ran SDFix as directed and here's the report:



SDFix: Version 1.240
Run by Administrator on Tue 05/26/2009 at 11:04 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
TDSSserv.sys

Path :
\systemroot\system32\drivers\TDSSrfdc.sys

TDSSserv.sys - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\drivers\TDSSrfdc.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-26 23:11:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:5a,df,82,b4,a5,21,63,8a,c6,d3,5d,dd,37,df,16,8e,7d,06,5a,a9,bd,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,09,0e,4c,16,d6,3c,45,6f,f9,54,2a,67,37,ac,30,9d,3f,..
"khjeh"=hex:e1,7f,d1,09,3d,03,7f,1e,4c,c6,a8,e7,95,30,72,9e,37,ec,43,97,ec,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:9c,60,96,2c,75,4e,11,ae,38,1e,41,84,e1,86,59,1d,36,2f,78,e9,ef,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:b9,5e,38,bf,1a,39,3c,90,43,c4,af,5b,6a,20,64,ff,f0,96,c2,ea,99,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:5a,df,82,b4,a5,21,63,8a,c6,d3,5d,dd,37,df,16,8e,7d,06,5a,a9,bd,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,09,0e,4c,16,d6,3c,45,6f,f9,54,2a,67,37,ac,30,9d,3f,..
"khjeh"=hex:e1,7f,d1,09,3d,03,7f,1e,4c,c6,a8,e7,95,30,72,9e,37,ec,43,97,ec,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:9c,60,96,2c,75,4e,11,ae,38,1e,41,84,e1,86,59,1d,36,2f,78,e9,ef,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:b9,5e,38,bf,1a,39,3c,90,43,c4,af,5b,6a,20,64,ff,f0,96,c2,ea,99,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:5a,df,82,b4,a5,21,63,8a,c6,d3,5d,dd,37,df,16,8e,7d,06,5a,a9,bd,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,09,0e,4c,16,d6,3c,45,6f,f9,54,2a,67,37,ac,30,9d,3f,..
"khjeh"=hex:e1,7f,d1,09,3d,03,7f,1e,4c,c6,a8,e7,95,30,72,9e,37,ec,43,97,ec,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:9c,60,96,2c,75,4e,11,ae,38,1e,41,84,e1,86,59,1d,36,2f,78,e9,ef,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:b9,5e,38,bf,1a,39,3c,90,43,c4,af,5b,6a,20,64,ff,f0,96,c2,ea,99,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000023
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{C67FB98D-BAC5-4BAE-8922-3800AB4E92F0}\Properties]
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxDAV\EncryptedDirectories]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:acc8b642
"s1"=dword:006aa215
"s2"=dword:98f4b4df
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:5a,df,82,b4,a5,21,63,8a,c6,d3,5d,dd,37,df,16,8e,7d,06,5a,a9,bd,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,09,0e,4c,16,d6,3c,45,6f,f9,54,2a,67,37,ac,30,9d,3f,..
"khjeh"=hex:e1,7f,d1,09,3d,03,7f,1e,4c,c6,a8,e7,95,30,72,9e,37,ec,43,97,ec,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:9c,60,96,2c,75,4e,11,ae,38,1e,41,84,e1,86,59,1d,36,2f,78,e9,ef,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:b9,5e,38,bf,1a,39,3c,90,43,c4,af,5b,6a,20,64,ff,f0,96,c2,ea,99,..
[HKEY_LOCAL_MACHINE\SYSTEM\controlset005\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000002
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset005\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset005\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000023
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset005\Control\Class\{4D36E969-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset005\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset005\Control\Class\{4D36E97B-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000004
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset005\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}\Properties]
"DeviceType"=dword:00000007
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset005\Control\Class\{C67FB98D-BAC5-4BAE-8922-3800AB4E92F0}\Properties]
"DeviceCharacteristics"=dword:00000100
[HKEY_LOCAL_MACHINE\SYSTEM\controlset005\Services\MRxDAV\EncryptedDirectories]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\controlset005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:5a,df,82,b4,a5,21,63,8a,c6,d3,5d,dd,37,df,16,8e,7d,06,5a,a9,bd,..

[HKEY_LOCAL_MACHINE\SYSTEM\controlset005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,09,0e,4c,16,d6,3c,45,6f,f9,54,2a,67,37,ac,30,9d,3f,..
"khjeh"=hex:e1,7f,d1,09,3d,03,7f,1e,4c,c6,a8,e7,95,30,72,9e,37,ec,43,97,ec,..

[HKEY_LOCAL_MACHINE\SYSTEM\controlset005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:9c,60,96,2c,75,4e,11,ae,38,1e,41,84,e1,86,59,1d,36,2f,78,e9,ef,..

[HKEY_LOCAL_MACHINE\SYSTEM\controlset005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:b9,5e,38,bf,1a,39,3c,90,43,c4,af,5b,6a,20,64,ff,f0,96,c2,ea,99,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Michael Pijoan\\Local Settings\\Temp\\Blizzard Launcher Temporary - 16078aa8\\Launcher.exe"="C:\\Documents and Settings\\Michael Pijoan\\Local Settings\\Temp\\Blizzard Launcher Temporary - 16078aa8\\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\\Documents and Settings\\Michael Pijoan\\Local Settings\\Temp\\Blizzard Launcher Temporary - 338e0fc0\\Launcher.exe"="C:\\Documents and Settings\\Michael Pijoan\\Local Settings\\Temp\\Blizzard Launcher Temporary - 338e0fc0\\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"="C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft Public Test\\Launcher.exe"="C:\\Program Files\\World of Warcraft Public Test\\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\\Program Files\\World of Warcraft Public Test\\WoW-0.1.0.9637-to-0.1.0.9658-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft Public Test\\WoW-0.1.0.9637-to-0.1.0.9658-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
"C:\\Program Files\\World of Warcraft\\Launcher.exe"="C:\\Program Files\\World of Warcraft\\Launcher.exe:*:Enabled:Blizzard Launcher"
"C:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"="C:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe:*:Enabled:Blizzard Downloader"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 28 Jun 2006 4,900,464 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"
Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"
Tue 20 Mar 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 24 Feb 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 24 May 2009 0 A..H. --- "C:\Documents and Settings\Michael Pijoan\Local Settings\Temp\g.exe"
Tue 27 Jan 2009 1,424,736 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8c6322a455d51e8a1346db4713089043\BITE.tmp"
Tue 27 Jan 2009 8,981,856 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9de5dbc7caed13f6a2349c5fdc61cdb6\BITC.tmp"
Tue 27 Jan 2009 7,256,928 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a2850ba2c561d0bfb4e8c8fd3f9bf263\BITD.tmp"
Tue 27 Jan 2009 242,743,296 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d346b7396358ac7bd3dcc0e62b35367d\BITB.tmp"

Finished!

#8 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:04:07 PM

Posted 27 May 2009 - 12:35 PM

Welcome back Mike,

Two things... first a standard warning. You have a rootkit on your computer:

IMPORTANT NOTE: One or more of the identified infections was related to a rootkit component. Rootkits and backdoor Trojan are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the rootkit was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

• "When should I re-format? How should I reinstall?"
• "Help: I Got Hacked. Now What Do I Do?"
• "Where to draw the line? When to recommend a format and reinstall?"

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful.

Let me know how you wish to proceed.

If you want to try and clean your computer, please run the following procedure.


Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial - Self Help guide can be found here if needed.: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Click OK
Scan your C Drive (Or your current system drive) and click OK. The scan will begin. This my take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith

#9 Mike_West

Mike_West
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
    •  
  • Local time:02:07 PM

Posted 27 May 2009 - 11:03 PM

Well, that makes sense, and I appreciate the warning. I will change some passwords for sure. I am going to be a getting a new PC soon and I would like to know: is there a safe way to transfer some documents (such as pictures, word documents and music) to the new computer without infecting it? Or should I consider all data on this computer irretrievably contaminated?


I did run root repeal again, and since I have no idea how to interpret the results I'm going to post them again here. This is after getting a clean scan with malwarebytes. Should it be shorter than this? Also...are the non-english characters a concern? Thank you.




ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/27 21:50
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: 00000066
Image Path: \Driver\00000066
Address: 0x00000000 Size: 0 File Visible: No
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAA727000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7CF8000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA97F0000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Pijoan\Local Settings\Temp\etilqs_Fgf4qyWL1dEka3Ik3Tfk
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\Michael Pijoan\Application Data\Mozilla\Firefox\Profiles\17gybas6.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf77ee87e

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf7691d48

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf76920c0

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xf7691ae2

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf769218a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf7692022

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf77eebfe

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x873d1450 Size: -

Object: Hidden Code [Driver: Udfs؅గ坓牤窈摐뤸粰台台, IRP_MJ_CREATE]
Process: System Address: 0x87038de0 Size: -

Object: Hidden Code [Driver: Udfs؅గ坓牤窈摐뤸粰台台, IRP_MJ_CLOSE]
Process: System Address: 0x87038de0 Size: -

Object: Hidden Code [Driver: Udfs؅గ坓牤窈摐뤸粰台台, IRP_MJ_READ]
Process: System Address: 0x87038de0 Size: -

Object: Hidden Code [Driver: Udfs؅గ坓牤窈摐뤸粰台台, IRP_MJ_WRITE]
Process: System Address: 0x87038de0 Size: -

Object: Hidden Code [Driver: Udfs؅గ坓牤窈摐뤸粰台台, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x87038de0 Size: -

Object: Hidden Code [Driver: Udfs؅గ坓牤窈摐뤸粰台台, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x87038de0 Size: -

Object: Hidden Code [Driver: Udfs؅గ坓牤窈摐뤸粰台台, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x87038de0 Size: -

Object: Hidden Code [Driver: Udfs؅గ坓牤窈摐뤸粰台台, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x87038de0 Size: -

Object: Hidden Code [Driver: Udfs؅గ坓牤窈摐뤸粰台台, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87038de0 Size: -

Object: Hidden Code [Driver: Udfs؅గ坓牤窈摐뤸粰台台, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x87038de0 Size: -

Object: Hidden Code [Driver: Udfs؅గ坓牤窈摐뤸粰台台, IRP_MJ_CLEANUP]
Process: System Address: 0x87038de0 Size: -

Object: Hidden Code [Driver: Udfs؅గ坓牤窈摐뤸粰台台, IRP_MJ_PNP]
Process: System Address: 0x87038de0 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_CREATE]
Process: System Address: 0x86e24eb0 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_CLOSE]
Process: System Address: 0x86e24eb0 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_READ]
Process: System Address: 0x86e24eb0 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_WRITE]
Process: System Address: 0x86e24eb0 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86e24eb0 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86e24eb0 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_QUERY_EA]
Process: System Address: 0x86e24eb0 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_SET_EA]
Process: System Address: 0x86e24eb0 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86e24eb0 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86e24eb0 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86e24eb0 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86e24eb0 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86e24eb0 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86e24eb0 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86e24eb0 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_CLEANUP]
Process: System Address: 0x86e24eb0 Size: -

Object: Hidden Code [Driver: meiudf, IRP_MJ_PNP]
Process: System Address: 0x86e24eb0 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CREATE]
Process: System Address: 0x87078eb0 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CLOSE]
Process: System Address: 0x87078eb0 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87078eb0 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87078eb0 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_POWER]
Process: System Address: 0x87078eb0 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87078eb0 Size: -

Object: Hidden Code [Driver: dtscsi, IRP_MJ_PNP]
Process: System Address: 0x87078eb0 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8712aaf0 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8712aaf0 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8712aaf0 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8712aaf0 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8712aaf0 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8712aaf0 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8712aaf0 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8712aaf0 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8712aaf0 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8712aaf0 Size: -

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8712aaf0 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_CREATE]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_CLOSE]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_READ]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_WRITE]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_POWER]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: Disk, IRP_MJ_PNP]
Process: System Address: 0x873d1708 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x873d1eb0 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x873d10e8 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_CREATE]
Process: System Address: 0x873d19c0 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_CLOSE]
Process: System Address: 0x873d19c0 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x873d19c0 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x873d19c0 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_POWER]
Process: System Address: 0x873d19c0 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x873d19c0 Size: -

Object: Hidden Code [Driver: KR10N, IRP_MJ_PNP]
Process: System Address: 0x873d19c0 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x871afbb8 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x871afbb8 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x871afbb8 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x871afbb8 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x871afbb8 Size: -

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x871afbb8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLOSE]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_WRITE]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_EA]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_EA]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLEANUP]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_POWER]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8731e7a8 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x87081af0 Size: -

Object: Hidden Code [Driver: Npfs؅扏煓؁ః扏济TermDD, IRP_MJ_CREATE]
Process: System Address: 0x87196d18 Size: -

Object: Hidden Code [Driver: Npfs؅扏煓؁ః扏济TermDD, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x87196d18 Size: -

Object: Hidden Code [Driver: Npfs؅扏煓؁ః扏济TermDD, IRP_MJ_CLOSE]
Process: System Address: 0x87196d18 Size: -

Object: Hidden Code [Driver: Npfs؅扏煓؁ః扏济TermDD, IRP_MJ_READ]
Process: System Address: 0x87196d18 Size: -

Object: Hidden Code [Driver: Npfs؅扏煓؁ః扏济TermDD, IRP_MJ_WRITE]
Process: System Address: 0x87196d18 Size: -

Object: Hidden Code [Driver: Npfs؅扏煓؁ః扏济TermDD, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x87196d18 Size: -

Object: Hidden Code [Driver: Npfs؅扏煓؁ః扏济TermDD, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x87196d18 Size: -

Object: Hidden Code [Driver: Npfs؅扏煓؁ః扏济TermDD, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x87196d18 Size: -

Object: Hidden Code [Driver: Npfs؅扏煓؁ః扏济TermDD, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x87196d18 Size: -

Object: Hidden Code [Driver: Npfs؅扏煓؁ః扏济TermDD, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x87196d18 Size: -

Object: Hidden Code [Driver: Npfs؅扏煓؁ః扏济TermDD, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x87196d18 Size: -

Object: Hidden Code [Driver: Npfs؅扏煓؁ః扏济TermDD, IRP_MJ_CLEANUP]
Process: System Address: 0x87196d18 Size: -

Object: Hidden Code [Driver: Npfs؅扏煓؁ః扏济TermDD, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x87196d18 Size: -

Object: Hidden Code [Driver: Npfs؅扏煓؁ః扏济TermDD, IRP_MJ_SET_SECURITY]
Process: System Address: 0x87196d18 Size: -

Object: Hidden Code [Driver: Msfs؅䵃؁ం䵃䥖鲠!錩؂క扏捓, IRP_MJ_CREATE]
Process: System Address: 0x86fe8450 Size: -

Object: Hidden Code [Driver: Msfs؅䵃؁ం䵃䥖鲠!錩؂క扏捓, IRP_MJ_CLOSE]
Process: System Address: 0x86fe8450 Size: -

Object: Hidden Code [Driver: Msfs؅䵃؁ం䵃䥖鲠!錩؂క扏捓, IRP_MJ_READ]
Process: System Address: 0x86fe8450 Size: -

Object: Hidden Code [Driver: Msfs؅䵃؁ం䵃䥖鲠!錩؂క扏捓, IRP_MJ_WRITE]
Process: System Address: 0x86fe8450 Size: -

Object: Hidden Code [Driver: Msfs؅䵃؁ం䵃䥖鲠!錩؂క扏捓, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86fe8450 Size: -

Object: Hidden Code [Driver: Msfs؅䵃؁ం䵃䥖鲠!錩؂క扏捓, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86fe8450 Size: -

Object: Hidden Code [Driver: Msfs؅䵃؁ం䵃䥖鲠!錩؂క扏捓, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86fe8450 Size: -

Object: Hidden Code [Driver: Msfs؅䵃؁ం䵃䥖鲠!錩؂క扏捓, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86fe8450 Size: -

Object: Hidden Code [Driver: Msfs؅䵃؁ం䵃䥖鲠!錩؂క扏捓, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86fe8450 Size: -

Object: Hidden Code [Driver: Msfs؅䵃؁ం䵃䥖鲠!錩؂క扏捓, IRP_MJ_CLEANUP]
Process: System Address: 0x86fe8450 Size: -

Object: Hidden Code [Driver: Msfs؅䵃؁ం䵃䥖鲠!錩؂క扏捓, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x86fe8450 Size: -

Object: Hidden Code [Driver: Msfs؅䵃؁ం䵃䥖鲠!錩؂క扏捓, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86fe8450 Size: -

Object: Hidden Code [Driver: Msfs؅䵃؁ం䵃䥖鲠!錩؂క扏捓, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86fe8450 Size: -

Object: Hidden Code [Driver: CdfsЅఋ浗灩, IRP_MJ_CREATE]
Process: System Address: 0x86e35eb0 Size: -

Object: Hidden Code [Driver: CdfsЅఋ浗灩, IRP_MJ_CLOSE]
Process: System Address: 0x86e35eb0 Size: -

Object: Hidden Code [Driver: CdfsЅఋ浗灩, IRP_MJ_READ]
Process: System Address: 0x86e35eb0 Size: -

Object: Hidden Code [Driver: CdfsЅఋ浗灩, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86e35eb0 Size: -

Object: Hidden Code [Driver: CdfsЅఋ浗灩, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86e35eb0 Size: -

Object: Hidden Code [Driver: CdfsЅఋ浗灩, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86e35eb0 Size: -

Object: Hidden Code [Driver: CdfsЅఋ浗灩, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86e35eb0 Size: -

Object: Hidden Code [Driver: CdfsЅఋ浗灩, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86e35eb0 Size: -

Object: Hidden Code [Driver: CdfsЅఋ浗灩, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86e35eb0 Size: -

Object: Hidden Code [Driver: CdfsЅఋ浗灩, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86e35eb0 Size: -

Object: Hidden Code [Driver: CdfsЅఋ浗灩, IRP_MJ_CLEANUP]
Process: System Address: 0x86e35eb0 Size: -

Object: Hidden Code [Driver: CdfsЅఋ浗灩, IRP_MJ_PNP]
Process: System Address: 0x86e35eb0 Size: -
Back to Am I infected? What do I do?


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Am I infected? What do I do?
  4. Privacy Policy
  5. Rules ·