DHCP client appears as asterisk and rootkitrevealer


12 replies to this topic

#1 Soulgain

Posted 03 June 2009 - 01:26 PM

Hello, lately I've been noticing a strange DHCP client listed as *, on my network. If I filter it, I can't connect to the internet. I know it's not my own modem due to the fact that the MAC addresses do not match whatsoever. Maybe it's something silly, but I just want to make sure. I'm running on a Linksys WRT54G.

Also, I ran rootkit revealer and found some locked registry keys and files. I'm not sure what to do with those.

Posted Image


Also, I have a driver called spgy.sys hooked to several SSDT entries. A Google search on spgy.sys brought completely irrelevant results.

Edited by Soulgain, 03 June 2009 - 01:29 PM.


#2 Supreme Edgeboy Max

Posted 03 June 2009 - 03:37 PM

Hi hi.
Let's see what Malwarebytes Anti-Malware can do about those registry files.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


#3 boopme

Posted 03 June 2009 - 03:49 PM

Can you post the RootkitRevealer log, also?
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#4 Soulgain

Posted 04 June 2009 - 12:04 PM

Malwarebytes' Anti-Malware 1.37
Database version: 2229
Windows 5.1.2600 Service Pack 3

6/4/2009 1:18:14 PM
mbam-log-2009-06-04 (13-18-14).txt

Scan type: Quick Scan
Objects scanned: 89631
Time elapsed: 2 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I can't provide a RootkitRevealer log, because every time I try to save the .txt it gives me a Windows error and closes.

#5 boopme

Posted 04 June 2009 - 02:23 PM

That's OK, let's do our own.

Please run RootRepeal - Rootkit Detector

Please download: RootRepeal.
Direct download link is here: RootRepeal.rar.
If you need a program to open a .RAR compressed file, download a trial version from here: WinRAR.

Extract the program file to a new folder such as C:\RootRepeal.
Run RootRepeal.exe and go to the REPORT tab and click the Scan button.
Select ALL of the checkboxes and then click OK and the scan will start.
If you have multiple drives you only need to check the C: drive or the drive which Windows is installed to.
When done, click on Save Report.
Save it to the same location where you ran it from above, such as C:\RootRepeal
Save it as your_name_rootrepeal.txt - where your_name is your forum name
This makes it easier to track who the log belongs to.
Now open that log and select all and copy/paste it back on your next reply please.
Quit the RootRepeal program.

#6 Soulgain

Posted 05 June 2009 - 10:58 AM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/05 12:49
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xABBDB000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA610000 Size: 8192 File Visible: No Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xBA671000 Size: 1664 File Visible: No Signed: -
Status: -

Name: PCI_PNP0608
Image Path: \Driver\PCI_PNP0608
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA959D000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sple.sys
Image Path: sple.sys
Address: 0xB9EA7000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\perflib_perfdata_100.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\cabal\local settings\temp\etilqs_ensilstzqfnhtf2yjzta
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: c:\documents and settings\cabal\local settings\temp\~df44c7.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\cabal\local settings\temp\~dfc0fb.tmp
Status: Allocation size mismatch (API: 229376, Raw: 180224)

Path: c:\documents and settings\cabal\local settings\temp\~dfdcdd.tmp
Status: Allocation size mismatch (API: 225280, Raw: 180224)

Path: C:\Documents and Settings\Cabal\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Cabal\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
Status: Locked to the Windows API!

Path: c:\documents and settings\cabal\local settings\application data\mozilla\firefox\profiles\cbiaqrzb.default\cache\d120ff96d01
Status: Size mismatch (API: 7077888, Raw: 6422528)

Path: C:\Documents and Settings\OneWingedAng\Local Settings\Application Data\Microsoft\Messenger\butipoopfromthere_notrightnowyoudont@hotmail.com\SharingMetadata\cachila2000@hotmail.com\DFSR\Staging\CS{F2F4E040-5FED-C662-DA5A-3C5A37F8D2FF}\01\11-{F2F4E040-5FED-C662-DA5A-3C5A37F8D2FF}-v1-{E35AC95B-76B0-4185-BC1D-49271A52586C}-v11-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\OneWingedAng\Local Settings\Application Data\Microsoft\Messenger\butipoopfromthere_notrightnowyoudont@hotmail.com\SharingMetadata\elshocker2@hotmail.com\DFSR\Staging\CS{D653CEF3-4ADE-92A8-743C-AFAAD10F5BF8}\01\12-{D653CEF3-4ADE-92A8-743C-AFAAD10F5BF8}-v1-{E35AC95B-76B0-4185-BC1D-49271A52586C}-v12-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\OneWingedAng\Local Settings\Application Data\Microsoft\Messenger\butipoopfromthere_notrightnowyoudont@hotmail.com\SharingMetadata\elshocker2@hotmail.com\DFSR\Staging\CS{D653CEF3-4ADE-92A8-743C-AFAAD10F5BF8}\11\11-{C5FBB2AF-F557-4561-9DAF-185A8160FA9F}-v11-{C5FBB2AF-F557-4561-9DAF-185A8160FA9F}-v11-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\OneWingedAng\Local Settings\Application Data\Microsoft\Messenger\butipoopfromthere_notrightnowyoudont@hotmail.com\SharingMetadata\kuraiseiza@hotmail.com\DFSR\Staging\CS{1D451E13-4D9D-0ABA-B163-1FFB6A89C912}\01\10-{1D451E13-4D9D-0ABA-B163-1FFB6A89C912}-v1-{E35AC95B-76B0-4185-BC1D-49271A52586C}-v10-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Program Files\Java\jdk1.6.0_10\sample\jmx\jmx-scandir\src\com\sun\jmx\examples\scandir\config\DirectoryScannerConfig.java:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Program Files\Java\jdk1.6.0_10\sample\jmx\jmx-scandir\src\com\sun\jmx\examples\scandir\config\DirectoryScannerConfig.java:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Program Files\Java\jdk1.6.0_10\sample\jmx\jmx-scandir\src\com\sun\jmx\examples\scandir\config\DirectoryScannerConfig.java:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Program Files\Java\jdk1.6.0_10\sample\jmx\jmx-scandir\src\com\sun\jmx\examples\scandir\config\DirectoryScannerConfig.java:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "sple.sys" at address 0xb9ea80e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sple.sys" at address 0xb9ec6ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sple.sys" at address 0xb9ec7030

#: 119 Function Name: NtOpenKey
Status: Hooked by "sple.sys" at address 0xb9ea80c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "sple.sys" at address 0xb9ec7108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sple.sys" at address 0xb9ec6f88

#: 247 Function Name: NtSetValueKey
Status: Hooked by "sple.sys" at address 0xb9ec719a

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a9621f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x8a26c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x8a26c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x8a26c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x8a26c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a26c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a26c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a26c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x8a26c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a26c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a26c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a26c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a26c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a26c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a26c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a26c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a26c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x8a26c500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x8a26c500 Size: 121

Object: Hidden Code [Driver: a9q0v9mkЅః灐畳HidUsb, IRP_MJ_CREATE]
Process: System Address: 0x8a7dc500 Size: 121

Object: Hidden Code [Driver: a9q0v9mkЅః灐畳HidUsb, IRP_MJ_CLOSE]
Process: System Address: 0x8a7dc500 Size: 121

Object: Hidden Code [Driver: a9q0v9mkЅః灐畳HidUsb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7dc500 Size: 121

Object: Hidden Code [Driver: a9q0v9mkЅః灐畳HidUsb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a7dc500 Size: 121

Object: Hidden Code [Driver: a9q0v9mkЅః灐畳HidUsb, IRP_MJ_POWER]
Process: System Address: 0x8a7dc500 Size: 121

Object: Hidden Code [Driver: a9q0v9mkЅః灐畳HidUsb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a7dc500 Size: 121

Object: Hidden Code [Driver: a9q0v9mkЅః灐畳HidUsb, IRP_MJ_PNP]
Process: System Address: 0x8a7dc500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a7d7500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a7d7500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a7d7500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a7d7500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a7d7500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7d7500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a7d7500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a7d7500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a7d7500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a7d7500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a7d7500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x8a7cb500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x8a7cb500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7cb500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a7cb500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x8a7cb500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a7cb500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x8a7cb500 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8a9641f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8a9641f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8a9641f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a9641f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a9641f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a9641f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a9641f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8a9641f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8a9641f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a9641f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8a9641f8 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_CREATE]
Process: System Address: 0x8a9631f8 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_CLOSE]
Process: System Address: 0x8a9631f8 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a9631f8 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a9631f8 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_POWER]
Process: System Address: 0x8a9631f8 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a9631f8 Size: 121

Object: Hidden Code [Driver: nvgts, IRP_MJ_PNP]
Process: System Address: 0x8a9631f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x89f4a1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x89f4a1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89f4a1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89f4a1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x89f4a1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x89f4a1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a7cc500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a7cc500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a7cc500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a7cc500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a7cc500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a7cc500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a7cc500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x89f2e1f8 Size: 121

Object: Hidden Code [Driver: CdfsЅః扏济ApiPortကЃఈ潉济, IRP_MJ_CREATE]
Process: System Address: 0x8a773408 Size: 121

Object: Hidden Code [Driver: CdfsЅః扏济ApiPortကЃఈ潉济, IRP_MJ_CLOSE]
Process: System Address: 0x8a773408 Size: 121

Object: Hidden Code [Driver: CdfsЅః扏济ApiPortကЃఈ潉济, IRP_MJ_READ]
Process: System Address: 0x8a773408 Size: 121

Object: Hidden Code [Driver: CdfsЅః扏济ApiPortကЃఈ潉济, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a773408 Size: 121

Object: Hidden Code [Driver: CdfsЅః扏济ApiPortကЃఈ潉济, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a773408 Size: 121

Object: Hidden Code [Driver: CdfsЅః扏济ApiPortကЃఈ潉济, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a773408 Size: 121

Object: Hidden Code [Driver: CdfsЅః扏济ApiPortကЃఈ潉济, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a773408 Size: 121

Object: Hidden Code [Driver: CdfsЅః扏济ApiPortကЃఈ潉济, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a773408 Size: 121

Object: Hidden Code [Driver: CdfsЅః扏济ApiPortကЃఈ潉济, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a773408 Size: 121

Object: Hidden Code [Driver: CdfsЅః扏济ApiPortကЃఈ潉济, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a773408 Size: 121

Object: Hidden Code [Driver: CdfsЅః扏济ApiPortကЃఈ潉济, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a773408 Size: 121

Object: Hidden Code [Driver: CdfsЅః扏济ApiPortကЃఈ潉济, IRP_MJ_CLEANUP]
Process: System Address: 0x8a773408 Size: 121

Object: Hidden Code [Driver: CdfsЅః扏济ApiPortကЃఈ潉济, IRP_MJ_PNP]
Process: System Address: 0x8a773408 Size: 121

Hidden Services
-------------------
Service Name: 󤝾鉻D001
Image Path: C:\Documents and Settings\OneWingedAng\My Documents\VE5 1032\nvid999.sys

Service Name: eep檘de1
Image Path: C:\Documents and Settings\OneWingedAng\My Documents\VE5 1032\nvid999.sys

==EOF==

#7 boopme

Posted 05 June 2009 - 03:48 PM

Now the next step...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:

C:\Program Files\Java\jdk1.6.0_10\sample\jmx\jmx-scandir\src\com\sun\jmx\examples\scandir\config\DirectoryScannerConfig.java:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

There may be 4 of them.


Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.


NEXT, rerun MBAM like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick Scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Edited by boopme, 05 June 2009 - 03:49 PM.


#8 Soulgain

Posted 05 June 2009 - 05:25 PM

Malwarebytes' Anti-Malware 1.37
Database version: 2234
Windows 5.1.2600 Service Pack 3

6/5/2009 7:11:26 PM
mbam-log-2009-06-05 (19-11-26).txt

Scan type: Quick Scan
Objects scanned: 89135
Time elapsed: 4 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



I couldn't wipe those files. Every time I tried, it'd tell me that they didn't exist on the local disk.

#9 boopme

Posted 05 June 2009 - 07:37 PM

Before posting, please note that RKR 1.71 now scans the HKLM\Security security hive. As a consequence it finds keys with trailing nulls such as

HKLM\Security\Policy\Secrets\SAC*
HKLM\Security\Policy\Secrets\SAI*

This is normal behaviour and need not be cause for alarm.


Let's just double-check the others with GMER.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

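As an added illustration of the point boopme makes about trailing nulls, here is a constructed Python simulation of the cross-view comparison that RootkitRevealer performs (example code, not RootkitRevealer's own). The hive contents, the `HKLM\SOFTWARE\Example` key and every function name are assumptions; the SAC/SAI entries and the `*` display convention come from the thread.

```python
"""Cross-view registry check, the technique RootkitRevealer applies to the
Security hive (constructed simulation, not RootkitRevealer's code).

Kernel APIs such as NtOpenKey and NtEnumerateKey take key names as counted
UNICODE_STRINGs, so a name may legitimately carry an embedded or trailing NUL.
Win32 APIs such as RegOpenKeyEx and RegEnumKeyEx treat names as NUL-terminated
strings, so they cut the name at the first NUL and then fail to open it.
RKR lists every key reachable through the raw view but not the Win32 view;
the LSA secrets SAC and SAI are stored that way by design, which is why the
post above says they are normal.
"""

# Constructed model of a raw hive: parent path -> child key names exactly as
# stored (counted strings, so NUL characters are allowed).
RAW_HIVE = {
    r"HKLM\Security\Policy\Secrets": ["SAC\x00", "SAI\x00", "$MACHINE.ACC"],
    r"HKLM\SOFTWARE\Example": ["Normal", "Hidden\x00Key"],   # constructed key
}

# Discrepancies documented as benign by the RKR 1.71 note quoted in the post.
KNOWN_BENIGN = {
    r"HKLM\Security\Policy\Secrets\SAC*",
    r"HKLM\Security\Policy\Secrets\SAI*",
}


def native_enumerate(hive, parent):
    """Kernel-style view: names come back with their full counted length."""
    return list(hive.get(parent, []))


def win32_name(name):
    """What a NUL-terminated API sees of a counted name: everything before the first NUL."""
    nul = name.find("\x00")
    return name if nul < 0 else name[:nul]


def win32_enumerate(hive, parent):
    """Win32-style view: enumeration returns the truncated names."""
    return [win32_name(n) for n in native_enumerate(hive, parent)]


def win32_open(hive, parent, name):
    """Win32-style open: succeeds only if a child is stored under exactly that name."""
    return name in hive.get(parent, [])


def cross_view_scan(hive):
    """Compare both views of every key and report those Win32 cannot reach.

    Returns (path, description) tuples. The trailing '*' stands in for the
    NUL, which is how the key appears in the RootkitRevealer output quoted above.
    """
    findings = []
    for parent in hive:
        native = native_enumerate(hive, parent)
        win32 = win32_enumerate(hive, parent)
        for raw_name, seen_name in zip(native, win32):
            if raw_name != seen_name and not win32_open(hive, parent, seen_name):
                findings.append((f"{parent}\\{seen_name}*",
                                 "Key name contains embedded nulls"))
    return findings


def triage(findings):
    """Separate the documented LSA-secret discrepancies from anything that needs a look."""
    return [(path, "benign: LSA secret stored with trailing null" if path in KNOWN_BENIGN
             else "review: unexpected key hidden from Win32 view")
            for path, _ in findings]


if __name__ == "__main__":
    for path, verdict in triage(cross_view_scan(RAW_HIVE)):
        print(f"{path:<45} {verdict}")
```

The scan itself cannot tell a benign discrepancy from a malicious one; that is what the allowlist in `triage` is for, and anything outside it is simply "review", not "infected".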
#10 Soulgain

Soulgain
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:50 AM

Posted 06 June 2009 - 12:07 PM

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-06 14:03:28
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT spjx.sys ZwCreateKey [0xB9EA80E0]
SSDT spjx.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spjx.sys ZwEnumerateValueKey [0xB9EC7030]
SSDT spjx.sys ZwOpenKey [0xB9EA80C0]
SSDT spjx.sys ZwQueryKey [0xB9EC7108]
SSDT spjx.sys ZwQueryValueKey [0xB9EC6F88]
SSDT spjx.sys ZwSetValueKey [0xB9EC719A]

INT 0x62 ? 8A9D0BF8
INT 0x73 ? 8A9D2BF8
INT 0x73 ? 8A7EEBF8
INT 0x73 ? 8A9D2BF8
INT 0x83 ? 8A9D2BF8
INT 0x83 ? 8A7EEBF8
INT 0x83 ? 8A9D2BF8

---- Kernel code sections - GMER 1.0.15 ----

? spjx.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B9C4D8AC 5 Bytes JMP 8A7EE1D8
.text acul9zph.SYS B903C386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text acul9zph.SYS B903C3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text acul9zph.SYS B903C3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text acul9zph.SYS B903C3C9 1 Byte [2E]
.text acul9zph.SYS B903C3C9 11 Bytes [2E, 00, 00, 00, 5C, 02, 00, ...] {ADD CS:[EAX], AL; ADD [EDX+EAX+0x0], BL; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\FreeMem Standard\freemem.exe[684] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10005AF0 C:\Program Files\Ray Adams\ATI Tray Tools\raphook.dll
.text C:\Documents and Settings\Cabal\Desktop\3s6w5d4n.exe[1424] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 10005AF0 C:\Program Files\Ray Adams\ATI Tray Tools\raphook.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spjx.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA913C] spjx.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA90BE] spjx.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA97FC] spjx.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA96D2] spjx.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB9048] spjx.sys
IAT \SystemRoot\System32\Drivers\acul9zph.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\acul9zph.SYS[HAL.dll!READ_PORT_UCHAR] 8D3F0304
IAT \SystemRoot\System32\Drivers\acul9zph.SYS[HAL.dll!KeGetCurrentIrql] CB033043
IAT \SystemRoot\System32\Drivers\acul9zph.SYS[HAL.dll!KfRaiseIrql] 0673C13B
IAT \SystemRoot\System32\Drivers\acul9zph.SYS[HAL.dll!KfLowerIrql] C13B0003
IAT \SystemRoot\System32\Drivers\acul9zph.SYS[HAL.dll!HalGetInterruptVector] 8366FA72
IAT \SystemRoot\System32\Drivers\acul9zph.SYS[HAL.dll!HalTranslateBusAddress] 75000E7B
IAT \SystemRoot\System32\Drivers\acul9zph.SYS[HAL.dll!KeStallExecutionProcessor] 0B7D80E3
IAT \SystemRoot\System32\Drivers\acul9zph.SYS[HAL.dll!KfReleaseSpinLock] 307B8D00
IAT \SystemRoot\System32\Drivers\acul9zph.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00AA840F
IAT \SystemRoot\System32\Drivers\acul9zph.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\acul9zph.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 6A000E7A
IAT \SystemRoot\System32\Drivers\acul9zph.SYS[HAL.dll!WRITE_PORT_UCHAR] C6647400
IAT \SystemRoot\System32\Drivers\acul9zph.SYS[WMILIB.SYS!WmiSystemControl] 4F8B0200
IAT \SystemRoot\System32\Drivers\acul9zph.SYS[WMILIB.SYS!WmiCompleteRequest] 968D5140

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A9621F8
Device \FileSystem\Fastfat \FatCdrom 8A2851F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{E6EA7144-6C81-4738-BCB7-F25E3DC62E32} 89F541F8
Device \Driver\usbohci \Device\USBPDO-0 8A7CA500
Device \Driver\usbehci \Device\USBPDO-1 8A7CB500
Device \Driver\PCI_PNP9520 \Device\00000063 spjx.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A9641F8
Device \Driver\Cdrom \Device\CdRom0 8A7D8500
Device \Driver\Cdrom \Device\CdRom1 8A7D8500
Device \Driver\Cdrom \Device\CdRom2 8A7D8500
Device \Driver\Cdrom \Device\CdRom3 8A7D8500
Device \Driver\NetBT \Device\NetBt_Wins_Export 89F541F8
Device \Driver\NetBT \Device\NetbiosSmb 89F541F8
Device \Driver\usbohci \Device\USBFDO-0 8A7CA500
Device \Driver\usbehci \Device\USBFDO-1 8A7CB500
Device \Driver\sptd \Device\4271374520 spjx.sys
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89F3C1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89F3C1F8
Device \Driver\Ftdisk \Device\FtControl 8A9641F8
Device \Driver\nvgts \Device\Scsi\nvgts2Port3Path1Target1Lun0 8A9631F8
Device \Driver\acul9zph \Device\Scsi\acul9zph1Port5Path0Target0Lun0 8A6C5500
Device \Driver\nvgts \Device\Scsi\nvgts1 8A9631F8
Device \Driver\nvgts \Device\Scsi\nvgts2 8A9631F8
Device \Driver\acul9zph \Device\Scsi\acul9zph1 8A6C5500
Device \FileSystem\Fastfat \Fat 8A2851F8
Device \FileSystem\Cdfs \Cdfs 8A7411F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4D 0xE8 0x9C 0x5D ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF8 0xB7 0xE6 0x26 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x64 0x62 0x02 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x7C 0x16 0xE8 0x9C ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0x7A 0x83 0xDF 0x58 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4D 0xE8 0x9C 0x5D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF8 0xB7 0xE6 0x26 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x64 0x62 0x02 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x7C 0x16 0xE8 0x9C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0x7A 0x83 0xDF 0x58 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4D 0xE8 0x9C 0x5D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF8 0xB7 0xE6 0x26 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x64 0x62 0x02 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x7C 0x16 0xE8 0x9C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0x7A 0x83 0xDF 0x58 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4D 0xE8 0x9C 0x5D ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF8 0xB7 0xE6 0x26 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x64 0x62 0x02 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x7C 0x16 0xE8 0x9C ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0x7A 0x83 0xDF 0x58 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4D 0xE8 0x9C 0x5D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF8 0xB7 0xE6 0x26 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x64 0x62 0x02 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x7C 0x16 0xE8 0x9C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0x7A 0x83 0xDF 0x58 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x09 0xCB 0x3F 0x6B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF2 0x43 0x15 0x52 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xE3 0xBB 0x06 0x69 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4D 0xE8 0x9C 0x5D ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF8 0xB7 0xE6 0x26 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x64 0x62 0x02 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x7C 0x16 0xE8 0x9C ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg42@ujdew 0x7A 0x83 0xDF 0x58 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x09 0xCB 0x3F 0x6B ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF2 0x43 0x15 0x52 ...
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xE3 0xBB 0x06 0x69 ...

---- EOF - GMER 1.0.15 ----

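To show how a log like the one above is triaged, here is an added Python helper (not GMER's code) that parses an excerpt of the log from this post and correlates the SSDT/IAT hooks, device objects and sptd registry entries it lists. Everything except the quoted log lines is constructed, including the function and regex names. That SPTD is the disc-emulation driver shipped with Alcohol 120% and DAEMON Tools is general knowledge rather than something the log proves, which is why the helper reports "attributed", not "clean".

```python
"""Triage helper for a GMER log (added example, not GMER's code).

GMER reports SSDT and IAT hooks by the module that owns the hook address,
device objects by the driver that handles them, and registry keys it finds
hidden. Triage means correlating those sections: a module that hooks
registry syscalls is far less alarming when the same module handles a named
driver's device objects and that driver's service key points at an installed
product. SPTD (Alcohol 120%, DAEMON Tools) loads under a random sp??.sys
name and produces exactly this pattern.
"""
import re
from collections import defaultdict

# Excerpt of the log posted above; the only non-constructed input here.
SAMPLE_LOG = r"""---- System - GMER 1.0.15 ----
SSDT spjx.sys ZwCreateKey [0xB9EA80E0]
SSDT spjx.sys ZwOpenKey [0xB9EA80C0]
SSDT spjx.sys ZwQueryValueKey [0xB9EC6F88]

---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spjx.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB9048] spjx.sys
IAT \SystemRoot\System32\Drivers\acul9zph.SYS[HAL.dll!KfAcquireSpinLock] 4B8BDF8B

---- Devices - GMER 1.0.15 ----
Device \Driver\PCI_PNP9520 \Device\00000063 spjx.sys
Device \Driver\sptd \Device\4271374520 spjx.sys
Device \FileSystem\Ntfs \Ntfs 8A9621F8

---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\w+)\s+\[")
# Only IAT lines GMER could attribute to a module carry the "[addr] module" tail.
IAT_RE = re.compile(r"^IAT\s+(\S+?)\[(\S+?)\]\s+\[[0-9A-Fa-f]+\]\s+(\S+)$")
DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(\S+)$")
REG_P0_RE = re.compile(r"^Reg\s+(\S+)@p0\s+(.+)$")   # @p0 holds the product's install path


def parse_gmer_log(text):
    """Split a GMER log into its sections and index each by owning module."""
    report = {
        "ssdt": defaultdict(list),       # module -> hooked syscalls
        "iat": defaultdict(list),        # module -> (victim driver, import)
        "iat_unattributed": [],          # IAT entries GMER could not map to a module
        "devices": defaultdict(list),    # handler module -> (driver object, device object)
        "reg_p0": {},                    # service config key -> product path
    }
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section == "System" and (m := SSDT_RE.match(line)):
            report["ssdt"][m.group(1)].append(m.group(2))
        elif section == "Kernel IAT/EAT" and line.startswith("IAT "):
            if m := IAT_RE.match(line):
                report["iat"][m.group(3)].append((m.group(1), m.group(2)))
            else:
                report["iat_unattributed"].append(line)
        elif section == "Devices" and (m := DEVICE_RE.match(line)):
            driver_obj, device, handler = m.groups()
            report["devices"][handler].append((driver_obj, device))
        elif section == "Registry" and (m := REG_P0_RE.match(line)):
            report["reg_p0"][m.group(1)] = m.group(2)
    return report


def triage_hooks(report):
    """For each SSDT-hooking module, collect the evidence tying it to a product."""
    verdicts = {}
    for module, syscalls in report["ssdt"].items():
        driver_objects = sorted({drv for drv, _ in report["devices"].get(module, [])})
        # \Driver\sptd -> service name "sptd", whose key lives under ...\Services\sptd\
        services = {d.rsplit("\\", 1)[-1].lower() for d in driver_objects}
        products = sorted(
            path for key, path in report["reg_p0"].items()
            if any(f"\\services\\{s}\\" in key.lower() for s in services)
        )
        verdicts[module] = {
            "ssdt_hooks": len(syscalls),
            "iat_hooks": len(report["iat"].get(module, [])),
            "driver_objects": driver_objects,
            "installed_products": products,
            # True = the hooks trace to a named service with an installed product
            # behind it; that narrows the question, it does not settle it.
            "attributed": bool(products),
        }
    return verdicts


if __name__ == "__main__":
    for module, verdict in triage_hooks(parse_gmer_log(SAMPLE_LOG)).items():
        print(module, verdict)
```

Run against the excerpt, the helper ties `spjx.sys` to `\Driver\sptd` and to the Alcohol 120% and DAEMON Tools install paths, which is the same correlation a helper makes by eye before declaring a log "looks good"; the unattributed `acul9zph.SYS` IAT lines are kept aside rather than silently dropped, since they are the entries the parser cannot explain.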
#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:06:50 AM

Posted 06 June 2009 - 09:20 PM

Hi, this looks good now. Any more indications or symptoms of infection?

#12 Soulgain

Soulgain
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:07:50 AM

Posted 06 June 2009 - 09:43 PM

Nothing so far. Just wanted to make sure whether those entries I was getting were dangerous or not. Thanks for the help.

#13 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:06:50 AM

Posted 06 June 2009 - 09:53 PM

Ok, all looks good there.
