TrojanHorseGeneric13ATPH [Moved]


This topic is locked
19 replies to this topic

#1 SpiderGat

Posted 09 July 2009 - 01:45 PM

Hello there!

In my recent ventures in cyberspace in the incredibly unsafe lands of ThePirateBay sites and the like, I have acquired a trojan. The only one that AVG picks up is 13ATPH but I know I have another one somewhere. It told me what it was, but the window closed before I could write it down. A short name with a K in it. I know that doesn't help, but at least I know it's there. I've scanned with AVG and it brings up the infections but cannot remove all of them. Also it does not bring up the infection that I know is in there somewhere.

I was searching through the forums in case someone else had my problem and so that I wouldn't have to bother the admins or the help professionals, but then I remembered that everyone's infection is unique and that I'd like to keep my system from dying by my hands >.<

I have HijackThis, MBAM, ComboFix already installed on my computer. But I will need instruction, or a link to instructions, on which to run and when to run it, like in the other posts I've read. I will follow all directions to a T and will not deviate unless told to do so. I've bookmarked this page and will be checking about every 10 minutes since the computer that is infected is important to me. I've disconnected the infected computer from the rest of the network just in case it was the type of infection that creeps.

When I try to run programs like MBAM or any other virus scanner the process starts but the program does not. The hourglass comes up for about 4 seconds and then disappears. I can press Ctrl-Alt-Delete and see it there, but the program is non-functioning. Tried renaming them and still no luck.

I eagerly await a reply! Thanks in advance for any help you have to offer!

George

Edited by SpiderGat, 09 July 2009 - 01:49 PM.



#2 Orange Blossom (Moderator)

Posted 09 July 2009 - 09:43 PM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom


#3 SpiderGat (Topic Starter)

Posted 09 July 2009 - 09:53 PM

Well, I wasn't posting the log because that computer gets internet through the other computers in my network, which have sensitive information. I didn't know if it was OK for it to be connected to the internet.
I read the BEFORE YOU POST thing but I was unclear about the spreadability of this trojan.

Sorry for the trouble.

Spider

#4 SpiderGat (Topic Starter)

Posted 10 July 2009 - 12:38 AM

OK, well, now that I am here, will I be receiving help? I didn't follow the directions for posting the lists because I am not confident in my abilities and needed reassurance. And now I feel like I'm being penalized for waiting for instructions. Had someone posted "Hey, why haven't you done this?", I would have explained as I am now, and maybe someone would have started me on my journey to infection-free living.

I'm not trying to yell at the devs or anything malicious like that, I would just like help with my problem. I know I'm no more important than the others here searching for answers; however, I do feel that I am no less important just because I didn't post a log. The problem I have is very real and very there, and this is why I didn't post in the Am I infected? section in the first place. I am just seeking guidance. Any help now would be greatly appreciated, but I don't know if this area is read more or less than the other one and I have deadlines coming up soon.
I know I shouldn't have been randomly skipping about the web in the first place if I didn't want to get something like this, but I was on a free image (.jpg type of image) hosting site made by the people who made ThePirateBay. I learned my lesson but I still need help! I'm tempted to follow the directions now and post the list even though I haven't been instructed to, but I feel I might be penalized further. And also, if I try to download anything on that computer it crashes, so I'll have to transfer all files via thumb drive.

Thanks in advance for any help.
George

#5 garmanma (Staff Emeritus)

Posted 10 July 2009 - 05:03 PM

Please read the PM I sent

If you have access to a non-infected computer, you can burn this tool to a CD or download to a flash drive


SAS may take a long time to scan.
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#6 SpiderGat (Topic Starter)

Posted 10 July 2009 - 05:52 PM

Scans in progress :thumbsup:
Will post logs as soon as they are complete.

ETA ~1-2 Hours

#7 SpiderGat (Topic Starter)

Posted 10 July 2009 - 06:30 PM

Completed scan with MBAM. Results below. Tried to install SAS and it came up with "SuperAntiSpyware has encountered a problem and needs to close. Sorry for the inconv..." MBAM results are weird as no threats were detected. However, something interesting: I use a program to build maps for Call of Duty 4, and the program used to compile the levels refuses to respond anymore as well. Malevolentness?

Malwarebytes' Anti-Malware 1.31
Database version: 1604
Windows 5.1.2600 Service Pack 3

7/10/2009 6:23:11 PM
mbam-log-2009-07-10 (18-23-11).txt

Scan type: Full Scan (C:\|X:\|)
Objects scanned: 402756
Time elapsed: 33 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Do you want a DDS report? I am going to try downloading SAS again and installing once more.

Downloaded a fresh copy of SAS. Tried installing again on my computer. Same error. Tried installing the fresh copy on this computer (clean); it started up immediately.

Edited by SpiderGat, 10 July 2009 - 06:35 PM.


#8 SpiderGat (Topic Starter)

Posted 10 July 2009 - 06:48 PM

Also just looked back over my AVG scans from yesterday when the infection first happened.

First scan:
C:\Documents and Settings\MyUserName\Application Data\pridl\pridl.exe (AVG said this was a Trojan Horse Downloader Generic 8.AZ8V. It is supposedly in my AVG virus vault.)

Second scan ~10 minutes later:

It found 3 locked files and said they were "not tested"

also

Globalroot\systemroot\system32\UACdwaxcteiciqgopmwb.dll

C:\Windows\Explorer.exe (432)
C:\Windows\system32\svchost.exe (1580)
C:\Windows\system32\svchost.exe (3784)

All of these were of the THG13ATPH kind.

Edited by SpiderGat, 10 July 2009 - 06:48 PM.


#9 garmanma (Staff Emeritus)

Posted 10 July 2009 - 07:29 PM

Do not post the DDS log here

Globalroot\systemroot\system32\UACdwaxcteiciqgopmwb.dll
Does not look promising but let's try one more thing


Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Mark

#10 SpiderGat (Topic Starter)

Posted 10 July 2009 - 09:48 PM

Virus scan not done yet. Preliminary quick scan found an object which it deleted. I wrote it down in the other room. Something with net.net and click. I started the complete scan and hit Yes to All once it came up; however, it appears to have stalled on a file. I'm not touching it but was just looking for reassurance as to whether or not it is usual for a full scan to pause on a file. The file is from a game I play and does not look malevolent. Also, before it appeared to have stalled, it said ComboFix.exe was infected and proceeded to quarantine it. This is just an update with the question about stalling. I will post the log as soon as it finishes. If it ever does. In the event it stalls completely please tell me what I should do! Thanks so much for all the help!

George


EDIT: The file it is stuck on is the installer for a Battlefield 2 realism mod. The file is a .exe and is about 4 gigs in size. Is the scanner checking the entire thing?

Edit Edit: The scanner has moved on. Will post when scan is complete.

Edited by SpiderGat, 10 July 2009 - 10:14 PM.


#11 SpiderGat (Topic Starter)

Posted 11 July 2009 - 11:48 AM

Scan finished with Dr.Web. Could not restart because some of the infected objects were neither cured nor able to be moved. I saved the report and left the program running and am awaiting further instructions. Dr.Web found 14 infections.

DrWeb Log
ship_wall_stain3;C:\Documents and Settings\George N. Cahill IV\Desktop\MODS-UPDATES\COD4 mods\cod4mw_modtools_v1\raw\material_properties;Modification of Win95.Kamikaze.1543;Moved.;
ship_wall_stain3;C:\Documents and Settings\George N. Cahill IV\Desktop\MODS-UPDATES\COD4 mods\mod tools\raw\material_properties;Modification of Win95.Kamikaze.1543;Moved.;
ship_wall_stain3;C:\Drive I\Copy of Activision\Call of Duty 4 - Modern Warfare\raw\material_properties;Modification of Win95.Kamikaze.1543;Moved.;
Combofix.exe;C:\Documents and Settings\George N. Cahill IV\Desktop;Container contains infected objects;Moved.;
VirtumundoBeGone.exe;C:\Documents and Settings\George N. Cahill IV\Desktop\HEALTHCARE\bleep ASS;Archive contains infected objects;Moved.;
UACdwaxcteiciqgopmwb.dll;C:\WINDOWS\system32;Trojan.Packed.365;;
VirtumundoBeGone.exe\data005;C:\Documents and Settings\George N. Cahill IV\Desktop\HEALTHCARE\bleep ASS\VirtumundoBeGone.exe;Tool.Prockill;;
Combofix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\George N. Cahill IV\Desktop\Combofix.exe/data002;Program.PsExec.171;;

bucksnet.tmp;C:\Documents and Settings\George N. Cahill IV\Local Settings\Temp;Trojan.DownLoader.50219;Deleted.;
maccsnet.tmp;C:\Documents and Settings\George N. Cahill IV\Local Settings\Temp;Trojan.DownLoad.40014;Deleted.;
net.net;c:\windows\system32;Trojan.Click.25308;Deleted.;
nemsorawcx.tmp;C:\Documents and Settings\George N. Cahill IV\Local Settings\Temp;Trojan.Click.25308;Deleted.;
prun.tmp;C:\Documents and Settings\George N. Cahill IV\Local Settings\Temp;Trojan.Click.25308;Deleted.;
UACirvonfonlgexxqlrn.dll;C:\WINDOWS\system32;BackDoor.Tdss.49;Deleted.;
hjgruiunbboltl.dll;C:\WINDOWS\system32;BackDoor.Tdss.265;Deleted.;
UAChxsrcjnpyvyogdamr.dll;C:\WINDOWS\system32;BackDoor.Tdss.105;Deleted.;
data002;C:\Documents and Settings\George N. Cahill IV\Desktop;Archive contains infected objects;;


The bolded ones are the ones that could not be cured or deleted. Sorry about the format for some reason this computer won't read my notepad format from the other computer as it comes over as a spreadsheet XLS format.

I'm hoping those back door entries aren't as scary as they sound...

George
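The report above is in DrWeb.csv's layout: one hit per line, the fields name;directory;detection;action; and an empty action field where Dr.Web could neither cure, delete nor move the object, which in this log is the four rows the post describes as bolded. The script below is an added example, not part of the post or of Dr.Web, that parses that layout and separates the rows still needing attention from the ones already remediated, from container hits (an archive or installer flagged only for what it contains), and from the Program./Tool. classes that Dr.Web uses for dual-use utilities such as the PsExec bundled inside ComboFix. The sample lines are copied from the report above; the field order is inferred from them.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv) by class and remediation status.

Added example; the format is inferred from the report posted above:
name;directory;detection;action;  (the action field is empty when nothing
was done to the object).
"""
from __future__ import annotations

from dataclasses import dataclass

# Excerpt copied from the report in the post above (not constructed).
DRWEB_LOG = r"""
ship_wall_stain3;C:\Documents and Settings\George N. Cahill IV\Desktop\MODS-UPDATES\COD4 mods\cod4mw_modtools_v1\raw\material_properties;Modification of Win95.Kamikaze.1543;Moved.;
Combofix.exe;C:\Documents and Settings\George N. Cahill IV\Desktop;Container contains infected objects;Moved.;
UACdwaxcteiciqgopmwb.dll;C:\WINDOWS\system32;Trojan.Packed.365;;
VirtumundoBeGone.exe\data005;C:\Documents and Settings\George N. Cahill IV\Desktop\HEALTHCARE\bleep ASS\VirtumundoBeGone.exe;Tool.Prockill;;
Combofix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\George N. Cahill IV\Desktop\Combofix.exe/data002;Program.PsExec.171;;
net.net;c:\windows\system32;Trojan.Click.25308;Deleted.;
UACirvonfonlgexxqlrn.dll;C:\WINDOWS\system32;BackDoor.Tdss.49;Deleted.;
hjgruiunbboltl.dll;C:\WINDOWS\system32;BackDoor.Tdss.265;Deleted.;
data002;C:\Documents and Settings\George N. Cahill IV\Desktop;Archive contains infected objects;;
"""

# Dr.Web class prefixes for dual-use/riskware, as opposed to Trojan./BackDoor.
RISKWARE_CLASSES = {"Program", "Tool"}
REMEDIATED_ACTIONS = {"Deleted.", "Moved."}


@dataclass(frozen=True)
class Finding:
    name: str
    directory: str
    detection: str
    action: str

    @property
    def family(self) -> str:
        """Class prefix: 'BackDoor' from 'BackDoor.Tdss.49', 'Win95' from
        'Modification of Win95.Kamikaze.1543', 'Archive' for container hits."""
        d = self.detection.removeprefix("Modification of ")
        if "contains infected objects" in d:
            return "Archive"
        return d.split(".", 1)[0]

    @property
    def remediated(self) -> bool:
        return self.action in REMEDIATED_ACTIONS


def parse_drweb(text: str) -> list[Finding]:
    findings: list[Finding] = []
    for line in text.strip().splitlines():
        fields = line.split(";")          # trailing ';' leaves an empty 5th field
        if len(fields) < 4:
            raise ValueError(f"unexpected DrWeb.csv line: {line!r}")
        findings.append(Finding(*(f.strip() for f in fields[:4])))
    return findings


def triage(text: str) -> dict[str, list[Finding]]:
    """Bucket findings so the ones still needing action stand out.

    unresolved: malware Dr.Web could neither cure, delete nor move
    containers: archives/installers flagged only because of their contents
    riskware:   Program./Tool. hits (PsExec inside ComboFix, the process
                killer inside VirtumundoBeGone): dual-use tools, not infections
    remediated: everything Dr.Web deleted or moved to quarantine
    """
    buckets: dict[str, list[Finding]] = {
        "unresolved": [], "containers": [], "riskware": [], "remediated": []}
    for f in parse_drweb(text):
        if f.family in RISKWARE_CLASSES:
            buckets["riskware"].append(f)
        elif f.family == "Archive":
            buckets["containers"].append(f)
        elif f.remediated:
            buckets["remediated"].append(f)
        else:
            buckets["unresolved"].append(f)
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(DRWEB_LOG).items():
        print(f"{bucket} ({len(items)}):")
        for f in items:
            print(f"  {f.name}  [{f.detection}]  {f.action or '<no action>'}")
```

Run against the log above, the only entry left in the unresolved bucket is the system32 DLL with no action recorded, which is the object the next post's rootkit scan goes looking for.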

#12 SpiderGat (Topic Starter)

Posted 11 July 2009 - 11:50 AM

Did not mean to double post. Accidentally did while trying to fix my previous post >.< Sorry. I can't believe it infected textures from my COD4 Map maker...

Edited by SpiderGat, 11 July 2009 - 11:56 AM.


#13 garmanma (Staff Emeritus)

Posted 11 July 2009 - 01:47 PM

Let's try one more thing before we move you to the HJT forum


Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed), and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
Mark

#14 SpiderGat (Topic Starter)

Posted 11 July 2009 - 02:06 PM

RootRepeal Report as per request.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/11 14:01
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB644B000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA63C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: dwshd.sys
Image Path: dwshd.sys
Address: 0xB9CEF000 Size: 183424 File Visible: No Signed: -
Status: -

Name: hjgruidqqbleiw.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruidqqbleiw.sys
Address: 0xB66F8000 Size: 163840 File Visible: - Signed: -
Status: Hidden from Windows API!

Name: PCI_PNP4656
Image Path: \Driver\PCI_PNP4656
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5156000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sppt.sys
Image Path: sppt.sys
Address: 0xB9EA6000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: UACudlbpbbswfbtdushf.sys
Image Path: C:\WINDOWS\system32\drivers\UACudlbpbbswfbtdushf.sys
Address: 0xB66E4000 Size: 81920 File Visible: - Signed: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\hjgruiqumcgqws.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACamqfuigitusfyfgxo.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACdwaxcteiciqgopmwb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACoxuhtwnjlragsynig.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uactmp.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACwdlbljftjmkmvefyq.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACxkibnotfngtnaotyq.db
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruirpafgixd.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiunbboltl.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiwybsrdtr.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\UAC68.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruidqqbleiw.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACudlbpbbswfbtdushf.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\George N. Cahill IV\DoctorWeb\Quarantine\UACdwaxcteiciqgopmw0.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\George N. Cahill IV\DoctorWeb\Quarantine\UACdwaxcteiciqgopmw1.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\George N. Cahill IV\DoctorWeb\Quarantine\UACdwaxcteiciqgopmw2.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\George N. Cahill IV\DoctorWeb\Quarantine\UACdwaxcteiciqgopmwb.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\George N. Cahill IV\Local Settings\Temp\UAC4cd8.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\George N. Cahill IV\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
Status: Locked to the Windows API!

Path: C:\Documents and Settings\George N. Cahill IV\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
Status: Locked to the Windows API!

Path: C:\Documents and Settings\George N. Cahill IV\Application Data\Mozilla\Firefox\Profiles\1578lmsg.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Path: C:\Documents and Settings\George N. Cahill IV\My Documents\Battlefield 2\mods\bf2\cache\{D7B71E3E-4551-11CF-C257-1BA003C2CB35}_2965_2\rashaderbmhasuvanimationhasnormalmaphasgimaphasenvmapusehemimaphasshadowhascolormapglosshasdot3alphatesthasshadowocclusion.cfx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\George N. Cahill IV\My Documents\Battlefield 2\mods\bf2\cache\{D7B71E3E-4551-11CF-C257-1BA003C2CB35}_2965_3\rashaderbmhasuvanimationhasnormalmaphasgimaphasenvmapusehemimaphasshadowhascolormapglosshasdot3alphatesthasshadowocclusion.cfx
Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACwdlbljftjmkmvefyq.dll]
Process: svchost.exe (PID: 1320) Address: 0x00740000 Size: 73728

Object: Hidden Module [Name: UAC68.tmpuhtwnjlragsynig.dll]
Process: svchost.exe (PID: 1320) Address: 0x009c0000 Size: 204800

Object: Hidden Module [Name: UACdwaxcteiciqgopmwb.dll]
Process: svchost.exe (PID: 1320) Address: 0x00b80000 Size: 81920

Object: Hidden Module [Name: hjgruiqumcgqws.dll]
Process: svchost.exe (PID: 1320) Address: 0x10000000 Size: 53248

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: svchost.exe (PID: 1428) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: svchost.exe (PID: 1788) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: svchost.exe (PID: 1880) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: svchost.exe (PID: 304) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: aawservice.exe (PID: 444) Address: 0x00e40000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: Explorer.EXE (PID: 748) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: spoolsv.exe (PID: 952) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: avgtray.exe (PID: 1532) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: LGDCore.exe (PID: 1544) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: LCDMon.exe (PID: 1552) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: jusched.exe (PID: 1568) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: HPWuSchd.exe (PID: 1608) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: hpztsb09.exe (PID: 1628) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: LCDClock.exe (PID: 1656) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: LCDMedia.exe (PID: 1684) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: RTHDCPL.EXE (PID: 1700) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: razerhid.exe (PID: 1768) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: uGuru.exe (PID: 1916) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: ctfmon.exe (PID: 1984) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: svchost.exe (PID: 636) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: avgwdsvc.exe (PID: 1508) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: mDNSResponder.exe (PID: 1616) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: DkService.exe (PID: 1864) Address: 0x00a50000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: nTuneService.exe (PID: 1708) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: razerofa.exe (PID: 2204) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: nvsvc32.exe (PID: 2228) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: avgrsx.exe (PID: 2264) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: avgnsx.exe (PID: 2272) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: PnkBstrA.exe (PID: 2372) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: PnkBstrB.exe (PID: 2416) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: avgemc.exe (PID: 2700) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: avgcsrvx.exe (PID: 2980) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: wmiprvse.exe (PID: 3644) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: svchost.exe (PID: 3040) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: ALCFDRTM.EXE (PID: 3660) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: firefox.exe (PID: 2180) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: wuauclt.exe (PID: 780) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: wuauclt.exe (PID: 2688) Address: 0x10000000 Size: 32768

Object: Hidden Module [Name: hjgruiunbboltl.dll]
Process: RootRepeal.exe (PID: 340) Address: 0x10000000 Size: 32768

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8ac401f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8ac401f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8ac401f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8ac401f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ac401f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ac401f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ac401f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ac401f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8ac401f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ac401f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8ac401f8 Size: 121

Object: Hidden Code [Driver: Win, IRP_MJ_CREATE]
Process: System Address: 0x8abe11f8 Size: 121

Object: Hidden Code [Driver: Win, IRP_MJ_CLOSE]
Process: System Address: 0x8abe11f8 Size: 121

Object: Hidden Code [Driver: Win, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8abe11f8 Size: 121

Object: Hidden Code [Driver: Win, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8abe11f8 Size: 121

Object: Hidden Code [Driver: Win, IRP_MJ_POWER]
Process: System Address: 0x8abe11f8 Size: 121

Object: Hidden Code [Driver: Win, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8abe11f8 Size: 121

Object: Hidden Code [Driver: Win, IRP_MJ_PNP]
Process: System Address: 0x8abe11f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_CREATE]
Process: System Address: 0x8af481f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_CLOSE]
Process: System Address: 0x8af481f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8af481f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8af481f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_POWER]
Process: System Address: 0x8af481f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8af481f8 Size: 121

Object: Hidden Code [Driver: JRAID, IRP_MJ_PNP]
Process: System Address: 0x8af481f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8af491f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8af491f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8af491f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8af491f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8af491f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8af491f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8af491f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8af491f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8af491f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8af491f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8af491f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8aced1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8aced1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aced1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aced1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8aced1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8aced1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8aced1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8aed81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8aed81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8aed81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8aed81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aed81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aed81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8aed81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8aed81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8aed81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8aed81f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8aed81f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8ab6a1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8ab6a1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ab6a1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ab6a1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8ab6a1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8ab6a1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8acec500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8acec500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8acec500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8acec500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8acec500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8acec500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8acec500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8a1da500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆, IRP_MJ_CREATE]
Process: System Address: 0x8a1c4500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆, IRP_MJ_CLOSE]
Process: System Address: 0x8a1c4500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆, IRP_MJ_READ]
Process: System Address: 0x8a1c4500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a1c4500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a1c4500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a1c4500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a1c4500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a1c4500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a1c4500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a1c4500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a1c4500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆, IRP_MJ_CLEANUP]
Process: System Address: 0x8a1c4500 Size: 121

Object: Hidden Code [Driver: CdfsЅఅ瑎獆, IRP_MJ_PNP]
Process: System Address: 0x8a1c4500 Size: 121

Hidden Services
-------------------
Service Name: hjgruiqtfjjuka
Image Path: C:\WINDOWS\system32\drivers\hjgruidqqbleiw.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACudlbpbbswfbtdushf.sys

==EOF==
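The report above lists, for nearly every loaded driver, each IRP major function redirected to a "Hidden Code" object, followed by two hidden services whose image paths point at randomly named .sys files. Reading hundreds of those pairs by eye is error-prone, so here is an added triage script (my own example, not part of this thread, of RootRepeal, or of any tool the helpers use) that parses the two line shapes the report uses and summarizes, per driver, how many dispatch entries point at the same hidden address, then lists the hidden services. The embedded sample is constructed from a trimmed subset of the entries above; the function names are my own.

```python
"""Triage summary for a RootRepeal stealth-object report (added example)."""
import re
from collections import defaultdict

# Constructed sample: a handful of entries copied from the report above,
# trimmed so the example runs offline. Real reports carry hundreds of pairs.
SAMPLE_REPORT = r"""Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8af471f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8ac401f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8ac401f8 Size: 121

Hidden Services
-------------------
Service Name: hjgruiqtfjjuka
Image Path: C:\WINDOWS\system32\drivers\hjgruidqqbleiw.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACudlbpbbswfbtdushf.sys

==EOF==
"""

# The two line shapes of a hook entry: the "Object:" line names the driver
# and IRP major, the following "Process:" line carries the address and size.
HOOK_RE = re.compile(r"^Object: Hidden Code \[Driver: (?P<driver>.+?), (?P<irp>IRP_MJ_[A-Z_]+)\]$")
ADDR_RE = re.compile(r"^Process: (?P<proc>\S+) Address: (?P<addr>0x[0-9a-f]+) Size: (?P<size>\d+)$", re.I)
SVC_RE = re.compile(r"^Service Name: (?P<name>.+)$")
PATH_RE = re.compile(r"^Image Path: (?P<path>.+)$")


def parse_report(text):
    """Return (hooks, services): hooks as dicts, services as (name, path) tuples."""
    hooks, services = [], []
    pending_hook, pending_svc = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOOK_RE.match(line):
            pending_hook = m.groupdict()
        elif m := ADDR_RE.match(line):
            if pending_hook:  # the Process line completes the preceding Object line
                hooks.append({**pending_hook, "addr": int(m["addr"], 16), "size": int(m["size"])})
                pending_hook = None
        elif m := SVC_RE.match(line):
            pending_svc = m["name"]
        elif (m := PATH_RE.match(line)) and pending_svc:
            services.append((pending_svc, m["path"]))
            pending_svc = None
    return hooks, services


def summarize_hooks(hooks):
    """Group hooks as driver -> hook address -> sorted list of IRP majors."""
    table = defaultdict(lambda: defaultdict(set))
    for h in hooks:
        table[h["driver"]][h["addr"]].add(h["irp"])
    return {drv: {addr: sorted(irps) for addr, irps in addrs.items()}
            for drv, addrs in table.items()}


def findings(summary, services):
    """One human-readable line per driver and per hidden service."""
    out = []
    for drv, addrs in summary.items():
        if len(addrs) == 1:
            addr, irps = next(iter(addrs.items()))
            out.append(f"{drv}: {len(irps)} IRP dispatch entries all redirected to {addr:#010x}")
        else:
            out.append(f"{drv}: dispatch entries split across {len(addrs)} hidden code addresses")
    for name, path in services:
        out.append(f"hidden service {name!r} backed by {path}")
    return out


if __name__ == "__main__":
    hooks, services = parse_report(SAMPLE_REPORT)
    for line in findings(summarize_hooks(hooks), services):
        print(line)
```

The per-driver grouping is the point: a dispatch table whose entries all land at one address outside any loaded module, across many unrelated drivers, is the signature of a kernel-mode rootkit rather than a legitimate filter driver, and the hidden services give the on-disk files that the helper's later instructions target. Run it against a full saved report by reading the file into `parse_report` instead of `SAMPLE_REPORT`.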

#15 garmanma (Computer Masochist, Staff Emeritus, 27,809 posts, Location: Cleveland, Ohio)

Posted 11 July 2009 - 07:18 PM

Uninstall Mbam
Open RootRepeal and in the window highlight these two entries with your mouse

C:\WINDOWS\system32\drivers\hjgruidqqbleiw.sys
C:\WINDOWS\system32\drivers\UACudlbpbbswfbtdushf.sys

Select the Wipe Files option only then immediately reboot the computer!

Next install and update MBAM and run a quick scan!

Allow it to delete what it detects and reboot immediately.
Mark