
PC unclean, probably malware, viruses, etc...


5 replies to this topic

#1 LogicAudio


  • Members
  • 3 posts

Posted 13 July 2009 - 07:18 PM

Hello.

New Listener, First time caller. :thumbsup:

I read most of the forum's info before posting, and hope I am clear, precise, to the point, and within the forum's guidelines. Please excuse me if I forgot important info ahead of time.

So here goes a brief history of what's been happening. I'll try to remember everything I can...

So the PC picked up some viruses/malware or whatnot a few weeks ago. Some were picked up simply from browsing sites... and others probably from my brother using torrent sites.... either way the PC got infested.

Avira is currently installed on the PC and picked up on these and quarantined and deleted what I hope were all of the problems. Just in case it did not, I used 2 online virus scanners, one of them being HouseCall, and another I don't recollect at this time. I also used Spyware Doctor, and Ad-aware, and regedit.

Most of them picked up on problems, deleted, fixed or quarantined them. Now this is where more problems occurred. Now every time I loaded Windows, the theme changed to the old Classic style. I had lost the XP theme style. I googled and tried some solutions, but some seemed to make things worse... and I noticed I had somehow lost administration/access to certain options.

I could not replace or remove "write only" options, and a few weird things I forget at this time. Now that's not all... "sigh"

At one point I noticed I was being redirected to false websites, and false virus warning sites... More problems started occurring, and new viruses appeared on Avira.

On a related note, when trying to transfer files from my PC to my laptop for some unrelated reason, I noticed my networking stopped working as well. I apologize for not remembering the actual system error, but I had lost rights and access to networking altogether. I was losing administrating rights left and right.

Kept scanning my PC using the software I mentioned, and kept running in circles... till today, when things got worse: I lost all EXE associations. It took me some googling, but I got that fixed. So now I'm really tired and getting discouraged. I had bumped into these forums a few times during my searches, and decided to come to you fine people for help.

So this is where I'm at now... I'm still having issues with administrating rights, still having the Classic Windows theme after each reboot, and still getting redirected to other false websites. In other words, a real mess. If anyone could help, it would be greatly appreciated.

Thanks in advance.

LogicAudio

Edited by LogicAudio, 13 July 2009 - 09:04 PM.




#2 rigel


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 13 July 2009 - 09:39 PM

Hi and welcome to BleepingComputer :thumbsup:

Let's try Malwarebytes.

The process of cleaning your computer may require temporarily disabling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Note 2:
-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes. To disable these programs, please view this topic: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 LogicAudio

  • Topic Starter

  • Members
  • 3 posts

Posted 15 July 2009 - 01:09 AM

Thanks for responding.

Things did not quite occur as you mentioned, but I think I got it right. Updated, did the quick scan, it found 7, removed them, and rebooted on request.

Here's the info.

Malwarebytes' Anti-Malware 1.39
Database version: 2432
Windows 5.1.2600 Service Pack 3

7/15/2009 2:02:21 AM
mbam-log-2009-07-15 (02-02-21).txt

Scan type: Quick Scan
Objects scanned: 92255
Time elapsed: 3 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\flashd32.dll (Spyware.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{38101905-d80f-4788-96f6-986a8186178a} (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pcmstub (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{38101905-d80f-4788-96f6-986a8186178a} (Spyware.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\flashd32.dll (Spyware.Agent) -> Delete on reboot.
c:\WINDOWS\system32\pcmstub.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\rn.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

#4 rigel


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 15 July 2009 - 07:31 AM

Next Step...

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial; the self-help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C drive (or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.



#5 LogicAudio

  • Topic Starter

  • Members
  • 3 posts

Posted 16 July 2009 - 02:10 AM

Thanks again...

OK, I tried to download it, but the link you gave me did not work, so from the same site I downloaded the rootrepeal.rar file.

When I ran RootRepeal I got this error: "invalid PE image found!"

I continued with the scan regardless, and here is the report.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/15 21:36
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 00000045
Image Path: \Driver\00000045
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\windows\System32\Drivers\dump_atapi.sys
Address: 0xAA7E9000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\windows\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA60E000 Size: 8192 File Visible: No Signed: -
Status: -

Name: hjgruivdotbwkm.sys
Image Path: C:\windows\system32\drivers\hjgruivdotbwkm.sys
Address: 0xAAB68000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\windows\system32\drivers\rootrepeal.sys
Address: 0xA815D000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\hjgruiidyuyrul.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiorgdnddt.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruipohjysay.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiqjbivkba.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruidxwhevidof.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruinalvwjsnqo.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruivdotbwkm.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\luke\local settings\temp\etilqs_bzvbldmwnyltui9oqalh
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\Luke\Local Settings\temp\fla1B.tmp
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\luke\application data\azureus\tmp\azu32945.tmp
Status: Size mismatch (API: 32333, Raw: 32252)

Path: c:\documents and settings\luke\application data\azureus\active\811a07afe3ba1400089571261062928c6f12d511.dat
Status: Size mismatch (API: 32941, Raw: 32721)

Path: c:\documents and settings\luke\application data\azureus\active\811a07afe3ba1400089571261062928c6f12d511.dat.bak
Status: Size mismatch (API: 32731, Raw: 32592)

Path: c:\documents and settings\luke\application data\azureus\active\92ec2f7ba58136dc918eac65ec93151c2fd37d1e.dat
Status: Size mismatch (API: 20614, Raw: 20267)

Path: c:\documents and settings\luke\application data\azureus\active\92ec2f7ba58136dc918eac65ec93151c2fd37d1e.dat.bak
Status: Size mismatch (API: 20302, Raw: 20036)

Path: C:\Documents and Settings\Luke\Application Data\Azureus\active\04EF964Ad01
Status: Locked to the Windows API!

Path: c:\documents and settings\luke\application data\azureus\active\e023b1455d8de17d81624c66f8fd4994d7661601.dat.bak
Status: Size mismatch (API: 29040, Raw: 28840)

Path: C:\Documents and Settings\Luke\Application Data\Azureus\net\sessionstore.js
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Luke\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Luke\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Luke\Local Settings\Apps\2.0\547DY0LN.G5H\0RLXE122.RG0\manifests\AA2Deploy.exe.cdf-ms
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Luke\Local Settings\Apps\2.0\547DY0LN.G5H\0RLXE122.RG0\manifests\AA2Deploy.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Luke\Local Settings\Application Data\Microsoft\Messenger\Luketheyouth@gmail.com\SharingMetadata\princessbollywood@hotmail.com\DFSR\Staging\CS{CAD89947-B5FD-7929-F4D5-FF6714677BFA}\01\11-{CAD89947-B5FD-7929-F4D5-FF6714677BFA}-v1-{2E30DFF6-DBB2-46CB-9923-5BD229D3E930}-v11-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Luke\Local Settings\Application Data\Microsoft\Messenger\Luketheyouth@gmail.com\SharingMetadata\princessbollywood@hotmail.com\DFSR\Staging\CS{CAD89947-B5FD-7929-F4D5-FF6714677BFA}\12\12-{88C85356-430E-4763-B570-220D0986CBE2}-v12-{88C85356-430E-4763-B570-220D0986CBE2}-v12-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Luke\Local Settings\Application Data\Microsoft\Messenger\Luketheyouth@gmail.com\SharingMetadata\princessbollywood@hotmail.com\DFSR\Staging\CS{CAD89947-B5FD-7929-F4D5-FF6714677BFA}\14\14-{88C85356-430E-4763-B570-220D0986CBE2}-v14-{88C85356-430E-4763-B570-220D0986CBE2}-v14-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Luke\My Documents\Battlefield 2\LogoCache\i38.piczo.com\view\2\t\o\d\l\d\p:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Luke\My Documents\Battlefield 2\LogoCache\i38.piczo.com\view\2\t\o\d\l\d\p:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Luke\My Documents\Battlefield 2\LogoCache\i38.piczo.com\view\2\t\o\d\l\d\p:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: winlogon.exe (PID: 816) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: services.exe (PID: 868) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: lsass.exe (PID: 880) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: Ati2evxx.exe (PID: 1096) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruiidyuyrul.dll]
Process: svchost.exe (PID: 1116) Address: 0x008e0000 Address: 57344

Object: Hidden Module [Name: hjgruiorgdnddt.dll]
Process: svchost.exe (PID: 1116) Address: 0x00fc0000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: svchost.exe (PID: 1116) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: svchost.exe (PID: 1200) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: svchost.exe (PID: 1324) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: Ati2evxx.exe (PID: 1368) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: svchost.exe (PID: 1596) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: svchost.exe (PID: 1732) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: AAWService.exe (PID: 1800) Address: 0x00d10000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: spoolsv.exe (PID: 1996) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: Explorer.EXE (PID: 2008) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: sched.exe (PID: 216) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: avguard.exe (PID: 408) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: jqs.exe (PID: 584) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: PnkBstrA.exe (PID: 696) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: svchost.exe (PID: 952) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: unsecapp.exe (PID: 2124) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: wmiprvse.exe (PID: 2316) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruidxwhevidof.tmpll]
Process: alg.exe (PID: 2328) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruiorgdnddt.dll]
Process: ZboardTray.exe (PID: 2752) Address: 0x00b80000 Address: 32768

Object: Hidden Module [Name: hjgruiorgdnddt.dll]
Process: RTHDCPL.EXE (PID: 2760) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruiorgdnddt.dll]
Process: realsched.exe (PID: 2776) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruiorgdnddt.dll]
Process: avgnt.exe (PID: 2796) Address: 0x003f0000 Address: 32768

Object: Hidden Module [Name: hjgruiorgdnddt.dll]
Process: jusched.exe (PID: 2884) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruiorgdnddt.dll]
Process: wuauclt.exe (PID: 2900) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruiorgdnddt.dll]
Process: Zboard.exe (PID: 2932) Address: 0x00c00000 Address: 32768

Object: Hidden Module [Name: hjgruiorgdnddt.dll]
Process: ctfmon.exe (PID: 2972) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruiorgdnddt.dll]
Process: GoogleToolbarNotifier.exe (PID: 3092) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruiorgdnddt.dll]
Process: msmsgs.exe (PID: 3116) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruiorgdnddt.dll]
Process: SUPERAntiSpyware.exe (PID: 3172) Address: 0x04cb0000 Address: 32768

Object: Hidden Module [Name: hjgruiorgdnddt.dll]
Process: TeaTimer.exe (PID: 3240) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruiorgdnddt.dll]
Process: RegMech.exe (PID: 3268) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruiorgdnddt.dll]
Process: AAWTray.exe (PID: 1952) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruiorgdnddt.dll]
Process: Azureus.exe (PID: 1036) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruiorgdnddt.dll]
Process: firefox.exe (PID: 2220) Address: 0x10000000 Address: 32768

Object: Hidden Module [Name: hjgruiorgdnddt.dll]
Process: RootRepeal.exe (PID: 648) Address: 0x10000000 Address: 32768

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8aad10e8 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x8a6d0520 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x8a6d0520 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x8a6d0520 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x8a6d0520 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a6d0520 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a6d0520 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a6d0520 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x8a6d0520 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a6d0520 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a6d0520 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a6d0520 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a6d0520 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a6d0520 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a6d0520 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a6d0520 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a6d0520 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x8a6d0520 Address: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x8a6d0520 Address: 15

Object: Hidden Code [Driver: Udfs؅ఉ瑎捦܉@考, IRP_MJ_CREATE]
Process: System Address: 0x8a82b0e8 Address: 15

Object: Hidden Code [Driver: Udfs؅ఉ瑎捦܉@考, IRP_MJ_CLOSE]
Process: System Address: 0x8a82b0e8 Address: 15

Object: Hidden Code [Driver: Udfs؅ఉ瑎捦܉@考, IRP_MJ_READ]
Process: System Address: 0x8a82b0e8 Address: 15

Object: Hidden Code [Driver: Udfs؅ఉ瑎捦܉@考, IRP_MJ_WRITE]
Process: System Address: 0x8a82b0e8 Address: 15

Object: Hidden Code [Driver: Udfs؅ఉ瑎捦܉@考, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a82b0e8 Address: 15

Object: Hidden Code [Driver: Udfs؅ఉ瑎捦܉@考, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a82b0e8 Address: 15

Object: Hidden Code [Driver: Udfs؅ఉ瑎捦܉@考, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a82b0e8 Address: 15

Object: Hidden Code [Driver: Udfs؅ఉ瑎捦܉@考, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a82b0e8 Address: 15

Object: Hidden Code [Driver: Udfs؅ఉ瑎捦܉@考, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a82b0e8 Address: 15

Object: Hidden Code [Driver: Udfs؅ఉ瑎捦܉@考, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a82b0e8 Address: 15

Object: Hidden Code [Driver: Udfs؅ఉ瑎捦܉@考, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a82b0e8 Address: 15

Object: Hidden Code [Driver: Udfs؅ఉ瑎捦܉@考, IRP_MJ_CLEANUP]
Process: System Address: 0x8a82b0e8 Address: 15

Object: Hidden Code [Driver: Udfs؅ఉ瑎捦܉@考, IRP_MJ_PNP]
Process: System Address: 0x8a82b0e8 Address: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CREATE]
Process: System Address: 0x8a72ceb0 Address: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_CLOSE]
Process: System Address: 0x8a72ceb0 Address: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a72ceb0 Address: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a72ceb0 Address: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_POWER]
Process: System Address: 0x8a72ceb0 Address: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a72ceb0 Address: 15

Object: Hidden Code [Driver: dtscsi, IRP_MJ_PNP]
Process: System Address: 0x8a72ceb0 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a9376d0 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a9376d0 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a9376d0 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a9376d0 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a9376d0 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a9376d0 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a9376d0 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a9376d0 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a9376d0 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a9376d0 Address: 15

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a9376d0 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_CREATE]
Process: System Address: 0x8aad2398 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_CLOSE]
Process: System Address: 0x8aad2398 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_READ]
Process: System Address: 0x8aad2398 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_WRITE]
Process: System Address: 0x8aad2398 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8aad2398 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aad2398 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aad2398 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8aad2398 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_POWER]
Process: System Address: 0x8aad2398 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8aad2398 Address: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_PNP]
Process: System Address: 0x8aad2398 Address: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x89bd4c30 Address: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x89bd4c30 Address: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x89bd4c30 Address: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x89bd4c30 Address: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89bd4c30 Address: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89bd4c30 Address: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x89bd4c30 Address: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89bd4c30 Address: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x89bd4c30 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8aad2808 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8aad2808 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8aad2808 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8aad2808 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8aad2808 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aad2808 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aad2808 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8aad2808 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8aad2808 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8aad2808 Address: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8aad2808 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8aad2a40 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8aad2a40 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8aad2a40 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8aad2a40 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aad2a40 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aad2a40 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8aad2a40 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8aad2a40 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8aad2a40 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8aad2a40 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8aad2a40 Address: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8a170698 Address: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8a170698 Address: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a170698 Address: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a170698 Address: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8a170698 Address: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8a170698 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLOSE]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_WRITE]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_EA]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLEANUP]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_POWER]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a0ceeb0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8a0cc6e0 Address: 15

Object: Hidden Code [Driver: NpfsЅఆ剒敬, IRP_MJ_CREATE]
Process: System Address: 0x8a1600e8 Address: 15

Object: Hidden Code [Driver: NpfsЅఆ剒敬, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a1600e8 Address: 15

Object: Hidden Code [Driver: NpfsЅఆ剒敬, IRP_MJ_CLOSE]
Process: System Address: 0x8a1600e8 Address: 15

Object: Hidden Code [Driver: NpfsЅఆ剒敬, IRP_MJ_READ]
Process: System Address: 0x8a1600e8 Address: 15

Object: Hidden Code [Driver: NpfsЅఆ剒敬, IRP_MJ_WRITE]
Process: System Address: 0x8a1600e8 Address: 15

Object: Hidden Code [Driver: NpfsЅఆ剒敬, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a1600e8 Address: 15

Object: Hidden Code [Driver: NpfsЅఆ剒敬, IRP_MJ_SET_INFORMATION]

Hidden Services
-------------------
Service Name: hjgruiniybfydl
Image Path: C:\windows\system32\drivers\hjgruivdotbwkm.sys

==EOF==

#6 rigel

    FD-BC

  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 16 July 2009 - 08:30 PM

One thing you should know:

You have been infected by a nasty rootkit {TDSS Variant}. This rootkit may steal personal information from your computer and can monitor traffic as you surf. If you do on-line banking, shopping, or other financial transactions, you need to contact your bank to monitor your account -and- change all passwords immediately. I also recommend changing the password on your router - if applicable. Due to the nature of rootkits, some members elect to reformat their computer, versus trying to clean it. If you wish to do that, please let me know.

We continue:

1st - update Malwarebytes. Do not run it yet...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:
  • C:\WINDOWS\system32\hjgruiidyuyrul.dll
  • C:\WINDOWS\system32\hjgruiorgdnddt.dll
  • C:\WINDOWS\system32\hjgruipohjysay.dat
  • C:\WINDOWS\system32\hjgruiqjbivkba.dat
  • C:\WINDOWS\Temp\hjgruidxwhevidof.tmp
  • C:\WINDOWS\Temp\hjgruinalvwjsnqo.tmp
  • C:\WINDOWS\system32\drivers\hjgruivdotbwkm.sys
Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only then immediately reboot the computer.

Rerun Malwarebytes in full mode. - Let me know if you need any help with these steps.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith
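The RootRepeal log quoted in the previous post and the file list in rigel's reply illustrate the same two facts a responder needs from such a report: many drivers had IRP_MJ dispatch entries redirected, and the hidden service and every file to be wiped share the same random-looking six-letter prefix. The script below is an added example, not part of this thread and not RootRepeal's own code; it parses the report layout exactly as quoted above (and tolerates the missing colon after "Image Path" seen in the extract), groups the hooks per driver, derives the naming prefix from the hidden service, and checks which candidate files share it. The SAMPLE text is a constructed excerpt in the log's layout, and `example_benign.dll` is a constructed control file name.

```python
"""Summarise a RootRepeal 'Hidden Code' / 'Hidden Services' report.

Added example (not from the thread, not RootRepeal code). Assumes the report
layout quoted in the thread: an 'Object:' line followed by a 'Process:' line
for each hook, and a 'Hidden Services' block of 'Service Name' / 'Image Path'.
"""
import os
import re
from collections import defaultdict

# Constructed excerpt in RootRepeal's layout (same shape as the thread's log).
SAMPLE = r"""
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8aad2a40 Address: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8aad2a40 Address: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8a170698 Address: 15

Hidden Services
-------------------
Service Name: hjgruiniybfydl
Image PathC:\windows\system32\drivers\hjgruivdotbwkm.sys

==EOF==
"""

# Candidate files: the seven paths listed in the reply plus one constructed
# benign control name that must NOT match the prefix.
CANDIDATE_FILES = [
    r"C:\WINDOWS\system32\hjgruiidyuyrul.dll",
    r"C:\WINDOWS\system32\hjgruiorgdnddt.dll",
    r"C:\WINDOWS\system32\hjgruipohjysay.dat",
    r"C:\WINDOWS\system32\hjgruiqjbivkba.dat",
    r"C:\WINDOWS\Temp\hjgruidxwhevidof.tmp",
    r"C:\WINDOWS\Temp\hjgruinalvwjsnqo.tmp",
    r"C:\WINDOWS\system32\drivers\hjgruivdotbwkm.sys",
    r"C:\WINDOWS\system32\example_benign.dll",  # constructed control
]

HOOK_RE = re.compile(
    r"Object: Hidden Code \[Driver: (?P<driver>[^,\]]+), (?P<irp>IRP_MJ_\w+)\]\s*\n"
    r"\s*Process: (?P<proc>\S+) Address: (?P<addr>0x[0-9a-fA-F]+)"
)
# 'Image Path:?' accepts both the proper form and the colon-less extract.
SERVICE_RE = re.compile(r"Service Name: (?P<name>\S+)\s*\n\s*Image Path:?\s*(?P<path>\S+)")


def _basename(path):
    """File name component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def parse_hidden_code(text):
    """One dict (driver, irp, proc, addr) per hooked dispatch entry."""
    return [m.groupdict() for m in HOOK_RE.finditer(text)]


def parse_hidden_services(text):
    """List of (service name, image path) from the Hidden Services block."""
    return [(m.group("name"), m.group("path")) for m in SERVICE_RE.finditer(text)]


def hooks_by_driver(text):
    """Group hooks per driver: {driver: {'addresses': [...], 'irps': [...]}}.

    A driver with many IRP_MJ entries all reported at one address is the
    pattern to look for: the whole dispatch table was redirected, not one entry.
    """
    grouped = defaultdict(lambda: {"addresses": set(), "irps": []})
    for h in parse_hidden_code(text):
        grouped[h["driver"]]["addresses"].add(h["addr"])
        grouped[h["driver"]]["irps"].append(h["irp"])
    return {d: {"addresses": sorted(v["addresses"]), "irps": v["irps"]}
            for d, v in grouped.items()}


def naming_prefix(text):
    """Longest common prefix of the hidden service name and its driver file stem."""
    stems = []
    for name, path in parse_hidden_services(text):
        stems.append(name.lower())
        stems.append(os.path.splitext(_basename(path))[0].lower())
    return os.path.commonprefix(stems) if stems else ""


def files_sharing_prefix(paths, prefix):
    """Candidate files whose file name starts with the derived prefix."""
    if not prefix:
        return []
    return [p for p in paths if _basename(p).lower().startswith(prefix)]


if __name__ == "__main__":
    for drv, info in hooks_by_driver(SAMPLE).items():
        print(f"{drv}: {len(info['irps'])} hooked IRP_MJ entries at {info['addresses']}")
    prefix = naming_prefix(SAMPLE)
    print(f"hidden service prefix: {prefix!r}")
    for p in files_sharing_prefix(CANDIDATE_FILES, prefix):
        print("  shares prefix:", p)
```

Run against the full log from the thread the summary collapses some two hundred lines into one row per driver, which is how a helper can spot that dmio, Ftdisk, NetBT, Rdbss, MRxSmb and Npfs were all hooked by the same component before deciding whether to clean or rebuild.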
