MBAM, Dr. Web, HijackThis won't run - infected


25 replies to this topic

#1 robwats83

robwats83

  • Members
  • 19 posts
  • OFFLINE
  • Local time:01:47 AM

Posted 24 August 2009 - 06:24 PM

Hello all. First time user.

Windows XP Pro, SP3.

Have gotten an infection much like the other 10,000 people on here. Fake virus scanners pop-up all the time, trying to get me to buy malicious software, etc.

I cannot get Malwarebytes or HijackThis to run. Also tried Dr. Web (saw it on the MBAM forum) and the .exe will run, but a scan never happens.

MBAM will install fine on this machine, but will not run/update at the end of the install, in safe mode or otherwise.

Any other information you need to diagnose?

Thanks for any and all help you can offer.


#2 Straythe

Straythe

  • Members
  • 124 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:12:47 AM

Posted 24 August 2009 - 11:33 PM

Hello, please note I am NOT a staff member here, just another member who's read a lot of threads.

Sometimes MBAM will run if you rename it to something else - zztoy.exe is a favorite - so the infection can't recognize and stall it. Try changing the name of "mbam.exe" in your installation folder; or download the very latest version (it's updated every few days) and "Save as..." something else. It might also help to change the extension of it to .bat or .scr .

My suggestion is based on posts such as this one:

http://www.bleepingcomputer.com/forums/ind...t&p=1395147

Good luck - Straythe
***"When you surround an enemy, leave an outlet free [...] to make him believe there is a road to safety, and thus prevent his fighting with the courage of despair." Sun Tzu ***

#3 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:47 AM

Posted 25 August 2009 - 08:40 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then select the Immediate notification bullet and press Submit.



Please try what Straythe has suggested. And then if that doesn't work, try this:


Let's try Fatdcuk's fix.

Please navigate to the MBAM folder located in the Program Files directory.

Locate MBAM.exe and rename it to winlogon.exe

Once renamed double click on the file to open MBAM and select Quick Scan

At the end of the scan click Remove Selected and then reboot.


Post the scan log. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Computer Pro

#4 robwats83

robwats83
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:01:47 AM

Posted 28 August 2009 - 10:12 PM

Hello again guys, thanks for taking the time to help me out.

I can get MBAM to install fine, but at the end of the install, where I tell it to Run mbam and Update mbam, it just quits.

I tried renaming the exe after the install, but it still won't open.

#5 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:47 AM

Posted 28 August 2009 - 10:21 PM

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Chewy

No. Try not. Do... or do not. There is no try.

#6 robwats83

robwats83
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:01:47 AM

Posted 28 August 2009 - 11:41 PM

Okay.

I ran this program, took quite a while. It found two files:


Sophos Anti-Rootkit Version 1.5.0 © 2009 Sophos Plc
Started logging on 8/28/2009 at 23:32:12 PM
User "Family" on computer "WATSONDESKTOP"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\config\SECURITY.tmp.LOG
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Stopped logging on 8/29/2009 at 0:35:08 AM


But the program did not recommend cleaning, so I did not restart and rescan, as directed by your reply.
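The sarscan.log above has a simple line format, and the same two findings come up in many Sophos Anti-Rootkit logs. The Python script below is an added example, my own code rather than Sophos's or anything posted in this thread: it parses the header and every "Hidden:" line and attaches a review priority to each hidden object. The two rules it carries are this example's assumptions, not verdicts from Sophos: sptd.sys is the SPTD driver that installs with DAEMON Tools (the SDFix report later in this thread dumps the sptd service config pointing at C:\Program Files\DAEMON Tools Lite\), and a .LOG file beside the registry hives in system32\config is something to confirm with a second scanner rather than delete. Any other hidden object under the Windows directory is rated high so it gets looked at first. The sample log is a constructed copy of the one posted above.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed sample: the sarscan.log posted in this thread, reproduced as test input.
SAMPLE_LOG = r"""Sophos Anti-Rootkit Version 1.5.0 (c) 2009 Sophos Plc
Started logging on 8/28/2009 at 23:32:12 PM
User "Family" on computer "WATSONDESKTOP"
Windows version 5.1 SP 3.0 Service Pack 3 build 2600 SM=0x100 PT=0x1 Win32
Info: Starting process scan.
Info: Starting registry scan.
Info: Starting disk scan of C: (NTFS).
Hidden: file C:\WINDOWS\system32\config\SECURITY.tmp.LOG
Hidden: file C:\WINDOWS\system32\drivers\sptd.sys
Stopped logging on 8/29/2009 at 0:35:08 AM
"""

HEADER_RE = re.compile(r"^Sophos Anti-Rootkit Version (?P<version>[\d.]+)")
USER_RE = re.compile(r'^User "(?P<user>[^"]+)" on computer "(?P<computer>[^"]+)"')
# Every finding is "Hidden: <kind> <target>", e.g. "Hidden: file C:\...\sptd.sys".
HIDDEN_RE = re.compile(r"^Hidden:\s+(?P<kind>\S+)\s+(?P<target>.+?)\s*$")


@dataclass
class ScanReport:
    version: str = ""
    user: str = ""
    computer: str = ""
    hidden: List[Tuple[str, str]] = field(default_factory=list)  # (kind, target)


def parse_sarscan(text: str) -> ScanReport:
    """Pull the header fields and every 'Hidden:' finding out of a sarscan.log."""
    report = ScanReport()
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            report.version = m.group("version")
            continue
        m = USER_RE.match(line)
        if m:
            report.user, report.computer = m.group("user"), m.group("computer")
            continue
        m = HIDDEN_RE.match(line)
        if m:
            report.hidden.append((m.group("kind"), m.group("target")))
    return report


# Triage rules are this example's own heuristics (assumptions), not Sophos output.
# Each rule: (predicate on the lower-cased path, priority, reason).
TRIAGE_RULES: List[Tuple[Callable[[str], bool], str, str]] = [
    (lambda p: p.endswith("\\drivers\\sptd.sys"), "low",
     "sptd.sys is the SPTD driver; the sptd service config dumped later in this "
     "thread points at C:\\Program Files\\DAEMON Tools Lite\\"),
    (lambda p: "\\system32\\config\\" in p and p.endswith(".log"), "low",
     "log file beside the registry hives in system32\\config; confirm with a "
     "second scanner before treating it as malicious"),
]


def triage(report: ScanReport) -> List[Dict[str, str]]:
    """Attach a review priority and a reason to every hidden object in the report."""
    findings = []
    for kind, target in report.hidden:
        p = target.lower()
        for predicate, priority, reason in TRIAGE_RULES:
            if predicate(p):
                findings.append({"kind": kind, "target": target,
                                 "priority": priority, "reason": reason})
                break
        else:
            # Unexplained hidden objects inside the Windows directory get the first look.
            priority = "high" if "\\windows\\" in p else "medium"
            findings.append({"kind": kind, "target": target, "priority": priority,
                             "reason": "no known explanation; record hash, size and "
                                       "signer before any removal"})
    return findings


if __name__ == "__main__":
    rep = parse_sarscan(SAMPLE_LOG)
    print(f"Sophos ARK {rep.version}, user {rep.user!r} on {rep.computer!r}, "
          f"{len(rep.hidden)} hidden object(s)")
    for f in triage(rep):
        print(f"[{f['priority']:6}] {f['target']}  -- {f['reason']}")
```

Run it against a real sarscan.log by passing the file's contents to parse_sarscan(); the rule list is the place to record explanations for hidden items the machine's owner can account for, so a second run after cleanup shows only what still needs attention.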

#7 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:47 AM

Posted 28 August 2009 - 11:49 PM

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Download and run process explorer

Under file/save as/create a log to post here
Chewy

No. Try not. Do... or do not. There is no try.

#8 robwats83

robwats83
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:01:47 AM

Posted 28 August 2009 - 11:54 PM

Alright.

Process PID CPU Description Company Name
System Idle Process 0 97.73
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 412 Windows NT Session Manager Microsoft Corporation
csrss.exe 620 Client Server Runtime Process Microsoft Corporation
winlogon.exe 652 Windows NT Logon Application Microsoft Corporation
services.exe 700 0.76 Services and Controller app Microsoft Corporation
svchost.exe 920 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 956 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1036 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1072 Generic Host Process for Win32 Services Microsoft Corporation
LEXBCES.EXE 1232 LexBce Service Lexmark International, Inc.
LEXPPS.EXE 1284 LEXPPS.EXE Lexmark International, Inc.
spoolsv.exe 1252 Spooler SubSystem App Microsoft Corporation
svchost.exe 1452 Generic Host Process for Win32 Services Microsoft Corporation
imapi.exe 1700 Image Mastering API Microsoft Corporation
svchost.exe 1852 Generic Host Process for Win32 Services Microsoft Corporation
tlntsvr.exe 1916 Telnet Microsoft Corporation
vssvc.exe 2012 Microsoft® Volume Shadow Copy Service Microsoft Corporation
svchost.exe 1360 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 2964 Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 712 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1664 0.76 Windows Explorer Microsoft Corporation
ctfmon.exe 124 CTF Loader Microsoft Corporation
DLG.exe 304 Digital Line Detection BVRP Software
rundll32.exe 1720 Run a DLL as an App Microsoft Corporation
firefox.exe 8048 Firefox Mozilla Corporation
procexp.exe 3464 0.76 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
MOM.exe 540 Catalyst Control Center: Monitoring program Advanced Micro Devices Inc.
CCC.exe 576 Catalyst Control Centre: Host application ATI Technologies Inc.

#9 robwats83

robwats83
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:01:47 AM

Posted 31 August 2009 - 04:30 PM

bump

#10 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:47 AM

Posted 31 August 2009 - 06:41 PM

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.
Chewy

No. Try not. Do... or do not. There is no try.

#11 robwats83

robwats83
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:01:47 AM

Posted 01 September 2009 - 05:37 PM

SDFix: Version 1.240
Run by Administrator on Tue 09/01/2009 at 06:13 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 18:26:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:a9,0a,fb,7f,4c,0b,94,db,e8,09,15,94,19,2f,3e,2b,1a,5f,7c,99,9a,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,f7,2e,f2,d2,6d,75,ac,78,03,1a,02,07,69,e4,d8,79,e9,..
"khjeh"=hex:ae,af,c0,16,26,d9,47,88,e1,43,71,07,55,3f,32,f9,77,b4,72,7c,d2,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c1,8a,a5,25,b9,a1,b6,12,32,6c,6f,86,ca,3e,37,ab,2a,00,91,70,6a,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:a9,0a,fb,7f,4c,0b,94,db,e8,09,15,94,19,2f,3e,2b,1a,5f,7c,99,9a,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,f7,2e,f2,d2,6d,75,ac,78,03,1a,02,07,69,e4,d8,79,e9,..
"khjeh"=hex:ae,af,c0,16,26,d9,47,88,e1,43,71,07,55,3f,32,f9,77,b4,72,7c,d2,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c1,8a,a5,25,b9,a1,b6,12,32,6c,6f,86,ca,3e,37,ab,2a,00,91,70,6a,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:e1,4c,8b,26,2a,01,53,a5,49,9c,a7,46,a0,df,b2,39,bf,22,79,1e,8b,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,f7,2e,f2,d2,6d,75,ac,78,03,1a,02,07,69,e4,d8,79,e9,..
"khjeh"=hex:ae,af,c0,16,26,d9,47,88,e1,43,71,07,55,3f,32,f9,77,b4,72,7c,d2,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:51,e5,7a,60,36,18,c7,ee,fe,90,51,ba,88,eb,09,16,aa,2a,71,ba,7f,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools Lite\"
"h0"=dword:00000000
"khjeh"=hex:a9,0a,fb,7f,4c,0b,94,db,e8,09,15,94,19,2f,3e,2b,1a,5f,7c,99,9a,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,f7,2e,f2,d2,6d,75,ac,78,03,1a,02,07,69,e4,d8,79,e9,..
"khjeh"=hex:ae,af,c0,16,26,d9,47,88,e1,43,71,07,55,3f,32,f9,77,b4,72,7c,d2,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c1,8a,a5,25,b9,a1,b6,12,32,6c,6f,86,ca,3e,37,ab,2a,00,91,70,6a,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"="C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe:*:Enabled:Sid Meier's Civilization 4"
"C:\\Program Files\\Infogrames Interactive\\Scrabble Complete\\ScrabbleComplete.exe"="C:\\Program Files\\Infogrames Interactive\\Scrabble Complete\\ScrabbleComplete.exe:*:Enabled:Scrabble Complete"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Roxio\\PhotoSuite\\RoxioPhotoSuite.exe"="C:\\Program Files\\Roxio\\PhotoSuite\\RoxioPhotoSuite.exe:*:Enabled:RoxioPhotoSuite"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\Program Files\\Synergy\\synergys.exe"="C:\\Program Files\\Synergy\\synergys.exe:*:Enabled:synergys"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\AIM6\\anotify.exe"="C:\\Program Files\\AIM6\\anotify.exe:*:Enabled:anotify"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\logonui.exe"="C:\\WINDOWS\\system32\\logonui.exe:*:Enabled:logonui"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Documents and Settings\\Family\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"="C:\\Documents and Settings\\Family\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll:*:Enabled:Google Talk Plugin"
"C:\\Documents and Settings\\Family\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"="C:\\Documents and Settings\\Family\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe:*:Enabled:Google Talk Plugin"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :



Files with Hidden Attributes :

Tue 28 Jul 2009 1,548,120 A.SHR --- "C:\Program Files\File Scanner Library (Spybot - Search & Destroy)\advcheck.dll"
Mon 26 Jan 2009 1,740,632 A.SHR --- "C:\Program Files\Spybot - S&D\SDUpdate.exe"
Mon 26 Jan 2009 5,365,592 A.SHR --- "C:\Program Files\Spybot - S&D\SpybotSD.exe"
Mon 26 Jan 2009 2,144,088 A.SHR --- "C:\Program Files\Spybot - S&D\TeaTimer.exe"
Thu 5 Mar 2009 2,260,480 A.SHR --- "C:\Program Files\TeaTimer (Spybot - Search & Destroy)\TeaTimer.exe"
Wed 4 Aug 2004 69,584 A..H. --- "C:\WINDOWS\system\AVICAP.DLL"
Wed 4 Aug 2004 109,456 A..H. --- "C:\WINDOWS\system\AVIFILE.DLL"
Wed 4 Aug 2004 32,816 A..H. --- "C:\WINDOWS\system\COMMDLG.DLL"
Wed 4 Aug 2004 9,936 A..H. --- "C:\WINDOWS\system\LZEXPAND.DLL"
Wed 4 Aug 2004 68,768 A..H. --- "C:\WINDOWS\system\MMSYSTEM.DLL"
Wed 4 Aug 2004 126,912 A..H. --- "C:\WINDOWS\system\MSVIDEO.DLL"
Wed 4 Aug 2004 82,944 A..H. --- "C:\WINDOWS\system\OLECLI.DLL"
Wed 4 Aug 2004 24,064 A..H. --- "C:\WINDOWS\system\OLESVR.DLL"
Wed 4 Aug 2004 5,120 A..H. --- "C:\WINDOWS\system\SHELL.DLL"
Wed 4 Aug 2004 19,200 A..H. --- "C:\WINDOWS\system\TAPI.DLL"
Wed 4 Aug 2004 9,008 A..H. --- "C:\WINDOWS\system\VER.DLL"
Sat 22 Aug 2009 518,144 A.SH. --- "C:\WINDOWS\system32\1.tmp"
Thu 20 Aug 2009 518,144 A.SH. --- "C:\WINDOWS\system32\13F.tmp"
Wed 26 Aug 2009 518,144 A.SH. --- "C:\WINDOWS\system32\153.tmp"
Tue 18 Aug 2009 518,144 A.SH. --- "C:\WINDOWS\system32\228.tmp"
Tue 11 Aug 2009 518,144 A.SH. --- "C:\WINDOWS\system32\9B.tmp"
Sat 29 Aug 2009 518,144 A.SH. --- "C:\WINDOWS\system32\B0.tmp"
Thu 20 Aug 2009 518,144 A.SH. --- "C:\WINDOWS\system32\B5.tmp"
Mon 17 Aug 2009 518,144 A.SH. --- "C:\WINDOWS\system32\F5.tmp"
Sat 21 Jul 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 21 Jan 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Sat 22 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\1.tmp"
Fri 21 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\10.tmp"
Fri 21 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\11.tmp"
Fri 21 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\12.tmp"
Sat 15 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\13.tmp"
Sat 22 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\14.tmp"
Sat 22 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\15.tmp"
Sat 22 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\16.tmp"
Wed 26 Aug 2009 40,448 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\16B.tmp"
Fri 14 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\17.tmp"
Sat 22 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\18.tmp"
Sat 22 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\19.tmp"
Sat 22 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\1A.tmp"
Sat 22 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\1B.tmp"
Sat 22 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\1C.tmp"
Sun 23 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\1D.tmp"
Sun 23 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\1E.tmp"
Sun 23 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\1F.tmp"
Mon 17 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\2.tmp"
Sun 23 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\20.tmp"
Sun 23 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\21.tmp"
Sun 23 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\22.tmp"
Sun 23 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\23.tmp"
Mon 24 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\24.tmp"
Mon 24 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\25.tmp"
Mon 24 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\26.tmp"
Mon 24 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\27.tmp"
Mon 24 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\28.tmp"
Tue 25 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\29.tmp"
Tue 25 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\2A.tmp"
Tue 25 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\2B.tmp"
Tue 25 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\2C.tmp"
Tue 25 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\2D.tmp"
Tue 25 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\2E.tmp"
Wed 26 Aug 2009 40,960 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\2F.tmp"
Sat 22 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\3.tmp"
Thu 27 Aug 2009 40,960 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\30.tmp"
Thu 27 Aug 2009 40,960 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\31.tmp"
Thu 27 Aug 2009 40,960 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\32.tmp"
Thu 27 Aug 2009 39,936 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\33.tmp"
Thu 27 Aug 2009 39,936 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\34.tmp"
Thu 27 Aug 2009 40,960 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\35.tmp"
Tue 25 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\36.tmp"
Thu 27 Aug 2009 39,936 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\37.tmp"
Fri 28 Aug 2009 40,960 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\38.tmp"
Fri 28 Aug 2009 40,960 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\39.tmp"
Fri 28 Aug 2009 37,376 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\3A.tmp"
Fri 28 Aug 2009 39,936 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\3B.tmp"
Fri 28 Aug 2009 40,960 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\3C.tmp"
Sun 30 Aug 2009 40,960 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\3D.tmp"
Sun 30 Aug 2009 40,960 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\3E.tmp"
Sun 30 Aug 2009 40,960 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\3F.tmp"
Mon 17 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\4.tmp"
Sun 30 Aug 2009 37,376 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\40.tmp"
Sun 30 Aug 2009 37,376 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\41.tmp"
Sun 30 Aug 2009 40,960 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\42.tmp"
Mon 31 Aug 2009 40,960 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\43.tmp"
Mon 31 Aug 2009 40,960 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\44.tmp"
Mon 31 Aug 2009 37,376 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\45.tmp"
Mon 31 Aug 2009 37,376 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\46.tmp"
Tue 1 Sep 2009 40,960 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\47.tmp"
Tue 1 Sep 2009 37,376 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\4A.tmp"
Fri 14 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\5.tmp"
Thu 13 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\55.tmp"
Fri 14 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\6.tmp"
Sat 15 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\7.tmp"
Fri 14 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\8.tmp"
Sat 15 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\9.tmp"
Mon 17 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\A.tmp"
Wed 19 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\B.tmp"
Thu 13 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\C.tmp"
Wed 19 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\D.tmp"
Fri 21 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\E.tmp"
Sat 29 Aug 2009 37,376 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\E9.tmp"
Fri 21 Aug 2009 6,144 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\F.tmp"
Sat 29 Aug 2009 37,376 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\F9.tmp"
Sun 23 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00F146A61.exe"
Tue 25 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00F16E6F9.exe"
Thu 27 Aug 2009 39,936 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00F14B68D.exe"
Fri 28 Aug 2009 37,376 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00F10E5591.exe"
Tue 25 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00F22DAF9.exe"
Sun 23 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00F3507FD.exe"
Mon 31 Aug 2009 37,376 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00F3F2911.exe"
Sun 30 Aug 2009 37,376 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00F4F5BFA.exe"
Wed 26 Aug 2009 40,448 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00F54AF67B.exe"
Wed 26 Aug 2009 40,448 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00F59B6BC.exe"
Thu 27 Aug 2009 39,936 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00F537E15.exe"
Tue 25 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00F80B47C.exe"
Fri 28 Aug 2009 39,936 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00F8E1EB0.exe"
Sat 22 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00FA1B76.exe"
Sun 23 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00FA01E3.exe"
Thu 27 Aug 2009 39,936 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00FAABFCA.exe"
Thu 27 Aug 2009 39,936 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00FAFDF7.exe"
Sat 22 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00FB3061.exe"
Mon 24 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00FBE6E0.exe"
Mon 31 Aug 2009 37,376 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00FBBA80.exe"
Tue 1 Sep 2009 37,376 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00FBED96.exe"
Sun 30 Aug 2009 37,376 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00FC69DF2.exe"
Tue 25 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00FD4E96E.exe"
Sun 23 Aug 2009 38,400 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00FE1586A.exe"
Sun 30 Aug 2009 37,376 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00FF9CF2.exe"
Sat 29 Aug 2009 37,376 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00F11987D6.exe"
Sun 30 Aug 2009 37,376 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00F1D1CB2.exe"
Fri 28 Aug 2009 37,376 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00F11CDCC.exe"
Sat 29 Aug 2009 37,376 A.SH. --- "C:\Documents and Settings\Family\Local Settings\Temp\_A00F127B6F1.exe"
Mon 2 Oct 2006 50,280 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Sat 21 Jul 2007 4,348 ...H. --- "C:\Documents and Settings\Family\My Documents\My Music\License Backup\drmv1key.bak"
Sat 21 Jul 2007 20 A..H. --- "C:\Documents and Settings\Family\My Documents\My Music\License Backup\drmv1lic.bak"
Sat 21 Jul 2007 400 A.SH. --- "C:\Documents and Settings\Family\My Documents\My Music\License Backup\drmv2key.bak"
Fri 2 Mar 2007 21,504 A..H. --- "C:\Documents and Settings\Family\Desktop\Victorias\Freshman Year Work\USB\~WRL0003.tmp"
Fri 2 Mar 2007 20,992 A..H. --- "C:\Documents and Settings\Family\Desktop\Victorias\Freshman Year Work\USB\~WRL0030.tmp"
Mon 5 Mar 2007 22,016 A..H. --- "C:\Documents and Settings\Family\Desktop\Victorias\Freshman Year Work\USB\~WRL0259.tmp"
Mon 5 Mar 2007 22,016 A..H. --- "C:\Documents and Settings\Family\Desktop\Victorias\Freshman Year Work\USB\~WRL1499.tmp"
Mon 5 Mar 2007 21,504 A..H. --- "C:\Documents and Settings\Family\Desktop\Victorias\Freshman Year Work\USB\~WRL2399.tmp"
Fri 2 Mar 2007 20,480 A..H. --- "C:\Documents and Settings\Family\Desktop\Victorias\Freshman Year Work\USB\~WRL3352.tmp"
Mon 5 Mar 2007 20,992 A..H. --- "C:\Documents and Settings\Family\Desktop\Victorias\Freshman Year Work\USB\~WRL4077.tmp"
Mon 17 Aug 2009 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch1\lock.tmp"
Mon 17 Aug 2009 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch2\lock.tmp"
Mon 17 Aug 2009 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch3\lock.tmp"
Mon 17 Aug 2009 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch4\lock.tmp"
Mon 17 Aug 2009 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\Microsoft\OC\Channels\ch5\lock.tmp"
Mon 4 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Mon 4 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Mon 4 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Mon 4 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Mon 4 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Mon 4 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp"

Finished!

#12 robwats83

robwats83
  • Topic Starter

  • Members
  • 19 posts

Posted 01 September 2009 - 05:47 PM

Just out of curiosity, could I take another computer that will run MBAM, connect it to this network, and run MBAM on this computer through the network? If so, how would I go about it?

#13 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 01 September 2009 - 07:26 PM

That might infect the clean computer and crash the infected one.

Please download TFC by Old Timer and save it to your desktop.
http://oldtimer.geekstogo.com/TFC.exe
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately.


We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check the Drivers and Stealth Objects boxes. [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Chewy

No. Try not. Do... or do not. There is no try.

#14 robwats83

robwats83
  • Topic Starter

  • Members
  • 19 posts

Posted 02 September 2009 - 04:15 PM

Here Ya Go:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/02 17:13
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAD902000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A39000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP8376
Image Path: \Driver\PCI_PNP8376
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB329000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spzj.sys
Image Path: spzj.sys
Address: 0xF7286000 Size: 1048576 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Udfsࠅః瑎て, IRP_MJ_CREATE]
Process: System Address: 0x89d1a1f8 Size: 121

Object: Hidden Code [Driver: Udfsࠅః瑎て, IRP_MJ_CLOSE]
Process: System Address: 0x89d1a1f8 Size: 121

Object: Hidden Code [Driver: Udfsࠅః瑎て, IRP_MJ_READ]
Process: System Address: 0x89d1a1f8 Size: 121

Object: Hidden Code [Driver: Udfsࠅః瑎て, IRP_MJ_WRITE]
Process: System Address: 0x89d1a1f8 Size: 121

Object: Hidden Code [Driver: Udfsࠅః瑎て, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89d1a1f8 Size: 121

Object: Hidden Code [Driver: Udfsࠅః瑎て, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89d1a1f8 Size: 121

Object: Hidden Code [Driver: Udfsࠅః瑎て, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89d1a1f8 Size: 121

Object: Hidden Code [Driver: Udfsࠅః瑎て, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89d1a1f8 Size: 121

Object: Hidden Code [Driver: Udfsࠅః瑎て, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89d1a1f8 Size: 121

Object: Hidden Code [Driver: Udfsࠅః瑎て, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89d1a1f8 Size: 121

Object: Hidden Code [Driver: Udfsࠅః瑎て, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89d1a1f8 Size: 121

Object: Hidden Code [Driver: Udfsࠅః瑎て, IRP_MJ_CLEANUP]
Process: System Address: 0x89d1a1f8 Size: 121

Object: Hidden Code [Driver: Udfsࠅః瑎て, IRP_MJ_PNP]
Process: System Address: 0x89d1a1f8 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_CREATE]
Process: System Address: 0x8a8141f8 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_CLOSE]
Process: System Address: 0x8a8141f8 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8141f8 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8141f8 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_POWER]
Process: System Address: 0x8a8141f8 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8141f8 Size: 121

Object: Hidden Code [Driver: Hard, IRP_MJ_PNP]
Process: System Address: 0x8a8141f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a9081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a9081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a9081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a9081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a9081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a9081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a9081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a9081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a9081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a9081f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a9081f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a9561f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a9561f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a9561f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a9561f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a9561f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a9561f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a9561f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x8a8861f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x8a8861f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a8861f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a8861f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x8a8861f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a8861f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x8a8861f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8aadb1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8aadb1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8aadb1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8aadb1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8aadb1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8aadb1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8aadb1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8aadb1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8aadb1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8aadb1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8aadb1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8ab4e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8ab4e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8ab4e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8ab4e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8ab4e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8ab4e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8ab4e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8ab4e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8ab4e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8ab4e1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8ab4e1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x89cf31f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x89cf31f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89cf31f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89cf31f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x89cf31f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x89cf31f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x89d151f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఎ桇扡⌨蓘蓘, IRP_MJ_CREATE]
Process: System Address: 0x89ce91f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఎ桇扡⌨蓘蓘, IRP_MJ_CLOSE]
Process: System Address: 0x89ce91f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఎ桇扡⌨蓘蓘, IRP_MJ_READ]
Process: System Address: 0x89ce91f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఎ桇扡⌨蓘蓘, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89ce91f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఎ桇扡⌨蓘蓘, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89ce91f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఎ桇扡⌨蓘蓘, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89ce91f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఎ桇扡⌨蓘蓘, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89ce91f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఎ桇扡⌨蓘蓘, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89ce91f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఎ桇扡⌨蓘蓘, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89ce91f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఎ桇扡⌨蓘蓘, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89ce91f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఎ桇扡⌨蓘蓘, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89ce91f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఎ桇扡⌨蓘蓘, IRP_MJ_CLEANUP]
Process: System Address: 0x89ce91f8 Size: 121

Object: Hidden Code [Driver: CdfsЅఎ桇扡⌨蓘蓘, IRP_MJ_PNP]
Process: System Address: 0x89ce91f8 Size: 121

==EOF==

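The RootRepeal report above is long because it prints one "Hidden Code" entry per hooked IRP major function, yet for each driver every entry points at the same address. The script below is an added example, not code from this thread or from RootRepeal itself: it parses a report in that layout (a short constructed excerpt in the same format is embedded, not the full log), groups the hooked dispatch entries by driver and target address so the many lines collapse to one object per driver, and lists the drivers reported as not visible on disk, skipping the scanner's own rootrepeal.sys and the kernel's dump_* crash-dump copies, which are expected to show up that way. Stripping a non-ASCII tail from a driver name such as "Udfs" followed by junk is an assumption about a RootRepeal display artifact, not documented behaviour.

```python
import re
from collections import defaultdict

# Constructed sample in RootRepeal's report layout (an excerpt modelled on the
# thread's log, not the full log). The junk after "Udfs" imitates the display
# artifact seen in real reports.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
Windows Version: Windows XP SP3

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAD902000 Size: 98304 File Visible: No Signed: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB329000 Size: 49152 File Visible: No Signed: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -

Name: spzj.sys
Image Path: spzj.sys
Address: 0xF7286000 Size: 1048576 File Visible: No Signed: -

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8aad91f8 Size: 121

Object: Hidden Code [Driver: Udfsࠅః瑎て, IRP_MJ_CREATE]
Process: System Address: 0x89d1a1f8 Size: 121

==EOF==
"""

DRIVER_RE = re.compile(
    r"^Name: (?P<name>.+)\nImage Path: (?P<path>.+)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) "
    r"File Visible: (?P<visible>\S+) Signed: (?P<signed>\S+)", re.MULTILINE)
HOOK_RE = re.compile(
    r"^Object: Hidden Code \[Driver: (?P<driver>.+?), (?P<irp>IRP_MJ_[A-Z_]+)\]\n"
    r"Process: (?P<proc>\S+) Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)",
    re.MULTILINE)

def clean_driver_name(name):
    # RootRepeal can print bytes past the end of a driver name ("Udfs" plus
    # junk). Treating a non-ASCII tail as display garbage is an assumption.
    return re.sub(r"[^\x20-\x7e]+$", "", name)

def parse_rootrepeal(text):
    """Return (drivers, hooks) as lists of dicts from a RootRepeal report."""
    drivers = [m.groupdict() for m in DRIVER_RE.finditer(text)]
    hooks = [m.groupdict() for m in HOOK_RE.finditer(text)]
    for h in hooks:
        h["driver"] = clean_driver_name(h["driver"])
        h["addr"] = h["addr"].lower()
    return drivers, hooks

def summarize_hooks(hooks):
    """Group hooked IRP dispatch entries by (driver, target address): one
    address across a driver's whole dispatch table is one hook routine, so
    dozens of log lines collapse to one object per driver to examine."""
    table = defaultdict(list)
    for h in hooks:
        table[(h["driver"], h["addr"])].append(h["irp"])
    return {key: sorted(irps) for key, irps in table.items()}

def invisible_drivers(drivers):
    """Drivers reported 'File Visible: No', minus those expected to look that
    way: the scanner's own driver and the kernel's dump_* copies of the boot
    storage drivers that it keeps for writing crash dumps."""
    out = []
    for d in drivers:
        lname = d["name"].lower()
        if lname == "rootrepeal.sys" or lname.startswith("dump_"):
            continue
        if d["visible"] == "No":
            out.append(d["name"])
    return out

def triage(text):
    drivers, hooks = parse_rootrepeal(text)
    return {"hooks": summarize_hooks(hooks), "invisible": invisible_drivers(drivers)}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (driver, addr), irps in result["hooks"].items():
        print(f"{driver:<8} -> {addr}  {len(irps)} hooked IRP handler(s): {', '.join(irps)}")
    print("drivers not visible on disk:", ", ".join(result["invisible"]))
```

Run it on a saved RootRepeal.txt by reading the file and passing its text to `triage`. Grouping by address is the point: a single routine hooking every entry of Ntfs, MRxSmb and the others reads as dozens of findings in the raw log but is one object to investigate per driver. The output is a triage aid only; whether an invisible driver is expected on the machine (a disc-emulation or virtualization driver, for instance) or is part of the infection is still the helper's call, made against the rest of the evidence in the thread.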
#15 robwats83

robwats83
  • Topic Starter

  • Members
  • 19 posts

Posted 05 September 2009 - 01:42 AM

bump



