Win32.TDSS.rtk, New Variant.


  • This topic is locked
6 replies to this topic

#1 BigJohnny

Posted 25 August 2009 - 06:35 PM

As advised, I've created the logs. Before finding this site, I had done some stuff to try and remove this nasty virus, including disabling it in my device manager, deleting the registry keys (had to give myself permission) and even tried reinstalling Windows on a new drive. HOWEVER, I had my other 4 hard drives plugged in, and it must have existed on one of those, because I put a new unpartitioned drive in the computer and was going to use MiniPE to prepare it... before MiniPE loaded, I was given a warning that the boot sector was about to be modified; thinking that this was due to MiniPE, I allowed it. MiniPE will not start, Windows will not start, and trying to install Windows on the new (now partitioned) drive results in it crashing when it gets to "Installing Devices".

Anyway, that's a little background. Here are the logs.

DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by DarkSoul at 18:40:15.64 on 25/08/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2815.2439 [GMT -4:00]

AV: Bitdefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
FW: Bitdefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}

============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
svchost.exe
C:WINDOWSsystem32svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:WINDOWSExplorer.EXE
C:Program FilesMozilla Firefoxfirefox.exe
C:Documents and SettingsDarkSoulDesktopdds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.teamspeakdisplay.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:program filescommon filesadobeacrobatactivexAcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:progra~1spybot~1SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:program filesjavajre1.6.0_05binssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:program filescommon filesmicrosoft sharedwindows liveWindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:program filesgooglegoogle toolbarGoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:program filesgooglegoogletoolbarnotifier5.1.1309.15642swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:program filesgooglegoogle toolbarcomponentfastsearch_A8904FB862BD9564.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:program filesbitdefenderbitdefender 2008IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:program filesgooglegoogle toolbarGoogleToolbar.dll
TB: {76222034-5CFA-4A43-AADE-1E5DACB71469} - No File
uRun: [NVIDIA nTune] "c:system toolsntunentunenTuneCmd.exe" clear
uRun: [msnmsgr] "c:program fileswindows livemessengermsnmsgr.exe" /background
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
mRun: [MSConfig] c:windowspchealthhelpctrbinariesMSConfig.exe /auto
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:windowssystem32NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:windowssystem32NeroCheck.exe
mRun: [iTunesHelper] "c:program filesitunesiTunesHelper.exe"
mRun: [EnvyHFCPL] c:program filesviaviaudioienvyadeckEnMixCPL.exe 1
mRunOnce: [WIAWizardMenu] RUNDLL32.EXE c:windowssystem32sti_ci.dll,WiaCreateWizardMenu
mRunOnce: [Malwarebytes' Anti-Malware] c:program filesmalwarebytes' anti-malwarembamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:program filesmalwarebytes' anti-malwarembam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:windowssystem32CTFMON.EXE
IE: E&xport to Microsoft Excel - c:progra~1micros~4office12EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:program filesjavajre1.6.0_05binssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:progra~1micros~4office11REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:progra~1spybot~1SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201231688727
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://plugin.driveragent.com/files/driveragent.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:program filesgooglegoogle toolbarcomponentfastsearch_A8904FB862BD9564.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:windowssystem32WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:docume~1darksoulapplic~1mozillafirefoxprofiles0jnxxv1w.default
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://ducktuf.net/forum/
FF - plugin: c:documents and settingsdarksoulapplication datamozillafirefoxprofiles0jnxxv1w.defaultextensionsfirefox@tvunetworks.compluginsnpTVUAx.dll
FF - plugin: c:program filesk-lite codec packquicktimepluginsnpqtplugin.dll
FF - plugin: c:program filesk-lite codec packquicktimepluginsnpqtplugin2.dll
FF - plugin: c:program filesk-lite codec packquicktimepluginsnpqtplugin3.dll
FF - plugin: c:program filesk-lite codec packquicktimepluginsnpqtplugin4.dll
FF - plugin: c:program filesk-lite codec packquicktimepluginsnpqtplugin5.dll
FF - plugin: c:program filesk-lite codec packquicktimepluginsnpqtplugin6.dll
FF - plugin: c:program filesk-lite codec packrealbrowserpluginsnppl3260.dll
FF - plugin: c:program filesk-lite codec packrealbrowserpluginsnprpjplug.dll

---- FIREFOX POLICIES ----
c:program filesmozilla firefoxgreprefsall.js - pref("media.enforce_same_site_origin", false);
c:program filesmozilla firefoxgreprefsall.js - pref("media.cache_size", 51200);
c:program filesmozilla firefoxgreprefsall.js - pref("media.ogg.enabled", true);
c:program filesmozilla firefoxgreprefsall.js - pref("media.wave.enabled", true);
c:program filesmozilla firefoxgreprefsall.js - pref("media.autoplay.enabled", true);
c:program filesmozilla firefoxgreprefsall.js - pref("browser.urlbar.autocomplete.enabled", true);
c:program filesmozilla firefoxgreprefsall.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:program filesmozilla firefoxgreprefsall.js - pref("dom.storage.default_quota", 5120);
c:program filesmozilla firefoxgreprefsall.js - pref("content.sink.event_probe_rate", 3);
c:program filesmozilla firefoxgreprefsall.js - pref("network.http.prompt-temp-redirect", true);
c:program filesmozilla firefoxgreprefsall.js - pref("layout.css.dpi", -1);
c:program filesmozilla firefoxgreprefsall.js - pref("layout.css.devPixelsPerPx", -1);
c:program filesmozilla firefoxgreprefsall.js - pref("gestures.enable_single_finger_input", true);
c:program filesmozilla firefoxgreprefsall.js - pref("dom.max_chrome_script_run_time", 0);
c:program filesmozilla firefoxgreprefsall.js - pref("network.tcp.sendbuffer", 131072);
c:program filesmozilla firefoxgreprefsall.js - pref("geo.enabled", true);
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:program filesmozilla firefoxdefaultspreffirefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("extensions.blocklist.level", 2);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.urlbar.restrict.typed", "~");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.urlbar.default.behavior", 0);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.clearOnShutdown.history", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.clearOnShutdown.cache", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.cpd.history", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.cpd.formdata", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.cpd.passwords", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.cpd.downloads", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.cpd.cookies", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.cpd.cache", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.cpd.sessions", true);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.cpd.offlineApps", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.cpd.siteSettings", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.ssl_override_behavior", 2);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.privatebrowsing.autostart", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:program filesmozilla firefoxdefaultspreffirefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 Pnp680;SiI 680 ATA Controller;c:windowssystem32driversPnP680.sys [2008-1-20 71720]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:windowssystem32driversbdfndisf.sys [2008-6-2 86792]
S1 AMD64CA;AMD64CA;c:windowssystem32driversAMD64CAx86.sys [2008-4-5 2112]
S1 BIOS;BIOS;c:windowssystem32driversBIOS.sys [2008-3-27 13696]
S2 a2free;a-squared Free Service;"d:temprarsfx0a2service.exe" --> d:temprarsfx0a2service.exe [?]
S2 SocketLock;Raw Socket Lock Driver;c:windowssystem32socketlock.sys [2008-1-24 3712]
S3 BeepApi;Kolor Kit1;C:beepapi.sys [2008-8-2 1504]
S3 BTCFilterService;USB Networking Driver Filter Service;c:windowssystem32driversmotfilt.sys [2009-1-25 6016]
S3 cpuz129;cpuz129;??d:tempcpuz_x32.sys --> d:tempcpuz_x32.sys [?]
S3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:windowssystem32driversEnvy24HF.sys [2008-1-24 627840]
S3 getPlus® Helper;getPlus® Helper;c:program filesnosbingetplus_helpersvc.exe --> c:program filesnosbingetPlus_HelperSvc.exe [?]
S3 motccgp;Motorola USB Composite Device Driver;c:windowssystem32driversmotccgp.sys [2009-1-25 18688]
S3 motccgpfl;MotCcgpFlService;c:windowssystem32driversmotccgpfl.sys [2009-1-25 8320]
S3 MotDev;Motorola Inc. USB Device;c:windowssystem32driversmotodrv.sys [2009-1-25 42112]
S3 Motousbnet;Motorola USB Networking Driver Service;c:windowssystem32driversMotousbnet.sys [2009-1-25 23296]
S3 VtcDrv;Philips SA60xx Recovery Device;c:windowssystem32driversvtcdrv.sys [2008-10-2 18560]

=============== Created Last 30 ================

2009-08-24 22:57 <DIR> --d----- c:program filesa-squared Free
2009-08-24 20:37 <DIR> --d----- c:docume~1darksoulapplic~1Malwarebytes
2009-08-24 20:37 38,160 a------- c:windowssystem32driversmbamswissarmy.sys
2009-08-24 20:37 19,096 a------- c:windowssystem32driversmbam.sys
2009-08-24 20:37 <DIR> --d----- c:program filesMalwarebytes' Anti-Malware
2009-08-24 20:37 <DIR> --d----- c:docume~1alluse~1applic~1Malwarebytes
2009-08-24 20:29 <DIR> --dshr-- C:cmdcons
2009-08-24 20:29 <DIR> --d----- c:windowssetup.pss
2009-08-24 20:28 <DIR> --d----- c:windowssetupupd
2009-08-24 19:48 <DIR> --d----- c:windowsLastGood.Tmp
2009-08-22 03:03 <DIR> --d----- c:windowsSxsCaPendDel
2009-08-18 19:47 71,168 a------- c:windowssystem32driverslbvornfyabuxtptr.sys
2009-08-13 03:00 <DIR> --d----- c:windowsServicePackFiles
2009-08-05 13:18 <DIR> --d----- c:docume~1alluse~1applic~1Mandragora
2009-08-05 13:18 <DIR> --d----- c:program filesMandragora

==================== Find3M ====================

2009-08-24 19:46 81,984 a------- c:windowssystem32bdod.bin
2009-08-05 05:11 204,800 a------- c:windowssystem32mswebdvd.dll
2009-07-17 14:55 58,880 a------- c:windowssystem32atl.dll
2009-07-13 23:43 286,208 a------- c:windowssystem32wmpdxm.dll
2009-06-26 12:18 659,456 a------- c:windowssystem32wininet.dll
2009-06-26 12:18 81,920 a------- c:windowssystem32ieencode.dll
2009-06-25 14:36 661,504 a------- c:windowssystem32mqqm.dll
2009-06-25 14:36 517,120 a------- c:windowssystem32mqsnap.dll
2009-06-25 14:36 471,552 a------- c:windowssystem32mqutil.dll
2009-06-25 14:36 225,280 a------- c:windowssystem32mqoa.dll
2009-06-25 14:36 186,880 a------- c:windowssystem32mqtrig.dll
2009-06-25 14:36 177,152 a------- c:windowssystem32mqrt.dll
2009-06-25 14:36 138,240 a------- c:windowssystem32mqad.dll
2009-06-25 14:36 123,392 a------- c:windowssystem32mqrtdep.dll
2009-06-25 14:36 95,744 a------- c:windowssystem32mqsec.dll
2009-06-25 14:36 48,640 a------- c:windowssystem32mqupgrd.dll
2009-06-25 14:36 47,104 a------- c:windowssystem32mqdscli.dll
2009-06-25 14:36 16,896 a------- c:windowssystem32mqise.dll
2009-06-22 07:49 117,248 a------- c:windowssystem32mqtgsvc.exe
2009-06-22 07:49 19,968 a------- c:windowssystem32mqbkup.exe
2009-06-22 07:49 4,608 a------- c:windowssystem32mqsvc.exe
2009-06-16 10:55 119,808 a------- c:windowssystem32t2embed.dll
2009-06-16 10:55 82,432 a------- c:windowssystem32fontsub.dll
2009-06-12 07:50 80,896 a------- c:windowssystem32tlntsess.exe
2009-06-12 07:50 76,288 a------- c:windowssystem32telnet.exe
2009-06-10 10:21 84,992 a------- c:windowssystem32avifil32.dll
2009-06-10 02:32 132,096 a------- c:windowssystem32wkssvc.dll
2009-06-05 03:42 655,872 a------- c:windowssystem32mstscax.dll
2009-06-03 15:27 1,290,752 a------- c:windowssystem32quartz.dll
2009-03-22 18:46 87,608 a------- c:docume~1darksoulapplic~1inst.exe
2009-03-22 18:46 47,360 a------- c:docume~1darksoulapplic~1pcouffin.sys
2008-03-28 19:15 92,064 a------- c:documents and settingsdarksoulmqdmmdm.sys
2008-03-28 19:15 79,328 a------- c:documents and settingsdarksoulmqdmserd.sys
2008-03-28 19:15 66,656 a------- c:documents and settingsdarksoulmqdmbus.sys
2008-03-28 19:15 25,600 a------- c:documents and settingsdarksoulusbsermptxp.sys
2008-03-28 19:15 22,768 a------- c:documents and settingsdarksoulusbsermpt.sys
2008-03-28 19:15 9,232 a------- c:documents and settingsdarksoulmqdmmdfl.sys
2008-03-28 19:15 6,208 a------- c:documents and settingsdarksoulmqdmcmnt.sys
2008-03-28 19:15 5,936 a------- c:documents and settingsdarksoulmqdmwhnt.sys
2008-03-28 19:15 4,048 a------- c:documents and settingsdarksoulmqdmcr.sys
2008-03-26 22:20 8 a------- c:documents and settingsdarksoulRecYEAR.dat
2008-03-26 22:20 8 a------- c:documents and settingsdarksoulRecWEEK.dat
2008-03-26 22:20 8 a------- c:documents and settingsdarksoulRecONCE.dat
2008-03-26 22:20 8 a------- c:documents and settingsdarksoulRecMONTH.dat
2008-03-26 22:20 8 a------- c:documents and settingsdarksoulRecDAY.dat
2008-03-17 22:56 107 a---h--- c:program filesDesktop.ini
2008-01-29 22:57 22,328 a------- c:docume~1darksoulapplic~1PnkBstrK.sys

============= FINISH: 18:40:54.09 ===============



RootRepeal

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/25 19:26
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: ay2hie6h.SYS
Image Path: C:WINDOWSSystem32Driversay2hie6h.SYS
Address: 0xF5F6D000 Size: 417792 File Visible: No Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xF69CF000 Size: 1664 File Visible: No Signed: -
Status: -

Name: PCI_NTPNP9016
Image Path: DriverPCI_NTPNP9016
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:WINDOWSsystem32driversrootrepeal.sys
Address: 0xF6596000 Size: 49152 File Visible: No Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF690C000 Size: 5248 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:windowsntbtlog.txt
Status: Size mismatch (API: 1971902, Raw: 1971778)

Path: c:documents and settingsdarksoullocal settingsapplication datamozillafirefoxprofiles0jnxxv1w.defaultcache_cache_001_
Status: Size mismatch (API: 167588, Raw: 164771)

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "sptd.sys" at address 0xf62fc0d0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf6301fb2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf6302340

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xf62fc0b0

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf6302418

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf6302298

#: 247 Function Name: NtSetValueKey
Status: Hooked by "sptd.sys" at address 0xf63024aa

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0xfc2c91e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0xfb93f1e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0xfb93f1e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0xfb93f1e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0xfb93f1e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0xfb93f1e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0xfb93f1e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0xfb93f1e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0xfb93f1e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0xfb93f1e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0xfb93f1e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0xfb93f1e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0xfb93f1e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0xfb93f1e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xfb93f1e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0xfb93f1e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0xfb93f1e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0xfb93f1e8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0xfb93f1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CLOSE]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_READ]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_WRITE]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_INFORMATION]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_EA]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_EA]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SHUTDOWN]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CLEANUP]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_SECURITY]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_POWER]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_SET_QUOTA]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: nvata, IRP_MJ_PNP]
Process: System Address: 0xfc33a1e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0xfc1651e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0xfc1651e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0xfc1651e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0xfc1651e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0xfc1651e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xfc1651e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0xfc1651e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0xfc1651e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0xfc1651e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0xfc1651e8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0xfc1651e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0xfc2cb1e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0xfc2cb1e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xfc2cb1e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0xfc2cb1e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0xfc2cb1e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0xfc2cb1e8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0xfc2cb1e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0xfc1661e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0xfc1661e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xfc1661e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0xfc1661e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0xfc1661e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0xfc1661e8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0xfc1661e8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0xfc170790 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0xfc170790 Size: 121

Hidden Services
-------------------
Service Name: TDSSserv.sys
Image Path: C:\WINDOWS\system32\drivers\TDSSqyvo.sys

==EOF==


I'm beginning to think this has gotten into my BIOS or something.

On my new HD, I popped in a Win98 boot disk, ran fdisk, dropped the partition, and left it at that.
There were no other drives connected to my computer at this time; it was simply one new HD and a Windows 98 boot CD that had not previously been used.

Upon deleting the partition I had created earlier, I immediately received a warning saying that the boot sector was about to be modified. This time I did not allow it.

So at this point the new HD should have no partition and hence no data on it, including the previously half-finished Windows install that quit every time it tried to install devices.

I rebooted the computer, and instead of asking to boot from CD like it always does, it booted directly to the unfinished Windows install and continued it, crashing once again after getting halfway through "Installing Devices" (it ALWAYS happens just after my mouse and keyboard flash/flicker while being loaded).

So on a drive with no apparent partitions, the previous Windows install was able to continue.

Explain that?! I hadn't re-created the partitions at this point, so this shouldn't have happened.

Also of note is the fact that with ALL of my HDs disconnected, attempting to run MiniPE again results in the same thing: it gets to its loading/splash screen and then quits.

So how bad is this?? Am I ever going to be able to get Windows installed and running again??? Will the 720GB of stuff I have on my other hard drives be able to be saved? Those drives are storage only and have no active Windows installs on them.... no installs, period.

Just for the record, I have made no changes to the drive I have scanned and posted a log for here. I'm currently using that drive in Safe Mode as it's the only way I can get Windows to run.

Merged posts. ~ OB

Edited by Orange Blossom, 04 September 2009 - 12:49 PM.



#2 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:03:03 PM

Posted 08 September 2009 - 11:50 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 BigJohnny

  • Topic Starter
  • Members
  • 20 posts
  • Local time:10:03 AM

Posted 08 September 2009 - 04:25 PM

Well, I've done that stuff. The logs are above, and the computer hasn't changed since then because my motherboard died and I need to get a replacement before I can even get back to removing this virus.

So the logs you see there are in fact current, and I'm unable to provide others as those hard drives are not installed in the computer I'm currently using.

I would like to know which steps to take to resolve this though, so I can do so when I do purchase a new motherboard (good chance I can pick one up tomorrow).

#4 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:03:03 PM

Posted 09 September 2009 - 01:19 PM

Hi,

When you bring together your hard drives and your new motherboard, it may be that you have to reformat your hard drives and reinstall Windows, because the drivers which are installed in your Windows will not match your new motherboard.

If so, the fastest way to have a clean and fine system is reformatting every hard disk and reinstalling Windows. If you buy the same motherboard (so the drivers installed will match), please post back with a short note for me so we can start helping you with your malware problems :thumbup2:.
regards,
schrauber


#5 BigJohnny

  • Topic Starter
  • Members
  • 20 posts
  • Local time:10:03 AM

Posted 09 September 2009 - 05:23 PM

I purchased a new motherboard on eBay; it should be here in about 8 days.

I realize I will have to format the drive; what I'm more concerned about is whether or not this virus has infected my other 4 hard drives. Those 4 drives cannot be formatted; they contain very important data that is NOT operating systems. They are all slave drives.

I will have to get the computer running again first.

I know the virus is there, but Malwarebytes doesn't detect it anymore, anywhere, so how can I be certain whether it exists on my other 4 slave drives?? I don't want to reinfect a new computer.

#6 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany
  • Local time:03:03 PM

Posted 10 September 2009 - 12:18 PM

Hi,

We can scan the other 4 hard drives when the system is running, no problem. Or you can plug those drives into another system as slaves and scan them with an online scan.

When your system is running again, please open a new thread and place a link to this one here.
regards,
schrauber


#7 Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:04:03 PM

Posted 13 September 2009 - 11:16 AM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



