Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

I was told i had a Deep Infection


  • This topic is locked This topic is locked
2 replies to this topic

#1 thalonewolf

thalonewolf

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Los Angeles
  • Local time:12:04 PM

Posted 26 August 2009 - 09:49 PM

I was redirected to this section of the fourm and heres the original post. http://www.bleepingcomputer.com/forums/top...ml#entry1400786
Any help would be greatly appreciated!


and also here are the DDS and rootrepeal logs.



DDS (Ver_09-07-30.01) - NTFSx86
Run by OhEE at 19:24:23.70 on Wed 08/26/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2558.1788 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\OhEE\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\HostsMan\hm.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\OhEE\My Documents\My Pictures\emus\xpadder_gamepad_profiler\Xpadder.exe
C:\Documents and Settings\OhEE\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\OhEE\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\OhEE\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\OhEE\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Google Update] "c:\documents and settings\ohee\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [HostsMan] "c:\program files\hostsman\hm.exe" -s
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ohee\applic~1\mozilla\firefox\profiles\d8o2fdi9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\ohee\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: network.http.max-connections-per-server - 8

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-28 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-6 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-6 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-6 108552]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-5-6 150544]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-6 353672]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-5-6 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-6 297752]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-8-13 604488]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-5-6 24652]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2009-6-18 33792]
R3 st3bus28;st3bus28;c:\windows\system32\drivers\st3bus28.sys [2002-12-28 8416]
R3 st3mp28;st3mp28;c:\windows\system32\drivers\st3mp28.sys [2002-12-28 95328]
S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-6-15 12672]
S3 CrystalSysInfo;CrystalSysInfo;\??\c:\program files\mediacoder\sysinfo.sys --> c:\program files\mediacoder\SysInfo.sys [?]
S3 XPADFL02;XPAD Filter Service 02;c:\windows\system32\drivers\xpadfl02.sys --> c:\windows\system32\drivers\xpadfl02.sys [?]

=============== Created Last 30 ================

2009-08-19 11:43 15,360 a--sh--- c:\windows\system32\Thumbs.db
2009-08-19 02:47 1,110,399 a------- c:\windows\system32\UACqpkrdinmyk.db
2009-08-19 02:36 784,874 a------- c:\windows\system32\xa.tmp
2009-08-15 14:20 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-08-15 14:10 -cd----- C:\9f0f50a32aadb31db9bbd81390bc437b
2009-08-15 14:10 --d----- c:\windows\SxsCaPendDel
2009-08-15 01:47 1,645,320 a------- c:\windows\system32\GdiPlus.dll
2009-08-13 17:22 604,488 a------- c:\windows\system32\TUProgSt.exe
2009-08-13 17:22 29,000 a------- c:\windows\system32\uxtuneup.dll
2009-08-13 17:22 361,288 a------- c:\windows\system32\TuneUpDefragService.exe
2009-08-09 19:43 --d----- c:\program files\LimeWire
2009-08-09 19:36 -cd----- c:\docume~1\alluse~1\applic~1\abelhadigital.com
2009-08-09 19:36 --d----- c:\docume~1\ohee\applic~1\abelhadigital.com
2009-08-09 19:36 --d----- c:\program files\HostsMan
2009-08-05 18:30 --d----- c:\program files\Aligner
2009-08-02 17:13 46,592 a--sh--- c:\windows\Thumbs.db
2009-07-29 17:17 -cd----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-29 17:17 --d----- c:\program files\SUPERAntiSpyware
2009-07-29 17:17 --d----- c:\docume~1\ohee\applic~1\SUPERAntiSpyware.com
2009-07-28 23:54 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-28 12:49 594,432 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-28 12:49 55,296 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-28 02:09 --d----- c:\docume~1\ohee\applic~1\Malwarebytes
2009-07-28 02:09 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-28 02:09 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-28 02:09 -cd----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-28 02:09 --d----- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2009-08-26 19:22 601,956,384 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-08-22 19:41 6,855,044 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-08-16 09:29 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-16 09:29 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 02:01 204,800 a------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-02 00:39 81,716 a------- c:\windows\system32\vsfocedgvryukw.dat
2009-07-25 05:23 411,368 ac------ c:\windows\system32\deploytk.dll
2009-07-23 16:23 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-07-21 12:05 98,304 a------- c:\windows\system32\CmdLineExt.dll
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 06:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 12:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-10 06:27 1,315,328 a------- c:\windows\system32\dllcache\msoe.dll
2009-07-03 10:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 10:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 10:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 10:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 10:09 206,848 -------- c:\windows\system32\dllcache\occache.dll
2009-07-03 10:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 10:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 10:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 10:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 10:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 04:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-25 01:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 01:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 01:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 01:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 01:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 01:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 01:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 01:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 01:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 01:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 01:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 01:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-24 04:18 92,928 a------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-16 07:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:36 119,808 a------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 07:36 81,920 a------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 05:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 05:31 80,896 a------- c:\windows\system32\dllcache\tlntsess.exe
2009-06-12 05:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 05:31 76,288 a------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 07:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 07:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-09 23:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-09 23:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2009-06-05 11:42 2,060,288 ac------ c:\windows\system32\usbaaplrc.dll
2009-06-03 12:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 12:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2005-06-26 13:32 616,448 ac-shr-- c:\windows\system32\cygwin1.dll
2005-06-21 20:37 45,568 ac-shr-- c:\windows\system32\cygz.dll
2006-05-03 02:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 03:47 31,232 -c-shr-- c:\windows\system32\msfDX.dll
2008-03-16 05:30 216,064 -c-shr-- c:\windows\system32\nbDX.dll
2005-02-28 11:16 240,128 ac-shr-- c:\windows\system32\x.264.exe
2009-05-06 22:37 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009050720090508\index.dat

============= FINISH: 19:25:15.41 ===============






ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/26 19:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_iastor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iastor.sys
Address: 0xB182C000 Size: 872448 File Visible: No Signed: -
Status: -

Name: PCI_PNP9012
Image Path: \Driver\PCI_PNP9012
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAD2A1000 Size: 49152 File Visible: No Signed: -
Status: -

Name: splj.sys
Image Path: splj.sys
Address: 0xF74D5000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xBA732000 Size: 81920 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\modemlog_intel® 537ep v9x df pci modem.txt
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\ohee\local settings\temp\etilqs_dqn5bwhlbuug8vzthqbv
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\ohee\local settings\temp\etilqs_jo6fhqimme61zwnxgwdq
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: c:\program files\logitech\desktop messenger\8876480\users\ohee\data\inuse.txt
Status: Allocation size mismatch (API: 32, Raw: 0)

Path: c:\documents and settings\ohee\local settings\application data\google\chrome\user data\default\thumbnails
Status: Size mismatch (API: 27148288, Raw: 27140096)

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b31fc0

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b2ec80

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b49170

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b32580

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b46900

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b46b10

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b4ab10

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b32670

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b2f210

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b499f0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b497a0

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b46280

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "splj.sys" at address 0xf74f4ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "splj.sys" at address 0xf74f5032

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b2b8c0

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b49f10

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b49f90

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b4ad90

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b2f070

#: 119 Function Name: NtOpenKey
Status: Hooked by "splj.sys" at address 0xf74d60c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b48180

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b47f40

#: 160 Function Name: NtQueryKey
Status: Hooked by "splj.sys" at address 0xf74f510a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "splj.sys" at address 0xf74f4f8a

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b4a6f0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b4a150

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b31be0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b4a540

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b32190

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b2f440

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b2b6a0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b494e0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b47200

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b47080

#: 262 Function Name: NtUnloadDriver
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b2baf0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a3361f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x88387500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x88387500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x88387500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x88387500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x88387500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x88387500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x88387500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x88387500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x88387500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x88387500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x88387500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x88387500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x88387500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88387500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x88387500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x88387500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x88387500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x88387500 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_CREATE]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_CLOSE]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_READ]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_WRITE]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_QUERY_EA]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_SET_EA]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x893ba558 Size: 37

Object: Hidden Code [Driver: st3mp28, IRP_MJ_SHUTDOWN]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_CLEANUP]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_SET_SECURITY]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_POWER]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_SET_QUOTA]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: st3mp28, IRP_MJ_PNP]
Process: System Address: 0x897e51f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x893d9a58 Size: 1448

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x897f11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x897f11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x893db688 Size: 2424

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x897f11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x897f11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x893d9ae0 Size: 1312

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x897f11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x897f11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x897f11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x897f11f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x897f11f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8a3381f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8a3381f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8a3381f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8a3381f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a3381f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a3381f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a3381f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a3381f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8a3381f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a3381f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8a3381f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x898881f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x898881f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x898881f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x898881f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x898881f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x898881f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x898881f8 Size: 121

Object: Hidden Code [Driver: iastor, IRP_MJ_CREATE]
Process: System Address: 0x8a3371f8 Size: 121

Object: Hidden Code [Driver: iastor, IRP_MJ_CLOSE]
Process: System Address: 0x8a3371f8 Size: 121

Object: Hidden Code [Driver: iastor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a3371f8 Size: 121

Object: Hidden Code [Driver: iastor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a3371f8 Size: 121

Object: Hidden Code [Driver: iastor, IRP_MJ_POWER]
Process: System Address: 0x8a3371f8 Size: 121

Object: Hidden Code [Driver: iastor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a3371f8 Size: 121

Object: Hidden Code [Driver: iastor, IRP_MJ_PNP]
Process: System Address: 0x8a3371f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8a2c91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8a2c91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8a2c91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a2c91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a2c91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a2c91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a2c91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8a2c91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8a2c91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a2c91f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8a2c91f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x89317500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x89317500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89317500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89317500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x89317500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x89317500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8985b1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8985b1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8985b1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8985b1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8985b1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8985b1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8985b1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8901d1f8 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ扏济PhysicalDmVo, IRP_MJ_CREATE]
Process: System Address: 0x88fc9500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ扏济PhysicalDmVo, IRP_MJ_CLOSE]
Process: System Address: 0x88fc9500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ扏济PhysicalDmVo, IRP_MJ_READ]
Process: System Address: 0x88fc9500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ扏济PhysicalDmVo, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x88fc9500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ扏济PhysicalDmVo, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x88fc9500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ扏济PhysicalDmVo, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x88fc9500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ扏济PhysicalDmVo, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x88fc9500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ扏济PhysicalDmVo, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x88fc9500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ扏济PhysicalDmVo, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88fc9500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ扏济PhysicalDmVo, IRP_MJ_SHUTDOWN]
Process: System Address: 0x88fc9500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ扏济PhysicalDmVo, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x88fc9500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ扏济PhysicalDmVo, IRP_MJ_CLEANUP]
Process: System Address: 0x88fc9500 Size: 121

Object: Hidden Code [Driver: Cdfsࠅఆ扏济PhysicalDmVo, IRP_MJ_PNP]
Process: System Address: 0x88fc9500 Size: 121

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACabgrvtlrpa.sys

Service Name: vsfocewswvjygm
Image Path: C:\WINDOWS\system32\drivers\vsfocedhjgufub.sys

Shadow SSDT
-------------------
#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b30e70

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b30f20

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b30fe0

#: 489 Function Name: NtUserRegisterUserApiHook
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b2c4c0

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b2fd60

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b31250

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b2c0a0

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xb1b2c310

==EOF==

Attached Files



BC AdBot (Login to Remove)

 


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:03:04 PM

Posted 10 September 2009 - 11:24 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,011 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:03:04 PM

Posted 15 September 2009 - 06:58 PM

Due to the lack of feedback, this Topic is now closed.

In case you still have problems, please send me a Private message to reopen this topic within the next 5 days. Beyond that point, please start a new topic.

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users