
Rootkit - [Computer 1] antivirus won't run - AV websites blocked - Google links redirecting


This topic is locked
15 replies to this topic

#1 jsteinpka

Posted 07 September 2009 - 01:18 AM

Hi everybody,

I have recently been affected by nasty viruses/trojans on both my PC and my laptop. I will start with my laptop since it is newer.

I have had the laptop for about a year now, running Vista with no problems and no viruses or spyware to bother me. I now have a malicious infection on the computer which has caused a number of issues:

- Internet Explorer opens, but does not load any websites
- Firefox works, but all Google links redirect to useless websites
- All antivirus websites are somehow blocked and Firefox cannot find their servers. This means I cannot run online virus scans
- My Norton Protection Center antivirus (which is also expired) freezes upon trying to run a virus scan
- AVG cannot install because when it tries to connect to the update server, the virus blocks the connection and it cannot find the server
- My laptop had its first ever blue screen of death and restarted
- Upon restart, the computer now runs incredibly slow and Performance CPU Usage ranges from 97% to 100%, while in the Processes tab of Task Manager nothing seems to be eating up any CPU at all
- There are false instances of iexplore.exe using up memory (these come and go)
- I tried running the GMER program but it caused my computer to blue screen and crash for the second time

Please help, I don't know what to do!!

Here are my logs:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Justin at 22:29:57.86 on 06/09/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_07
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.2.1033.18.1013.344 [GMT -4:00]

AV: Norton Internet Security *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxddcoms.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Users\Justin\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\conime.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Justin\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ca/
uSEARCH PAGE = hxxp://ca.rd.yahoo.com/customize/ycomp/defaults/sp/*http://ca.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.ca.acer.yahoo.com
mDefault_Page_URL = hxxp://en.ca.acer.yahoo.com
uSearchURL,(Default) = hxxp://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
uRun: [Acer Tour Reminder]
uRun: [<NO NAME>]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Acer Tour]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [eRecoveryService]
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~2.0_0\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\justin\appdata\roaming\mozilla\firefox\profiles\unncc84l.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20081114.002\IDSvix86.sys [2008-11-15 270384]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-9-3 179712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-11-16 99376]

=============== Created Last 30 ================

2009-09-06 10:32 <DIR> --dsh--- c:\windows\system32\lowsec
2009-09-06 09:50 0 a------- c:\windows\SC.INS
2009-09-06 09:50 0 a------- c:\windows\sc.exe
2009-09-06 09:50 <DIR> --d----- c:\program files\Protection System
2009-09-04 22:59 304 a------- c:\windows\system32\drivers\kgpfr2.cfg
2009-09-04 22:56 520 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-09-04 18:44 177,330,237 a------- c:\windows\MEMORY.DMP
2009-09-04 18:19 <DIR> --d----- c:\users\justin\appdata\roaming\AVG8
2009-09-04 18:04 258,048 a------- C:\5921549.exe
2009-09-04 18:04 176,640 a------- C:\3302358.exe
2009-09-04 18:03 492 a------- C:\5757105.exe
2009-09-04 18:03 <DIR> --dsh--- c:\windows\system32\%APPDATA%
2009-09-03 21:43 <DIR> --d----- c:\programdata\SITEguard
2009-09-03 21:43 <DIR> --d----- c:\progra~2\SITEguard
2009-09-03 21:41 <DIR> --d----- c:\program files\common files\iS3
2009-09-03 21:41 <DIR> --d----- c:\programdata\STOPzilla!
2009-09-03 21:41 <DIR> --d----- c:\progra~2\STOPzilla!
2009-08-30 13:12 <DIR> --d----- c:\programdata\Apple Computer
2009-08-24 17:23 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-24 17:23 218,624 a------- c:\windows\system32\msv1_0.dll
2009-08-24 17:23 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-24 17:23 270,848 a------- c:\windows\system32\schannel.dll
2009-08-24 17:23 1,259,008 a------- c:\windows\system32\lsasrv.dll
2009-08-24 17:23 439,864 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-24 17:23 72,704 a------- c:\windows\system32\secur32.dll
2009-08-24 17:23 9,728 a------- c:\windows\system32\lsass.exe
2009-08-24 17:23 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-24 17:20 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-24 17:20 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-24 17:20 71,680 a------- c:\windows\system32\atl.dll

==================== Find3M ====================

2009-07-21 17:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 17:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 17:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 16:13 154,112 a------- c:\windows\system32\ieUnatt.exe
2009-07-15 08:40 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-07-15 08:39 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-07-15 08:39 4,096 a------- c:\windows\system32\dxmasf.dll
2009-07-15 08:39 7,680 a------- c:\windows\system32\spwmp.dll
2009-06-15 10:53 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 10:52 23,552 a------- c:\windows\system32\lpk.dll
2009-06-15 10:52 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 10:51 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 08:42 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-01 19:31 86,016 a------- c:\windows\inf\infpub.dat
2009-06-01 19:31 143,360 a------- c:\windows\inf\infstrng.dat
2009-06-01 19:31 143,360 a------- c:\windows\inf\infstor.dat
2009-05-27 18:46 665,600 a------- c:\windows\inf\drvindex.dat
2008-09-11 16:11 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 22:36:30.79 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/07 02:10
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x8C4E9000 Size: 45056 File Visible: No Signed: -
Status: -

Name: dump_msahci.sys
Image Path: C:\Windows\System32\Drivers\dump_msahci.sys
Address: 0x8C4F4000 Size: 40960 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xAB35B000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: spul.sys
Image Path: C:\Windows\System32\Drivers\spul.sys
Address: 0x8623C000 Size: 1048576 File Visible: No Signed: -
Status: -

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1188 Status: Locked to the Windows API!

SSDT
-------------------
#: 013 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8bc47320

#: 014 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8bc47358

#: 018 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x83bff1a8

#: 054 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8ba32688

#: 067 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x83c09370

#: 078 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8bcc55e0

#: 147 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x83bd2bf8

#: 156 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8ca84158

#: 158 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8bc472e8

#: 177 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x852535f0

#: 184 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8ca858b0

#: 195 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8ca9e500

#: 202 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x83c08200

#: 282 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8ca85258

#: 289 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8bb12d90

#: 305 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x83bd2a58

#: 306 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x83c080a8

#: 330 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8ca12358

#: 331 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8bb12d20

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x85e79ee8

#: 335 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8bb12d58

#: 348 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8ca85e78

#: 358 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x83bff118

Stealth Objects
-------------------
Object: Hidden Module [Name: rotscxkpginrcx.dll]
Process: svchost.exe (PID: 816) Address: 0x10000000 Size: 53248

Object: Hidden Module [Name: RacAgent.exe]
Process: svchost.exe (PID: 1068) Address: 0x00a10000 Size: 49152

Object: Hidden Module [Name: rotscxxrrnstyr.dll]
Process: Explorer.EXE (PID: 1636) Address: 0x00850000 Size: 28672

Object: Hidden Module [Name: rotscxklptpgrw.dll]
Process: Explorer.EXE (PID: 1636) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: rotscxklptpgrw.dll]
Process: firefox.exe (PID: 4208) Address: 0x007c0000 Size: 28672

Object: Hidden Module [Name: rotscxxrrnstyr.dll]
Process: firefox.exe (PID: 4208) Address: 0x01090000 Size: 28672

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x843bf1f8 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_CREATE]
Process: System Address: 0x842f6500 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x842f6500 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_READ]
Process: System Address: 0x842f6500 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_WRITE]
Process: System Address: 0x842f6500 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x842f6500 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x842f6500 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x842f6500 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x842f6500 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x842f6500 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x842f6500 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x842f6500 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x842f6500 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x842f6500 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x842f6500 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x842f6500 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x842f6500 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x842f6500 Size: 121

Object: Hidden Code [Driver: fastfat, IRP_MJ_PNP]
Process: System Address: 0x842f6500 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x843bd1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x843bd1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x843bd1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x843bd1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x843bd1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x843bd1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x843bd1f8 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_CREATE]
Process: System Address: 0x85358500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x85358500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_READ]
Process: System Address: 0x85358500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_WRITE]
Process: System Address: 0x85358500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85358500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85358500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85358500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85358500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_POWER]
Process: System Address: 0x85358500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85358500 Size: 121

Object: Hidden Code [Driver: cdrom, IRP_MJ_PNP]
Process: System Address: 0x85358500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8524c1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8524c1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8524c1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8524c1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8524c1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8524c1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8524c1f8 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_CREATE]
Process: System Address: 0x85a3b1f8 Size: 121

Object: Hidden Code [Driver: Smb, IRP_MJ_CLOSE]
Process: System Address: 0x85a3b1f8 Size: 121



Thanks in advance!



#2 fenzodahl512 (Members, 6,738 posts)

Posted 10 September 2009 - 12:05 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix (the original post showed two screenshots of this step).


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 jsteinpka (Topic Starter, Members, 23 posts)

Posted 10 September 2009 - 05:12 PM

Hello fenzodahl512,

Thank you for helping me with my problem.

Here's what just happened:

Norton wouldn't open via the taskbar icon or the start menu shortcut. So I restarted the computer, and the virus re-arranged my desktop icons and added three shortcuts: youporn.com, pornotube.com, and nudetube.com.

I was then able to open Norton Internet Security and disable all of the features except one - when I disable "Intrusion Prevention", it stays ON. (screenshot attached)

Then I tried to run combo-fix.exe, but I got a warning stating that it is UNSAFE TO CONTINUE and that I may have a file-patching virus. (screenshot attached).

Please help!


#4 fenzodahl512 (Members, 6,738 posts)

Posted 10 September 2009 - 11:39 PM

Please show hidden files and folders.

Please go to VirusTotal.

1. Browse to these files:

C:\Windows\explorer.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\winlogon.exe
C:\Windows\regedit.exe


2. Hit the Send File button >> Don't close the browser!

3. If the files have been analyzed before, click on the Reanalyze file now button

4. Let it do the scanning until it finishes

5. Copy the report and paste it here (alternatively you can just post the link of the result)

Note: you can only send one file at a time..



#5 jsteinpka (Topic Starter, Members, 23 posts)

Posted 11 September 2009 - 03:09 PM

Hi,

I made all hidden files and folders show, but I can't get to the Virustotal website. This is one of many websites the virus is blocking, along with mcafee.com, kaspersky.com, avg.com, norton.com, etc.

Is there somewhere else I can go to do the virustotal scan?

#6 fenzodahl512 (Members, 6,738 posts)

Posted 11 September 2009 - 03:12 PM

Can you upload it at VirSCAN.org FREE on-line scan service?



#7 jsteinpka (Topic Starter, Members, 23 posts)

Posted 11 September 2009 - 03:13 PM

Yes, I can get there - I will upload the files now.

#8 jsteinpka (Topic Starter, Members, 23 posts)

Posted 11 September 2009 - 03:16 PM

http://virscan.org/report/ed4fd61ba77f2abf...ce2eb4e2be.html

http://www.virscan.org/report/cde122390fa3...e4cb4be516.html

#9 jsteinpka (Topic Starter, Members, 23 posts)

Posted 11 September 2009 - 03:23 PM

http://www.virscan.org/report/3c0cc5be1f94...792c505a07.html

http://www.virscan.org/report/6e1710979dcd...e03a7c70bb.html

I don't know if the first three files even scanned, but the fourth one found some viruses. What should I do next?

BTW I really appreciate your help.

#10 fenzodahl512 (Members, 6,738 posts)

Posted 11 September 2009 - 03:34 PM

Well, the computer is infected with Virut.. Looking at the log, I would advise you to start backing up all of your valuable data/documents/pictures/movies/songs/etc.. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar/.pif/.asp/.php/.iso files... Since the computer is already infected with Virut, you have to wipe the machine clean..

Make sure you back up everything ONLY via CD or DVD (non-rewritable).. If you need to back up to an external hard drive or thumbdrive, make sure it is EMPTY.. Meaning NO FILE inside it.. Format the external drive first before attaching it to the infected computer.. A single .exe file inside the external drive may infect other computers as well

A quote from an expert (sUBs):

> Virut is not disinfectable. Your only option is to perform a full reformat. Do NOT attempt a repair install. It shall be a waste of time. If you do so, the infected executables remain on the machine & you shall likely trigger another bout of Virut.
>
> If you do not know how to perform a fresh install, use this website > http://www.windowsreinstall.com/
>
> Note: If you have to backup files, do so only for MS Office documents & any non executable file. Burn them to CD/DVD. Do NOT copy files from the infected machine to your pendrive OR another machine. You risk infecting the other machine.

A full reformat means formatting ALL partitions..

I'll leave this topic open until you successfully reformat the computer..

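The backup rules in the post above (copy documents, skip the listed extensions, copy nothing executable), as an added Python example that is not from the thread or its helpers. The sample directory tree, file names and contents are constructed for the demo, and the "MZ" header check is an assumption added here on top of the post's extension list.

```python
import os
import shutil
import tempfile

# File types the helper's post says NOT to back up from a Virut-infected machine.
EXCLUDED_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip",
                       ".rar", ".pif", ".asp", ".php", ".iso"}

def looks_like_pe(path):
    """Virut infects executables, so also refuse any file starting with the
    'MZ' DOS header, whatever its extension says (an addition of this example)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return True  # unreadable: treat as unsafe rather than copy blindly

def is_safe_to_backup(path):
    ext = os.path.splitext(path)[1].lower()
    return ext not in EXCLUDED_EXTENSIONS and not looks_like_pe(path)

def backup_documents(src_root, dst_root):
    """Copy only files that pass is_safe_to_backup into dst_root, keeping the
    relative layout; return (copied, skipped) so the operator can review both."""
    copied, skipped = [], []
    for dirpath, _dirs, files in os.walk(src_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, src_root).replace(os.sep, "/")
            if not is_safe_to_backup(full):
                skipped.append(rel)
                continue
            target = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(full, target)
            copied.append(rel)
    return sorted(copied), sorted(skipped)

def demo():
    """Constructed sample tree (not files from the thread): a document, a photo,
    an .exe, an .htm page and a renamed executable carrying a .txt name."""
    samples = {
        "docs/thesis.docx": b"PK\x03\x04 fake office document",
        "docs/holiday.jpg": b"\xff\xd8\xff fake jpeg",
        "docs/setup.exe": b"MZ fake executable",
        "docs/index.htm": b"<html>fake page</html>",
        "docs/notes.txt": b"MZ renamed executable",
    }
    with tempfile.TemporaryDirectory() as base:
        src, dst = os.path.join(base, "infected"), os.path.join(base, "backup")
        os.makedirs(os.path.join(src, "docs"))
        for rel, data in samples.items():
            with open(os.path.join(src, *rel.split("/")), "wb") as fh:
                fh.write(data)
        return backup_documents(src, dst)

if __name__ == "__main__":
    print(demo())
```

The skipped list is the part worth reading: it shows the renamed executable that an extension-only filter would have carried onto the clean machine.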


#11 jsteinpka (Topic Starter, Members, 23 posts)

Posted 11 September 2009 - 03:45 PM

Are you serious??? I don't think I got a copy of windows on disc with my computer - just the software pre-installed!!!!

How do I reinstall Windows if I reformat?


I'm trying to find information on the website you posted but haven't found anything helpful.

Edited by jsteinpka, 11 September 2009 - 03:50 PM.


#12 fenzodahl512 (Members, 6,738 posts)

Posted 11 September 2009 - 03:58 PM

> Are you serious??

When it comes to Virut.. I'm 10000% serious.. No joke here..

> I don't think I got a copy of windows on disc with my computer - just the software pre-installed!!!!

You need a Windows CD..

> How do I reinstall Windows if I reformat?

http://support.microsoft.com/kb/313348




#13 jsteinpka (Topic Starter, Members, 23 posts)

Posted 11 September 2009 - 04:04 PM

I have Vista and a legit product key - but no CD - do you know how I would go about getting my hands on one? Could I use anybody's Vista cd or does it have to be a certain copy?

Also, the drive is partitioned and I have a D: with what looks like an OEM reset application. Would this be an option I can use?

Edited by jsteinpka, 11 September 2009 - 04:07 PM.


#14 jsteinpka (Topic Starter, Members, 23 posts)

Posted 11 September 2009 - 04:14 PM

I just spoke with the guy at the computer store where I bought the laptop and he said that I could perform a recovery of the operating system from the partitioned drive by hitting F10 on boot-up. (this includes reformat, etc.) Would you recommend this, or should I contact the manufacturer (ACER) for support?

#15 fenzodahl512 (Members, 6,738 posts)

Posted 11 September 2009 - 09:52 PM

> should I contact the manufacturer (ACER) for support?

This is the best thing to do...

> I just spoke with the guy at the computer store where I bought the laptop and he said that I could perform a recovery of the operating system from the partitioned drive by hitting F10 on boot-up.

You can try it.. But I won't guarantee that the "Recovery Partition" is also clean..

Or, you can try to use Dr.Web LiveCD at your own risk.. I won't guarantee its effectiveness, but if there's a way to combat Virut, this is the only way.. If it fails, then, reformat it is..

http://www.freedrweb.com/livecd/

You have to download and burn it from another clean computer..





