
jqsnotify.exe - Entry Point Not Found [Virus removal help]


  • This topic is locked
6 replies to this topic

#1 Flowerpoddess


  • Members
  • 19 posts

Posted 19 September 2009 - 01:04 AM

I downloaded a couple of bad programs, I suppose; they show up as a virus or malware on my AVG virus scanner. However, these two clearly state that they're viruses and I'd like to remove them. These are the locations.

C:\Program Files\Java\jre6\bin\java.exe (3396)
C:\Program Files\Internet Explorer\iexplore.exe (476)


"\\?\globalroot\systemroot\system32\gasfkyqvpttpdw.dll";"Virus identified Packed.Hidden";"Moved to Virus Vault"
"C:\Downloads\ony03O7k_adobe.all.products.v1.02.keymaker.only-core.rar:\Adobe.All.Products.v1.02.Keymaker.Only-CORE\cr-ani12.zip";"Virus identified Win32/Virut.Z";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\gasfkyqvpttpdw.dll";"Virus identified Packed.Hidden";"Moved to Virus Vault"
"C:\Downloads\Adobe.All.Products.v1.02.Keymaker.Only-CORE\keygen.exe";"Virus identified Win32/Virut.Z";"Moved to Virus Vault"
"C:\Downloads\Adobe.All.Products.v1.02.Keymaker.Only-CORE\cr-ani12.zip:\keygen.exe";"Virus identified Win32/Virut.Z";"Moved to Virus Vault"
"C:\Downloads\Adobe.All.Products.v1.02.Keymaker.Only-CORE\cr-ani12.zip";"Virus identified Win32/Virut.Z";"Moved to Virus Vault"
"C:\Downloads\ony03O7k_adobe.all.products.v1.02.keymaker.only-core.rar:\Adobe.All.Products.v1.02.Keymaker.Only-CORE\cr-ani12.zip:\keygen.exe";"Virus identified Win32/Virut.Z";"Moved to Virus Vault"
"C:\Downloads\ony03O7k_adobe.all.products.v1.02.keymaker.only-core.rar";"Virus identified Win32/Virut.Z";"Moved to Virus Vault"
"C:\Program Files\Internet Explorer\iexplore.exe (476)";"Virus identified Packed.Hidden";""
"C:\Program Files\Java\jre6\bin\java.exe (3396)";"Virus identified Packed.Hidden";""



And I'm getting this error every time I start Firefox or while it stays running.

jqsnotify.exe - Entry Point Not Found
The procedure entry point ??_V@YAXPAX@Z could not be located in the dynamic link library msvcrt.dll


I have quite a few things in my Virus Vault. If I were to hit delete, would they get permanently deleted from my computer? Most of them are tracking cookies, but just the recent findings are classified as an infection: "Virus identified Win32/Virut.Z".

Please help, thanks.
Flowerpoddess

Edited by Flowerpoddess, 19 September 2009 - 01:07 AM.
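As an added example, not part of the post and not AVG's own code, here is a small triage script over the scanner records quoted above. It splits the semicolon-separated, double-quoted fields, maps the `\\?\globalroot\systemroot\` form back to a drive-letter path (a path written that way was opened through the NT object namespace rather than through a drive letter, which is how a scanner can still reach a file that a normal directory listing no longer shows), separates an archive member from the archive file that actually sits on disk, and singles out the records with an empty action column, which are the two running processes the scanner flagged but did not clean. `SYSTEM_ROOT` is an assumption taken from the RootRepeal log later in the thread; the sample records are copied from the post.

```python
import csv
import io
import re
from collections import defaultdict

# Assumption: the machine's system root (C:\WINDOWS, per the RootRepeal log
# later in the thread). "\\?\globalroot\systemroot\..." is how a scanner
# reports a file it opened through the kernel object namespace rather than
# through a drive-letter path.
SYSTEM_ROOT = r"C:\WINDOWS"
GLOBALROOT_PREFIX = r"\\?\globalroot\systemroot" + "\\"
DETECTION_PREFIX = "Virus identified "

# Constructed input: five of the records quoted in the post, unchanged.
SAMPLE = r'''"\\?\globalroot\systemroot\system32\gasfkyqvpttpdw.dll";"Virus identified Packed.Hidden";"Moved to Virus Vault"
"C:\Downloads\ony03O7k_adobe.all.products.v1.02.keymaker.only-core.rar:\Adobe.All.Products.v1.02.Keymaker.Only-CORE\cr-ani12.zip";"Virus identified Win32/Virut.Z";"Moved to Virus Vault"
"C:\Downloads\Adobe.All.Products.v1.02.Keymaker.Only-CORE\keygen.exe";"Virus identified Win32/Virut.Z";"Moved to Virus Vault"
"C:\Program Files\Internet Explorer\iexplore.exe (476)";"Virus identified Packed.Hidden";""
"C:\Program Files\Java\jre6\bin\java.exe (3396)";"Virus identified Packed.Hidden";""
'''

_PID_RE = re.compile(r"(.*) \((\d+)\)$")      # "...\iexplore.exe (476)"
_DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def normalize_object(obj):
    """Return (on-disk file, inner archive path or None, pid or None,
    reached_via_kernel_path) for one scanner object string."""
    pid = None
    m = _PID_RE.match(obj)
    if m:                                   # a running process, not just a file
        obj, pid = m.group(1), int(m.group(2))
    via_kernel = obj.lower().startswith(GLOBALROOT_PREFIX.lower())
    if via_kernel:                          # \\?\globalroot\systemroot\X -> C:\WINDOWS\X
        obj = SYSTEM_ROOT + "\\" + obj[len(GLOBALROOT_PREFIX):]
    inner = None
    if _DRIVE_RE.match(obj):
        # Past the drive letter, ":\" introduces an archive member; the part
        # before it is the file that actually exists on disk.
        head, tail = obj[:3], obj[3:]
        cut = tail.find(":\\")
        if cut != -1:
            obj, inner = head + tail[:cut], tail[cut + 2:]
    return obj, inner, pid, via_kernel


def parse_records(text):
    """Parse ';'-separated, double-quoted scanner records into dicts."""
    out = []
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(row) != 3:
            continue
        obj, detection, action = row
        file_, inner, pid, via_kernel = normalize_object(obj)
        family = detection[len(DETECTION_PREFIX):] if detection.startswith(DETECTION_PREFIX) else detection
        out.append({
            "file": file_, "inner": inner, "pid": pid, "family": family,
            "action": action, "via_kernel_path": via_kernel,
            # An empty action column means the scanner flagged the object but
            # did nothing about it, so the detection is still live on the box.
            "unresolved": action == "",
        })
    return out


def by_family(records):
    """Collapse records to the set of on-disk files per detection name."""
    families = defaultdict(set)
    for r in records:
        families[r["family"]].add(r["file"])
    return dict(families)


def triage(text):
    """On-disk files that still need attention: anything the scanner could
    not act on, plus anything it only reached through the kernel namespace."""
    return sorted({r["file"] for r in parse_records(text)
                   if r["unresolved"] or r["via_kernel_path"]})


if __name__ == "__main__":
    for fam, files in sorted(by_family(parse_records(SAMPLE)).items()):
        print(fam, "->", ", ".join(sorted(files)))
    print("needs attention:", triage(SAMPLE))
```

The nested-archive handling matters for the question asked in the post: the four Virut records collapse to two files on disk (the .rar and the extracted keygen.exe), so deleting from the vault removes exactly those, while the three Packed.Hidden records point at objects the vault action did not touch at all.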




#2 Flowerpoddess

  • Topic Starter

  • Members
  • 19 posts

Posted 19 September 2009 - 03:23 PM

I really need help. This error seems to be bringing on another error called b.exe, and whenever I start my Photoshop application it pops up with the error below, at least 8 times continuously.

jqsnotify.exe - Entry Point Not Found
The procedure entry point ??_V@YAXPAX@Z could not be located in the dynamic link library msvcrt.dll


Please help!!!

#3 garmanma


    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • Location:Cleveland, Ohio

Posted 20 September 2009 - 08:42 PM

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Direct Download (Recommended)
  • Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)

  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Right-click on rootrepeal.exe and rename it to tatertot.scr
  • Open [image] on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Mark

#4 Flowerpoddess

  • Topic Starter

  • Members
  • 19 posts

Posted 21 September 2009 - 08:01 AM

I will try this out; however, I can't seem to connect to the internet anymore. I have BOcleaner and it didn't allow an update; it might be because of a firewall. However, now nothing is working and my computer is extremely slow. I can't open Firefox at all, and the same goes for IE. Google Chrome opens somewhat but always pops up with an error that states "Kill" or "Wait".

I'll try using my laptop to get the above file and run it on my computer.

Flowerpoddess

#5 Flowerpoddess

  • Topic Starter

  • Members
  • 19 posts

Posted 21 September 2009 - 09:06 AM

Here is the report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/21 21:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 000012FD
Image Path: 000012FD
Address: 0x85F52000 Size: 41149 File Visible: No Signed: -
Status: -

Name: 000012FD
Image Path: 000012FD
Address: 0xF0F77000 Size: 81280 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF4071000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79E0000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP2994
Image Path: \Driver\PCI_PNP2994
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF10B5000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sppt.sys
Image Path: sppt.sys
Address: 0xF736C000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: synsenddrv.sys
Image Path: C:\WINDOWS\system32\drivers\synsenddrv.sys
Address: 0xF0ACB000 Size: 9344 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: Volume C:\, Sector 3
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 5
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 7
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 9
Status: Sector mismatch

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 13
Status: Sector mismatch

Path: Volume C:\, Sector 14
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 16
Status: Sector mismatch

Path: Volume C:\, Sector 17
Status: Sector mismatch

Path: Volume C:\, Sector 18
Status: Sector mismatch

Path: Volume C:\, Sector 19
Status: Sector mismatch

Path: Volume C:\, Sector 20
Status: Sector mismatch

Path: Volume C:\, Sector 21
Status: Sector mismatch

Path: Volume C:\, Sector 22
Status: Sector mismatch

Path: Volume C:\, Sector 23
Status: Sector mismatch

Path: Volume C:\, Sector 24
Status: Sector mismatch

Path: Volume C:\, Sector 25
Status: Sector mismatch

Path: Volume C:\, Sector 26
Status: Sector mismatch

Path: Volume C:\, Sector 27
Status: Sector mismatch

Path: Volume C:\, Sector 28
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 30
Status: Sector mismatch

Path: Volume C:\, Sector 31
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 34
Status: Sector mismatch

Path: Volume C:\, Sector 35
Status: Sector mismatch

Path: Volume C:\, Sector 36
Status: Sector mismatch

Path: Volume C:\, Sector 37
Status: Sector mismatch

Path: Volume C:\, Sector 38
Status: Sector mismatch

Path: Volume C:\, Sector 39
Status: Sector mismatch

Path: Volume C:\, Sector 40
Status: Sector mismatch

Path: Volume C:\, Sector 42
Status: Sector mismatch

Path: Volume C:\, Sector 43
Status: Sector mismatch

Path: Volume C:\, Sector 44
Status: Sector mismatch

Path: Volume C:\, Sector 45
Status: Sector mismatch

Path: Volume C:\, Sector 47
Status: Sector mismatch

Path: Volume C:\, Sector 48
Status: Sector mismatch

Path: Volume C:\, Sector 49
Status: Sector mismatch

Path: Volume C:\, Sector 50
Status: Sector mismatch

Path: Volume C:\, Sector 52
Status: Sector mismatch

Path: Volume C:\, Sector 53
Status: Sector mismatch

Path: Volume C:\, Sector 54
Status: Sector mismatch

Path: Volume C:\, Sector 55
Status: Sector mismatch

Path: Volume C:\, Sector 56
Status: Sector mismatch

Path: Volume C:\, Sector 58
Status: Sector mismatch

Path: Volume C:\, Sector 59
Status: Sector mismatch

Path: Volume C:\, Sector 60
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\RootRepeal report 09-21-09 (21-16-32).txt
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\gasfkybuhrmlto.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyqjecqeww.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyqvpttpdw.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkytltblvfh.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\gasfkyxymovnjr.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\gasfkyqgpxspbdcd.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\str.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\gasfkypyfqxdai.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\yxpvtjjzkcnwyf.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Windows\Local Settings\Temp\MessengerCache\WEG3zBbgXPKFhBtrm5y0bFRmcZw=
Status: Locked to the Windows API!

SSDT
-------------------
ServiceTable Hooked [0x86228510]!

#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4331f4a

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4331454

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4331aee

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf43324c6

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4331132

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf43331d6

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf43334ae

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4330cf8

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4332130

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf43322e0

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4330a5a

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sppt.sys" at address 0xf738bca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sppt.sys" at address 0xf738c032

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4332e58

#: 105 Function Name: NtMakeTemporaryObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf43316d8

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4331d32

#: 119 Function Name: NtOpenKey
Status: Hooked by "sppt.sys" at address 0xf736d0c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf433078a

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4331968

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4330902

#: 160 Function Name: NtQueryKey
Status: Hooked by "sppt.sys" at address 0xf738c10a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sppt.sys" at address 0xf738bf8a

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf433288c

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4331250

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4332bf4

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4333006

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf433268c

#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4331672

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf433185c

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4330ffc

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4330eca

Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x862a6b58, TID: 2096]
Process: svchost.exe (PID: 844) Address: 0x00cf1f3c Size: -

Object: Hidden Module [Name: gasfkyqjecqeww.dll]
Process: svchost.exe (PID: 844) Address: 0x00760000 Size: 53248

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8676e1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x86205500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x86205500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x86205500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x86205500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86205500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86205500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x86205500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x86205500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86205500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86205500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86205500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86205500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86205500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86205500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86205500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86205500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x86205500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x86205500 Size: 121

Object: Hidden Code [Driver: Udfsȅఉ晇癦່, IRP_MJ_CREATE]
Process: System Address: 0x862d2500 Size: 121

Object: Hidden Code [Driver: Udfsȅఉ晇癦່, IRP_MJ_CLOSE]
Process: System Address: 0x862d2500 Size: 121

Object: Hidden Code [Driver: Udfsȅఉ晇癦່, IRP_MJ_READ]
Process: System Address: 0x862d2500 Size: 121

Object: Hidden Code [Driver: Udfsȅఉ晇癦່, IRP_MJ_WRITE]
Process: System Address: 0x862d2500 Size: 121

Object: Hidden Code [Driver: Udfsȅఉ晇癦່, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x862d2500 Size: 121

Object: Hidden Code [Driver: Udfsȅఉ晇癦່, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x862d2500 Size: 121

Object: Hidden Code [Driver: Udfsȅఉ晇癦່, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x862d2500 Size: 121

Object: Hidden Code [Driver: Udfsȅఉ晇癦່, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x862d2500 Size: 121

Object: Hidden Code [Driver: Udfsȅఉ晇癦່, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x862d2500 Size: 121

Object: Hidden Code [Driver: Udfsȅఉ晇癦່, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x862d2500 Size: 121

Object: Hidden Code [Driver: Udfsȅఉ晇癦່, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x862d2500 Size: 121

Object: Hidden Code [Driver: Udfsȅఉ晇癦່, IRP_MJ_CLEANUP]
Process: System Address: 0x862d2500 Size: 121

Object: Hidden Code [Driver: Udfsȅఉ晇癦່, IRP_MJ_PNP]
Process: System Address: 0x862d2500 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x8676f1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x8676f1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8676f1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8676f1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x8676f1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8676f1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x8676f1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x86600500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x86600500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x86600500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x86600500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86600500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86600500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86600500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86600500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x86600500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86600500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x86600500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x865ff500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x865ff500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x865ff500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x865ff500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x865ff500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x865ff500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x865ff500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x865fb500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x865fb500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x865fb500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x865fb500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x865fb500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x865fb500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x865fb500 Size: 121

Object: Hidden Code [Driver: axm7u0asЅఅ瑎獆퐠찰, IRP_MJ_CREATE]
Process: System Address: 0x8659e470 Size: 121

Object: Hidden Code [Driver: axm7u0asЅఅ瑎獆퐠찰, IRP_MJ_CLOSE]
Process: System Address: 0x8659e470 Size: 121

Object: Hidden Code [Driver: axm7u0asЅఅ瑎獆퐠찰, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8659e470 Size: 121

Object: Hidden Code [Driver: axm7u0asЅఅ瑎獆퐠찰, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8659e470 Size: 121

Object: Hidden Code [Driver: axm7u0asЅఅ瑎獆퐠찰, IRP_MJ_POWER]
Process: System Address: 0x8659e470 Size: 121

Object: Hidden Code [Driver: axm7u0asЅఅ瑎獆퐠찰, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8659e470 Size: 121

Object: Hidden Code [Driver: axm7u0asЅఅ瑎獆퐠찰, IRP_MJ_PNP]
Process: System Address: 0x8659e470 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System Address: 0x864c51f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System Address: 0x864c51f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System Address: 0x864c51f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System Address: 0x864c51f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x864c51f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x864c51f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System Address: 0x864c51f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x864c51f8 Size: 121

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System Address: 0x864c51f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x867dc1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x862cf500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x862cf500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x862cf500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x862cf500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x862cf500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x862cf500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x862d0500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఛ楄�, IRP_MJ_CREATE]
Process: System Address: 0x86478500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఛ楄�, IRP_MJ_CLOSE]
Process: System Address: 0x86478500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఛ楄�, IRP_MJ_READ]
Process: System Address: 0x86478500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఛ楄�, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86478500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఛ楄�, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86478500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఛ楄�, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86478500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఛ楄�, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86478500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఛ楄�, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86478500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఛ楄�, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86478500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఛ楄�, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86478500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఛ楄�, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86478500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఛ楄�, IRP_MJ_CLEANUP]
Process: System Address: 0x86478500 Size: 121

Object: Hidden Code [Driver: Cdfsȅఛ楄�, IRP_MJ_PNP]
Process: System Address: 0x86478500 Size: 121

Hidden Services
-------------------
Service Name: gasfkypbimrdks
Image Path: C:\WINDOWS\system32\drivers\gasfkypyfqxdai.sys

Service Name: ojqur
Image Path: C:\WINDOWS\system32\drivers\yxpvtjjzkcnwyf.sys

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf433528a

#: 122 Function Name: NtGdiDeleteObjectApp
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf43359ae

#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf43353be

#: 233 Function Name: NtGdiOpenDCW
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf433586e

#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf43354fe

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4335632

#: 310 Function Name: NtUserBlockInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf433510a

#: 319 Function Name: NtUserCallHwndParamLock
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf433435c

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4334dda

#: 389 Function Name: NtUserGetClipboardData
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf433576c

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4334b48

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4334c8a

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf433482c

#: 465 Function Name: NtUserMoveWindow
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4334094

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf43344de

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf433468a

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4334f2a

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf43349ee

#: 509 Function Name: NtUserSetClipboardViewer
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4335020

#: 529 Function Name: NtUserSetParent
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xf4334204

#: 549 Function Name: NtUserSetWindowsH==EOF==



Thank you
Flowerpoddess

#6 garmanma

Computer Masochist
Staff Emeritus, 27,809 posts
Location: Cleveland, Ohio

Posted 21 September 2009 - 06:33 PM

You definitely have a rootkit. I'll save the long speech, but let me say it would be better to reformat and reinstall your operating system.
If that is not an option:

Now that you were successful in creating a log, you need to post it in our HJT forum:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/
Give a brief description and tell them that this log was all you could get to run successfully.
The HJT team is extremely busy, so be patient and good luck.
Mark

#7 Flowerpoddess (Topic Starter)

Members, 19 posts

Posted 22 September 2009 - 03:29 AM

Thank you, I will do that. The strange thing is that I tried opening Firefox and it opened without an error. I'm not sure if it was the registry reset that went through, because my computer was freezing a lot, or if BOclean is helping, because it's the last software I downloaded and I was able to open Firefox.

Flowerpoddess
