
unknown infection


  • This topic is locked
2 replies to this topic

#1 booworthy

Posted 19 September 2009 - 04:57 PM

DDS


DDS (Ver_09-07-30.01) - NTFSx86
Run by Brendan Molloy at 22:43:09.07 on 19/09/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.959.121 [GMT 1:00]

AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\aol\aol toolbar 5.0\AolTbServer.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Microsoft Works\WkDStore.exe
C:\Program Files\Microsoft Works\wkgdcach.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\Program Files\Microsoft Works\WksWP.exe
C:\Documents and Settings\Brendan Molloy\Application Data\U3\3247430C80927AC4\LaunchPad.exe
C:\Program Files\Microsoft Works\WksWP.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Brendan Molloy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://start.icq.com/
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://search.aol.co.uk/web?isinit=true&query=%s
uURLSearchHooks: H - No File
mURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: MSN helper: {45e20dc8-b3c1-43c9-8b05-4e9cff8e65f2} - gxlx.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.5.2.11\IPSBHO.DLL
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MSN helper: {ba1c005b-3a0d-45c0-8204-70b8459d4fd2} - hgop32.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: kikin Plugin: {e601996f-e400-41ca-804b-cd6373a7eee2} - c:\program files\kikin\ie_kikin.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
TB: {8AE33802-00D3-4F1B-B5C7-6FEE34E402CE} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [Monopod] c:\docume~1\brenda~1\locals~1\temp\c.exe
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [CTCheck] c:\program files\creative\creative zen\zen media explorer\CTCheck.exe
mRun: [Media Codec Update Service] c:\program files\essentials codec pack\update.exe -silent
mRun: [PCSuiteTrayApplication] c:\program files\nokia\nokia pc suite 6\LaunchApplication.exe -startup
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Nokia.PCSync] c:\program files\nokia\nokia pc suite 6\PcSync2.exe /NoDialog
StartupFolder: c:\docume~1\brenda~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.3\program\quickstart.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-gb\local\search.html
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6.5\ICQ.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0F7195C2-6713-4d93-A1BC-DA5FA33F0A65} - {E601996F-E400-41CA-804B-CD6373A7EEE2} - c:\program files\kikin\ie_kikin.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/fhg.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: {B7DE6EAC-59C3-43DB-A9EA-99050263DD78} = 92.31.242.20,92.31.242.21
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.5.2.11\CoIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brenda~1\applic~1\mozilla\firefox\profiles\dqg5bns6.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - hxxp://start.icq.com/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\brendan molloy\application data\mozilla\firefox\profiles\dqg5bns6.default\extensions\{aa994882-f391-4d2e-806f-8908da4814ed}\components\kikin.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\all users\application data\nexoneu\ngm\npNxGameeu.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0305020.00b\SymEFA.sys [2009-8-31 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0305020.00b\BHDrvx86.sys [2009-8-31 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0305020.00b\cchpx86.sys [2009-8-31 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090916.003\IDSXpx86.sys [2009-9-17 329080]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
R2 HssSrv;Hotspot Shield Routing Service;c:\program files\hotspot shield\hsswpr\hsssrv.exe [2009-8-6 331824]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.5.2.11\ccSvcHst.exe [2009-8-31 117640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090919.002\NAVENG.SYS [2009-9-19 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090919.002\NAVEX15.SYS [2009-9-19 1323568]
R3 tap0901;TAP-Win32 Adapter V9;c:\windows\system32\drivers\tap0901.sys [2009-7-22 28592]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\hotspot shield\bin\HssTrayService.exe [2009-8-11 57640]

=============== Created Last 30 ================

2009-09-19 21:14 1,469 a------- c:\windows\system32\nk.dat
2009-09-19 21:04 <DIR> --d----- c:\program files\Trend Micro
2009-09-19 14:05 45 a------- c:\windows\system32\ca.dat
2009-09-17 00:39 1 a------- c:\windows\system32\idm.dat
2009-09-17 00:39 1 a------- c:\windows\system32\c2d.dat
2009-09-14 03:03 0 a------- c:\windows\system32\cd.dat
2009-09-14 01:35 <DIR> --d----- c:\program files\IGZones
2009-09-13 15:19 <DIR> --d----- c:\program files\ICQ6Toolbar
2009-09-13 15:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ICQ
2009-09-13 15:16 <DIR> --d----- c:\program files\ICQ6.5
2009-09-11 19:07 <DIR> --d----- c:\program files\Garena
2009-09-10 17:00 33,792 a------- c:\windows\system32\gxlr.dll
2009-09-10 16:50 17,916 a------- c:\windows\system32\jfg
2009-09-10 16:50 33,792 a------- c:\windows\system32\gxlx.dll
2009-09-09 12:46 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-08 13:48 <DIR> --d----- c:\windows\pss
2009-09-04 08:58 <DIR> --d----- c:\program files\Smart Virus Remover
2009-09-03 19:08 1 a------- c:\windows\system32\q1.dat
2009-09-03 14:00 33,280 a------- c:\windows\system32\hgop32.dll
2009-09-03 13:45 16,652 a------- c:\windows\system32\gdj
2009-09-03 13:45 33,280 a------- c:\windows\system32\hjop32.dll
2009-09-03 13:45 62,976 a------- c:\windows\system32\inform.dat
2009-08-29 20:14 <DIR> --d----- c:\program files\Half-Life 2 Deathmatch
2009-08-29 14:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nexon
2009-08-29 11:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NexonEU
2009-08-29 10:01 <DIR> --d----- C:\Download
2009-08-29 09:59 421,888 a------- c:\windows\NEXON_EU_DownloaderUpdater.exe
2009-08-25 18:52 <DIR> --d----- c:\program files\Tremulous

==================== Find3M ====================

2009-09-19 21:58 15,210 a------- c:\docume~1\brenda~1\applic~1\wklnhst.dat
2009-08-20 15:53 124,976 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-20 15:53 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-08-20 15:53 7,456 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-20 15:53 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-20 15:52 26,600 a----r-- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-20 15:52 107,368 a----r-- c:\windows\system32\GEARAspi.dll
2009-08-18 20:20 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-08-15 13:10 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-04 17:31 34 a------- c:\documents and settings\brendan molloy\jagex_runescape_preferences.dat
2009-07-22 20:13 28,592 a------- c:\windows\system32\drivers\tap0901.sys
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-09 12:16 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-06-29 17:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 17:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 17:12 17,408 -------- c:\windows\system32\corpol.dll
2009-06-28 00:29 348,160 a------- c:\windows\system32\msvcr71.dll
2009-06-25 09:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 09:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 09:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 09:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 09:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 09:25 54,272 a------- c:\windows\system32\wdigest.dll
2006-05-31 07:39 181,745 a------- c:\program files\JUN2006_XACT_x64.cab
2006-05-31 07:39 134,631 a------- c:\program files\JUN2006_XACT_x86.cab
2006-05-31 07:39 41,998 a------- c:\program files\dxdllreg_x86.cab
2006-05-31 07:25 82,190 a------- c:\program files\dxupdate.cab
2006-05-31 07:24 2,248,984 a------- c:\program files\dsetup32.dll
2006-05-31 07:23 484,632 a------- c:\program files\DXSETUP.exe
2006-05-31 07:22 74,520 a------- c:\program files\DSETUP.dll
2006-03-31 13:56 4,163,518 -------- c:\program files\Apr2006_MDX1_x86_Archive.cab
2006-03-31 13:56 1,398,718 -------- c:\program files\Apr2006_d3dx9_30_x64.cab
2006-03-31 13:56 1,116,109 -------- c:\program files\Apr2006_d3dx9_30_x86.cab
2006-03-31 13:56 917,318 -------- c:\program files\Apr2006_MDX1_x86.cab
2006-03-31 13:56 180,021 -------- c:\program files\Apr2006_XACT_x64.cab
2006-03-31 13:56 87,989 -------- c:\program files\Apr2006_xinput_x64.cab
2006-03-31 13:56 46,898 -------- c:\program files\Apr2006_xinput_x86.cab
2006-03-31 13:56 133,991 -------- c:\program files\Apr2006_XACT_x86.cab
2006-02-03 10:00 1,363,684 -------- c:\program files\Feb2006_d3dx9_29_x64.cab
2006-02-03 10:00 1,085,608 -------- c:\program files\Feb2006_d3dx9_29_x86.cab
2006-02-03 10:00 179,247 -------- c:\program files\Feb2006_XACT_x64.cab
2006-02-03 10:00 133,297 -------- c:\program files\Feb2006_XACT_x86.cab
2005-12-05 19:31 1,358,864 -------- c:\program files\Dec2005_d3dx9_28_x64.cab
2005-12-05 19:31 1,080,344 -------- c:\program files\Dec2005_d3dx9_28_x86.cab
2005-12-05 19:31 86,925 -------- c:\program files\Oct2005_xinput_x64.cab
2005-12-05 19:31 46,247 -------- c:\program files\Oct2005_xinput_x86.cab
2005-07-22 20:14 1,351,430 -------- c:\program files\Aug2005_d3dx9_27_x64.cab
2005-07-22 20:14 1,078,532 -------- c:\program files\Aug2005_d3dx9_27_x86.cab
2005-05-26 15:49 1,336,890 -------- c:\program files\Jun2005_d3dx9_26_x64.cab
2005-05-26 15:49 1,065,813 -------- c:\program files\Jun2005_d3dx9_26_x86.cab
2005-03-18 18:40 1,348,242 -------- c:\program files\Apr2005_d3dx9_25_x64.cab
2005-03-18 18:40 1,079,850 -------- c:\program files\Apr2005_d3dx9_25_x86.cab
2005-02-05 21:03 1,248,387 -------- c:\program files\Feb2005_d3dx9_24_x64.cab
2005-02-05 21:03 1,014,113 -------- c:\program files\Feb2005_d3dx9_24_x86.cab
2004-09-27 12:29 13,265,040 -------- c:\program files\dxnt.cab
2004-09-27 12:29 15,493,481 -------- c:\program files\DirectX.cab
2004-09-27 12:29 1,156,363 -------- c:\program files\BDANT.cab
2004-09-27 12:29 976,020 -------- c:\program files\BDAXP.cab
2004-09-27 12:29 703,080 -------- c:\program files\BDA.cab
2009-02-15 00:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009021420090215\index.dat

============= FINISH: 22:44:06.82 ===============


ROOT REPEAL LOG

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/19 22:52
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF01D1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B56000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP3434
Image Path: \Driver\PCI_PNP3434
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xECC3E000 Size: 49152 File Visible: No Signed: -
Status: -

Name: speh.sys
Image Path: speh.sys
Address: 0xF743A000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF732B000 Size: 323584 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x85fb5408

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x85e91bd8

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x85e80cd0

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x85cc6cd0

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x861ebc68

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf0647130

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x8614d1f8

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x860ec238

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x85c74430

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x85e93240

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf06473b0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf0647910

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x85f5f520

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "speh.sys" at address 0xf7459ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "speh.sys" at address 0xf745a032

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x860f68c0

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x85f79b48

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8608ecd0

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x861f9438

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x85fb1d78

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x85e96370

#: 119 Function Name: NtOpenKey
Status: Hooked by "speh.sys" at address 0xf743b0c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x860ffc00

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x860a8b18

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x85f5c728

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x85f774d0

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x860ec308

#: 160 Function Name: NtQueryKey
Status: Hooked by "speh.sys" at address 0xf745a10a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "speh.sys" at address 0xf7459f8a

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x85f43b10

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x85f5a3e8

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x85f6c280

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x861bf230

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xf0647b60

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x85fbb770

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x860d34c8

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x85fe48a8

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x85f5a858

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x861c3980

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x85fb5900

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x863d91f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x850491f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x850491f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x850491f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x850491f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x850491f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x850491f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x850491f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x850491f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x850491f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x850491f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x850491f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x850491f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x850491f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x850491f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x850491f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x850491f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x850491f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x850491f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x861a4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x861a4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x861a4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x861a4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x861a4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x861a4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x861a4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x861a4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x861a4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x861a4500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x861a4500 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x8434f1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x8434f1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x8434f1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x8434f1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8434f1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8434f1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x8434f1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8434f1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x8434f1f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x861c61f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x861c61f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x861c61f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x861c61f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x861c61f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x861c61f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x861c61f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8636c1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8636c1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8636c1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8636c1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8636c1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8636c1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8636c1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8636c1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8636c1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8636c1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8636c1f8 Size: 121

Object: Hidden Code [Driver: agruq1koȅ敓ȁః䅓瑰Ȃ, IRP_MJ_CREATE]
Process: System Address: 0x86140500 Size: 121

Object: Hidden Code [Driver: agruq1koȅ敓ȁః䅓瑰Ȃ, IRP_MJ_CLOSE]
Process: System Address: 0x86140500 Size: 121

Object: Hidden Code [Driver: agruq1koȅ敓ȁః䅓瑰Ȃ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86140500 Size: 121

Object: Hidden Code [Driver: agruq1koȅ敓ȁః䅓瑰Ȃ, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86140500 Size: 121

Object: Hidden Code [Driver: agruq1koȅ敓ȁః䅓瑰Ȃ, IRP_MJ_POWER]
Process: System Address: 0x86140500 Size: 121

Object: Hidden Code [Driver: agruq1koȅ敓ȁః䅓瑰Ȃ, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86140500 Size: 121

Object: Hidden Code [Driver: agruq1koȅ敓ȁః䅓瑰Ȃ, IRP_MJ_PNP]
Process: System Address: 0x86140500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x85c5d500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x85c5d500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85c5d500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85c5d500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x85c5d500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x85c5d500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x861b1500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x861b1500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x861b1500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x861b1500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x861b1500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x861b1500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x861b1500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x85f49500 Size: 121

Object: Hidden Code [Driver: CdfsЅఘ瑎獆蘋, IRP_MJ_CREATE]
Process: System Address: 0x85050500 Size: 121

Object: Hidden Code [Driver: CdfsЅఘ瑎獆蘋, IRP_MJ_CLOSE]
Process: System Address: 0x85050500 Size: 121

Object: Hidden Code [Driver: CdfsЅఘ瑎獆蘋, IRP_MJ_READ]
Process: System Address: 0x85050500 Size: 121

Object: Hidden Code [Driver: CdfsЅఘ瑎獆蘋, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85050500 Size: 121

Object: Hidden Code [Driver: CdfsЅఘ瑎獆蘋, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85050500 Size: 121

Object: Hidden Code [Driver: CdfsЅఘ瑎獆蘋, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85050500 Size: 121

Object: Hidden Code [Driver: CdfsЅఘ瑎獆蘋, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85050500 Size: 121

Object: Hidden Code [Driver: CdfsЅఘ瑎獆蘋, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85050500 Size: 121

Object: Hidden Code [Driver: CdfsЅఘ瑎獆蘋, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85050500 Size: 121

Object: Hidden Code [Driver: CdfsЅఘ瑎獆蘋, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85050500 Size: 121

Object: Hidden Code [Driver: CdfsЅఘ瑎獆蘋, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85050500 Size: 121

Object: Hidden Code [Driver: CdfsЅఘ瑎獆蘋, IRP_MJ_CLEANUP]
Process: System Address: 0x85050500 Size: 121

Object: Hidden Code [Driver: CdfsЅఘ瑎獆蘋, IRP_MJ_PNP]
Process: System Address: 0x85050500 Size: 121

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x85fd7500

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x85c79210

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x85fcc990

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x85f8e438

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x8505c388

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x84fe91f8

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x84fe51f8

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x84fe71f8

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x8504d610

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x85f8cb18

==EOF==


Edited by booworthy, 19 September 2009 - 04:59 PM.


#2 Blade

    Strong in the Bleepforce

  • Site Admin
  • 12,702 posts
  • Gender:Male
  • Location:US

Posted 06 October 2009 - 08:34 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



#3 myrti

    Sillyberry

  • Malware Study Hall Admin
  • 33,766 posts
  • Gender:Female
  • Location:At home

Posted 14 October 2009 - 12:45 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti





