Performance decay after having a run in with a trojan.


  • This topic is locked
2 replies to this topic

#1 Crunchbite001

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:25 AM

Posted 11 October 2009 - 07:27 PM

I've had a couple fatal errors when booting up my computer, but it still lets me go on about my business.

DDS/Rootrepeal included along with attach.



DDS (Ver_09-10-12.01) - NTFSx86
Run by Administrator at 17.11.51.28 on Sun 10/11/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.512.157 [GMT -7:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Cosmi\SpyWare Killer Pro\stealth\stealthsurf.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = about:blank
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = localhost:9095
mURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: : {60d3aaeb-aa39-4ae0-b2f9-e4af0613a2a3} - c:\progra~1\cosmi\spyware killer pro\pop\abg_plugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {9198CEC1-4DD8-95E7-1053-F5AAFDBBE0FB} - No File
uRun: [!1_ProcessGuard_Startup] "c:\program files\processguard\procguard.exe" -minimize
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [!1_pgaccount] "c:\program files\processguard\pgaccount.exe"
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\update
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1236404592578
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\ajn24ydj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://www.mmo-champion.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-7-8 12552]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-10-9 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-8 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-8 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-10 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-10 297752]
R2 DCSPGSRV;DiamondCS ProcessGuard Service v3.500;c:\program files\processguard\DCSUserProt.exe [2009-10-3 31744]
R2 procguard;procguard;c:\windows\system32\drivers\procguard.sys [2009-10-3 26688]
R2 PStrip;PSTRIP;c:\windows\system32\drivers\pstrip.sys [2007-7-14 27992]
S2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-3-9 38224]
S4 LiveTurbineMessageService;Turbine Message Service - Live;"c:\program files\turbine\turbine download manager\turbinemessageservice.exe" --> c:\program files\turbine\turbine download manager\TurbineMessageService.exe [?]
S4 LiveTurbineNetworkService;Turbine Network Service - Live;"c:\program files\turbine\turbine download manager\turbinenetworkservice.exe" --> c:\program files\turbine\turbine download manager\TurbineNetworkService.exe [?]
S4 NOD32FiXTemDono;Eset Nod32 Boot;c:\windows\system32\regedt32.exe [2008-4-13 3584]
S4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-3-7 603904]

=============== Created Last 30 ================

2009-10-11 17:09 <DIR> --d----- c:\program files\Trend Micro
2009-10-11 14:31 3,250 a------- c:\windows\system32\wbem\Outlook_01ca4aba1fb17dfe.mof
2009-10-11 13:46 <DIR> -cd----- c:\docume~1\admini~1\applic~1\Rainmeter
2009-10-11 13:45 <DIR> --d----- c:\program files\Rainmeter
2009-10-10 12:02 <DIR> --d----- c:\program files\Koei
2009-10-09 21:19 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-10-09 21:18 <DIR> --d----- c:\program files\Panda Security
2009-10-09 11:45 <DIR> --d----- c:\program files\Microsoft Office Outlook Connector
2009-10-09 11:44 <DIR> --d----- c:\program files\Microsoft
2009-10-09 11:44 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-10-09 11:37 <DIR> --d----- c:\program files\common files\Windows Live
2009-10-09 11:28 3,250 a------- c:\windows\system32\wbem\Outlook_01ca490e41d92111.mof
2009-10-07 21:15 <DIR> --d----- c:\program files\PowerStrip
2009-10-05 12:06 <DIR> --d----- c:\program files\BestGameEver
2009-10-05 11:14 <DIR> --d----- c:\program files\LimeWire
2009-10-03 22:53 <DIR> -cd----- c:\docume~1\admini~1\applic~1\OpenDNS Updater
2009-10-03 16:22 124,532 a------- c:\windows\system32\pghash.dat
2009-10-03 16:22 75,592 a------- c:\windows\system32\pguard.dat
2009-10-03 16:11 44,544 a------- c:\windows\system32\procguard.dll
2009-10-03 16:11 26,688 a------- c:\windows\system32\drivers\procguard.sys
2009-10-03 16:11 <DIR> --d----- c:\program files\ProcessGuard
2009-10-03 16:04 <DIR> --d----- c:\program files\SpywareBlaster
2009-10-01 10:15 <DIR> -cd-h--- c:\windows\ie8
2009-09-30 09:25 <DIR> --d----- c:\program files\Microsoft Games
2009-09-29 17:49 <DIR> --d----- c:\program files\MSXML 4.0
2009-09-28 19:51 30,592 ac------ c:\windows\system32\dllcache\rndismpx.sys
2009-09-28 19:51 12,800 ac------ c:\windows\system32\dllcache\usb8023x.sys
2009-09-28 19:51 30,592 a------- c:\windows\system32\drivers\rndismpx.sys
2009-09-28 19:51 12,800 a------- c:\windows\system32\drivers\usb8023x.sys
2009-09-28 19:51 <DIR> --d----- c:\program files\SAMSUNG
2009-09-28 19:48 <DIR> --d----- c:\program files\Windows Mobile Device Handbook
2009-09-24 11:57 <DIR> --d----- c:\program files\MSECache
2009-09-23 17:24 249,856 -------- c:\windows\Setup1.exe
2009-09-23 17:24 73,216 a------- c:\windows\ST6UNST.EXE
2009-09-23 16:10 21,840 a------- c:\windows\system32\SIntfNT.dll
2009-09-23 16:10 17,212 a------- c:\windows\system32\SIntf32.dll
2009-09-23 16:10 12,067 a------- c:\windows\system32\SIntf16.dll
2009-09-22 07:21 <DIR> --d----- c:\program files\common files\Blizzard Entertainment
2009-09-15 23:17 <DIR> --d----- c:\program files\iPod
2009-09-15 23:14 <DIR> --d----- c:\program files\iTunes
2009-09-15 23:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}

==================== Find3M ====================

2009-10-05 23:22 1,502,720 a------- c:\windows\goInstaller.exe
2009-09-10 17:00 41,872 a------- c:\windows\system32\xfcodec.dll
2009-09-10 14:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 14:53 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-03 02:23 36,864 a------- c:\windows\system32\ctfmon.exe
2009-09-02 00:23 361,600 a------- c:\windows\system32\drivers\tcpip.sys
2009-08-18 01:20 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-08-05 02:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-30 09:41 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-28 21:37 119,808 a------- c:\windows\system32\t2embed.dll
2009-07-28 21:37 81,920 a------- c:\windows\system32\fontsub.dll
2009-07-17 12:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-08 03:18 81,920 ac------ c:\docume~1\admini~1\applic~1\ezpinst.exe
2009-07-08 03:18 47,360 ac------ c:\docume~1\admini~1\applic~1\pcouffin.sys
2009-03-22 23:46 16,384 a--sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2009-03-22 23:46 16,384 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-03-22 23:46 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 17.13.22.37 ===============


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/11 17:16
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5222000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A6B000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP2888
Image Path: \Driver\PCI_PNP2888
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB915F000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spsj.sys
Image Path: spsj.sys
Address: 0xF8414000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\ajn24ydj.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf883553c

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf8837678

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf8838534

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf8837d71

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf8837c6f

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spsj.sys" at address 0xf8433ca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spsj.sys" at address 0xf8434030

#: 084 Function Name: NtFsControlFile
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf883555e

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf883551e

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf8837644

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf88370b3

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf8837452

#: 160 Function Name: NtQueryKey
Status: Hooked by "spsj.sys" at address 0xf8434108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spsj.sys" at address 0xf8433f88

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf883742f

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf88367c8

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf88389b4

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf88381f7

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf8837816

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf8837475

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf88389f2

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf8837410

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf88389d3

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf88373ed

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x823dd1f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x81cad500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x81cad500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x81cad500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x81cad500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x81cad500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x81cad500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x81cad500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x81cad500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x81cad500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x81cad500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x81cad500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x81cad500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x81cad500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x81cad500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x81cad500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x81cad500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x81cad500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x81cad500 Size: 121

Object: Hidden Code [Driver: aajf3lbaЅఅ灐†GEARAspiWDM., IRP_MJ_CREATE]
Process: System Address: 0x8222a1f8 Size: 121

Object: Hidden Code [Driver: aajf3lbaЅఅ灐†GEARAspiWDM., IRP_MJ_CLOSE]
Process: System Address: 0x8222a1f8 Size: 121

Object: Hidden Code [Driver: aajf3lbaЅఅ灐†GEARAspiWDM., IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8222a1f8 Size: 121

Object: Hidden Code [Driver: aajf3lbaЅఅ灐†GEARAspiWDM., IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8222a1f8 Size: 121

Object: Hidden Code [Driver: aajf3lbaЅఅ灐†GEARAspiWDM., IRP_MJ_POWER]
Process: System Address: 0x8222a1f8 Size: 121

Object: Hidden Code [Driver: aajf3lbaЅఅ灐†GEARAspiWDM., IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8222a1f8 Size: 121

Object: Hidden Code [Driver: aajf3lbaЅఅ灐†GEARAspiWDM., IRP_MJ_PNP]
Process: System Address: 0x8222a1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8223d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8223d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8223d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8223d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8223d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8223d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8223d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8223d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8223d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8223d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8223d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x823721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x823721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x823721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x823721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x823721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x823721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x823721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x823721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x823721f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x823721f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8231f500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8231f500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8231f500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8231f500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8231f500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8231f500 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8231f500 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x823df1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x81cc4500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x81cc4500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x81cc4500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x81cc4500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x81cc4500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x81cc4500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x822501f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x822501f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x822501f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x822501f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x822501f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x822501f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x822501f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x81ca01f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵃ȁఊ瑎摆쨨, IRP_MJ_CREATE]
Process: System Address: 0x818251f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵃ȁఊ瑎摆쨨, IRP_MJ_CLOSE]
Process: System Address: 0x818251f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵃ȁఊ瑎摆쨨, IRP_MJ_READ]
Process: System Address: 0x818251f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵃ȁఊ瑎摆쨨, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x818251f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵃ȁఊ瑎摆쨨, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x818251f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵃ȁఊ瑎摆쨨, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x818251f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵃ȁఊ瑎摆쨨, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x818251f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵃ȁఊ瑎摆쨨, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x818251f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵃ȁఊ瑎摆쨨, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x818251f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵃ȁఊ瑎摆쨨, IRP_MJ_SHUTDOWN]
Process: System Address: 0x818251f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵃ȁఊ瑎摆쨨, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x818251f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵃ȁఊ瑎摆쨨, IRP_MJ_CLEANUP]
Process: System Address: 0x818251f8 Size: 121

Object: Hidden Code [Driver: Cdfsȅ䵃ȁఊ瑎摆쨨, IRP_MJ_PNP]
Process: System Address: 0x818251f8 Size: 121

Shadow SSDT
-------------------
#: 421 Function Name: NtUserGetMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf88381d3

#: 474 Function Name: NtUserPeekMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf88381ac

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf8837f58

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\system32\drivers\procguard.sys" at address 0xf8837dd9

==EOF==


#2 syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:25 AM

Posted 26 October 2009 - 06:20 PM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic. If you still need help, please let me know what issues you are still having in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks


#3 syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:25 AM

Posted 30 October 2009 - 09:39 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
