
desktop problem might be related with virus


This topic is locked
2 replies to this topic

#1 dimitri88

  • Members
  • 1 posts

Posted 13 October 2009 - 07:49 AM

I'm a total newbie to this. My desktop takes a while to refresh; it's more like it's blinking, relatively slowly. It started after I inserted a flash drive filled with viruses which I forgot to scan. Help very much appreciated.

DDS (Ver_09-10-13.01) - NTFSx86
Run by User at 20:44:26.93 on Tue 10/13/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1978.1304 [GMT 8:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\USB Disk Security\USBGuard.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\program files\advanced system optimizer\memtuneup.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Vista Rainbar\Rainmeter.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\explorer.exe
D:\Documents\Downloads\Programs\dds.EXE

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.microsoft.com
udefault_page_url = hxxp://www.microsoft.com
mDefault_Page_URL = hxxp://www.microsoft.com
mStart Page = hxxp://www.microsoft.com
mWindow Title = Microsoft Internet Explorer
mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: GigagetIEHelper Class: {111caa23-6f4f-42ac-8555-b48c1d87bbab} - c:\windows\system32\gigagetbho_v10.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CursorXP] c:\program files\cursorxp\CursorXP.exe
uRun: [SpeedswitchXP] c:\program files\speedswitchxp\SpeedswitchXP.exe
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [Systweak Memory Optimizer] c:\program files\advanced system optimizer\memtuneup.exe
uRun: [Vista Rainbar] c:\program files\vista rainbar\Vista Rainbar.exe
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [USB Antivirus] c:\program files\usb disk security\USBGuard.exe
mRun: [GrooveMonitor] c:\program files\microsoft office\office12\GrooveMonitor.exe
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
IE: &Download All by Gigaget - c:\program files\giganology\gigaget\getallurl.htm
IE: &Download by Gigaget - c:\program files\giganology\gigaget\geturl.htm
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: WB - c:\program files\alienguise\fastload.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\ib6wl7h9.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com
FF - component: c:\documents and settings\user\application data\idm\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 600000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 600000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0

============= SERVICES / DRIVERS ===============

R0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys --> \SystemRoot\\SystemRoot\System32\drivers\vidstub.sys [?]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2009-9-26 132296]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2009-9-26 25160]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-5-14 94360]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\cyberlink\powerdvd8\000.fcl [2008-5-15 61424]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-5-14 731840]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-9-3 604488]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-8-29 110080]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-8-29 112992]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2009-8-29 38400]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-4-21 1684736]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]

=============== Created Last 30 ================

2009-10-13 19:35 <DIR> --d----- C:\Autoruns
2009-10-13 16:40 <DIR> --d----- c:\documents and settings\user\New Folder
2009-10-13 00:39 <DIR> --d----- c:\program files\IrfanView
2009-10-13 00:03 664 a------- c:\windows\system32\d3d9caps.dat
2009-10-12 20:07 <DIR> --d----- c:\documents and settings\user\DoctorWeb
2009-10-12 10:09 292,197 a------- c:\windows\InvaderDark1280.jpg
2009-10-07 14:52 <DIR> --d----- c:\program files\PopCap Games2
2009-10-06 17:27 <DIR> --d----- C:\My Download Files
2009-10-06 16:37 515,416 a------- c:\windows\system32\XAudio2_5.dll
2009-10-06 16:37 238,936 a------- c:\windows\system32\xactengine3_5.dll
2009-10-06 16:37 1,974,616 a------- c:\windows\system32\D3DCompiler_42.dll
2009-10-06 16:37 5,501,792 a------- c:\windows\system32\d3dcsx_42.dll
2009-10-06 16:37 235,344 a------- c:\windows\system32\d3dx11_42.dll
2009-10-06 16:37 453,456 a------- c:\windows\system32\d3dx10_42.dll
2009-10-06 16:37 1,892,184 a------- c:\windows\system32\D3DX9_42.dll
2009-10-04 13:51 <DIR> --d----- c:\program files\ReflexiveArcade
2009-10-03 21:46 120,056 -------- c:\windows\system32\pxcpyi64.exe
2009-10-03 21:46 118,520 -------- c:\windows\system32\pxinsi64.exe
2009-10-03 21:45 <DIR> --d----- c:\program files\common files\DivX Shared
2009-10-02 22:32 25 a------- c:\windows\popcinfot.dat
2009-10-02 22:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PopCap Games
2009-10-02 15:18 1,970,176 a------- c:\windows\system32\d3dx9.dll
2009-10-02 15:18 679,936 a------- c:\windows\system32\D3DX81ab.dll
2009-10-02 15:18 <DIR> --d----- c:\program files\Cheat Engine
2009-09-29 22:41 <DIR> --d----- c:\program files\GodsWar Online
2009-09-26 23:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Comodo
2009-09-26 23:32 179,792 a------- c:\windows\system32\guard32.dll
2009-09-26 23:32 132,296 a------- c:\windows\system32\drivers\cmdguard.sys
2009-09-26 23:32 25,160 a------- c:\windows\system32\drivers\cmdhlp.sys
2009-09-24 22:27 <DIR> --d----- c:\docume~1\user\applic~1\IObit
2009-09-24 22:27 <DIR> --d----- c:\program files\IObit
2009-09-24 00:50 <DIR> --d----- c:\docume~1\user\applic~1\IDM
2009-09-24 00:50 <DIR> --d----- c:\program files\Internet Download Manager
2009-09-22 17:40 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-22 17:40 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-22 17:40 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-22 17:16 <DIR> --d----- c:\program files\ESET
2009-09-22 14:51 <DIR> --d----- C:\CSWARE
2009-09-22 14:11 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-09-22 13:34 <DIR> --d----- c:\docume~1\user\applic~1\Rainmeter
2009-09-22 13:31 <DIR> --d----- c:\program files\Vista Rainbar
2009-09-21 23:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-09-21 23:23 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-09-21 23:23 <DIR> --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-09-21 09:26 <DIR> --d-h--- C:\AUTORUN.INF
2009-09-21 02:31 <DIR> --d----- c:\program files\ABC Amber ICL Converter
2009-09-21 01:07 <DIR> --d----- c:\program files\Combined Community Codec Pack
2009-09-21 00:44 <DIR> --d----- c:\documents and settings\user\Bluetooth Software
2009-09-21 00:41 106,557 a------- c:\windows\system32\btw_ci.dll
2009-09-21 00:41 74,656 a------- c:\windows\system32\drivers\btwusb.sys
2009-09-21 00:41 55,352 a------- c:\windows\system32\drivers\btwhid.sys
2009-09-21 00:41 879,528 a------- c:\windows\system32\drivers\btkrnl.sys
2009-09-21 00:41 539,576 a------- c:\windows\system32\drivers\btaudio.sys
2009-09-21 00:41 156,392 a------- c:\windows\system32\drivers\btwdndis.sys
2009-09-21 00:41 37,424 a------- c:\windows\system32\drivers\btport.sys
2009-09-21 00:40 <DIR> --d----- c:\program files\WIDCOMM
2009-09-20 22:10 <DIR> --d----- c:\program files\AveIconifier2
2009-09-20 21:35 <DIR> --d----- c:\docume~1\user\applic~1\uniblue
2009-09-20 20:00 <DIR> --d----- c:\docume~1\user\applic~1\Systweak
2009-09-20 19:47 <DIR> --d----- c:\program files\Advanced System Optimizer
2009-09-19 21:40 <DIR> --d----- c:\program files\Trend Micro
2009-09-19 11:33 <DIR> --d----- c:\docume~1\user\applic~1\Stardock
2009-09-19 11:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Stardock
2009-09-19 00:30 42 a------- c:\windows\system32\RegistryEasy.lie
2009-09-18 09:55 5,760,054 a------- c:\windows\ALX_1600x1200.bmp
2009-09-18 06:53 <DIR> --d----- c:\program files\GRETECH
2009-09-17 18:28 <DIR> --d----- c:\docume~1\user\applic~1\FrostWire
2009-09-17 17:35 <DIR> --d----- c:\program files\AlienGUIse
2009-09-17 14:41 45,056 a------- c:\windows\system32\sstunst3.exe
2009-09-17 13:37 <DIR> --d----- c:\program files\Hypercam
2009-09-16 22:55 3,932,214 a------- c:\windows\InvaderDark1280.bmp
2009-09-16 22:53 3,932,214 a------- c:\windows\AW_XenoMorph1280.bmp
2009-09-16 22:52 5,760,054 a------- c:\windows\AW_1600x1200.bmp
2009-09-16 22:51 5,760,056 a------- c:\windows\Darkstar.bmp
2009-09-16 08:39 <DIR> --d----- c:\program files\K-Lite Codec Pack
2009-09-16 00:40 <DIR> --d----- c:\docume~1\user\applic~1\Comodo
2009-09-15 22:21 <DIR> --d----- c:\program files\RocketDock
2009-09-14 21:32 <DIR> --d----- c:\program files\DFX
2009-09-14 19:59 4,074 a------- c:\windows\BricoPackFoldersDelete.cmd
2009-09-14 17:40 <DIR> --d----- c:\docume~1\user\applic~1\Launchy
2009-09-14 17:09 <DIR> --d----- c:\program files\SpeedswitchXP
2009-09-14 16:36 <DIR> --d----- C:\logs
2009-09-14 16:35 <DIR> --d----- c:\program files\Chikka Messenger

==================== Find3M ====================

2009-09-19 12:57 2,285,056 a------- c:\windows\system32\TUKernel.exe
2009-09-18 17:24 1,474,832 a------- c:\windows\system32\drivers\sfi.dat
2009-09-14 20:01 54,720 a------- c:\windows\BricoPackUninst.cmd
2009-09-06 07:35 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-09-05 22:33 774,144 a------- c:\program files\RngInterstitial.dll
2009-09-04 17:44 69,464 a------- c:\windows\system32\XAPOFX1_3.dll
2009-09-03 15:40 218,624 a------- c:\windows\system32\uxtheme.dll
2009-09-03 11:28 604,488 a------- c:\windows\system32\TUProgSt.exe
2009-09-03 11:28 361,288 a------- c:\windows\system32\TuneUpDefragService.exe
2009-08-30 15:33 411,368 a------- c:\windows\system32\deploytk.dll
2009-08-30 10:48 0 a---h--- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-08-30 10:48 0 a---h--- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-08-29 23:29 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-29 14:12 505,128 a------- c:\windows\system32\msvcp71.dll
2009-08-29 14:12 29,480 a------- c:\windows\system32\msxml3a.dll
2009-08-29 14:11 353,576 a------- c:\windows\system32\msvcr71.dll
2009-08-29 13:48 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_SynTP_01007.Wdf
2009-08-29 13:48 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-08-29 13:28 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-08-16 23:08 178,176 a------- c:\windows\system32\unrar.dll

============= FINISH: 20:44:48.89 ===============

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/13 22:30
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: PCI_PNP9622
Image Path: \Driver\PCI_PNP9622
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal_2.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal_2.sys
Address: 0xA5561000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spfi.sys
Image Path: spfi.sys
Address: 0xF74D5000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x88e578a0

#: 041 Function Name: NtCreateKey
Status: Hooked by "spfi.sys" at address 0xf74d60e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spfi.sys" at address 0xf74f4ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spfi.sys" at address 0xf74f5032

#: 119 Function Name: NtOpenKey
Status: Hooked by "spfi.sys" at address 0xf74d60c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x88e56cb0

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x88e570d0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spfi.sys" at address 0xf74f510a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spfi.sys" at address 0xf74f4f8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spfi.sys" at address 0xf74f519c

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x88e576d0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x88e574f0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x88e56ee0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x88e57310

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x8a143888]
Process: System Address: 0x88e55930 Size: 1000

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x89f42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x89f42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x89f42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x89f42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89f42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89f42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89f42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89f42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x89f42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89f42500 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x89f42500 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8a2f71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8a2f71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8a2f71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8a2f71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a2f71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a2f71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a2f71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a2f71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8a2f71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a2f71f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8a2f71f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x8a0de1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x8a0de1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a0de1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a0de1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x8a0de1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a0de1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x8a0de1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8a3691f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8a3691f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8a3691f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a3691f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a3691f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a3691f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a3691f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8a3691f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8a3691f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a3691f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8a3691f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x89585500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x89585500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89585500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89585500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x89585500 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x89585500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a0bf1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a0bf1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a0bf1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a0bf1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a0bf1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a0bf1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a0bf1f8 Size: 121

Object: Hidden Code [Driver: Program, IRP_MJ_CREATE]
Process: System Address: 0x8a0631f8 Size: 121

Object: Hidden Code [Driver: Program, IRP_MJ_CLOSE]
Process: System Address: 0x8a0631f8 Size: 121

Object: Hidden Code [Driver: Program, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a0631f8 Size: 121

Object: Hidden Code [Driver: Program, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a0631f8 Size: 121

Object: Hidden Code [Driver: Program, IRP_MJ_POWER]
Process: System Address: 0x8a0631f8 Size: 121

Object: Hidden Code [Driver: Program, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a0631f8 Size: 121

Object: Hidden Code [Driver: Program, IRP_MJ_PNP]
Process: System Address: 0x8a0631f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x895ea500 Size: 121

Object: Hidden Code [Driver: USB#Vid_, IRP_MJ_CREATE]
Process: System Address: 0x8a1583b0 Size: 121

Object: Hidden Code [Driver: USB#Vid_, IRP_MJ_CLOSE]
Process: System Address: 0x8a1583b0 Size: 121

Object: Hidden Code [Driver: USB#Vid_, IRP_MJ_READ]
Process: System Address: 0x8a1583b0 Size: 121

Object: Hidden Code [Driver: USB#Vid_, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a1583b0 Size: 121

Object: Hidden Code [Driver: USB#Vid_, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a1583b0 Size: 121

Object: Hidden Code [Driver: USB#Vid_, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a1583b0 Size: 121

Object: Hidden Code [Driver: USB#Vid_, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a1583b0 Size: 121

Object: Hidden Code [Driver: USB#Vid_, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a1583b0 Size: 121

Object: Hidden Code [Driver: USB#Vid_, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a1583b0 Size: 121

Object: Hidden Code [Driver: USB#Vid_, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a1583b0 Size: 121

Object: Hidden Code [Driver: USB#Vid_, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a1583b0 Size: 121

Object: Hidden Code [Driver: USB#Vid_, IRP_MJ_CLEANUP]
Process: System Address: 0x8a1583b0 Size: 121

Object: Hidden Code [Driver: USB#Vid_, IRP_MJ_PNP]
Process: System Address: 0x8a1583b0 Size: 121

==EOF==

Edited by dimitri88, 13 October 2009 - 09:38 AM.
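The RootRepeal section of the post above is long but repetitive: a handful of SSDT hooks, some attributed to spfi.sys and some to "<unknown>", and a long run of "Hidden Code" entries where every IRP_MJ_* dispatch entry of a given driver points at one and the same address. What follows is an added example for triaging that kind of report; it is not part of the thread and not RootRepeal's own code. It parses a constructed excerpt laid out like the post's report (a few entries, not the full log), groups SSDT hooks by the module RootRepeal attributed them to, reports how far apart the unattributed hooks lie, and collapses the dispatch-table entries to one target address per driver. The regexes, function names and the `SAMPLE_REPORT` excerpt are mine. The script deliberately does not label anything malicious: HIPS and anti-virus products of the kind installed on this machine (COMODO, ESET) and disc-emulation drivers hook the same tables, so attribution has to come from identifying the file behind the address, which the report alone does not give.

```python
import re
from collections import defaultdict

# Constructed excerpt in RootRepeal's report layout: a few SSDT and
# "Hidden Code" entries shaped like the ones in the post, not the full log.
SAMPLE_REPORT = """\
SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x88e578a0

#: 041 Function Name: NtCreateKey
Status: Hooked by "spfi.sys" at address 0xf74d60e0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x88e56cb0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x88e56ee0

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x8a143888]
Process: System Address: 0x88e55930 Size: 1000

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a3671f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x89f42500 Size: 121

==EOF==
"""

# One SSDT entry: the "#:" line followed by its "Status:" line.
SSDT_RE = re.compile(
    r'#: (?P<index>\d+) Function Name: (?P<func>\w+)[ \t]*\n'
    r'Status: Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)'
)
# One redirected driver dispatch entry (IRP_MJ_*) and the address it now points to.
IRP_RE = re.compile(
    r'Object: Hidden Code \[Driver: (?P<driver>[^,\]]+), (?P<irp>IRP_MJ_\w+)\][ \t]*\n'
    r'Process: \S+ Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)'
)


def parse_ssdt_hooks(report):
    """Return (index, function, hooking module, hook address) for each SSDT hook."""
    return [(int(m['index']), m['func'], m['module'], int(m['addr'], 16))
            for m in SSDT_RE.finditer(report)]


def parse_irp_hooks(report):
    """Return (driver, IRP major function, target address, size) per hidden dispatch entry."""
    return [(m['driver'], m['irp'], int(m['addr'], 16), int(m['size']))
            for m in IRP_RE.finditer(report)]


def hooks_by_module(ssdt_hooks):
    """Group hooked syscall names by the module RootRepeal attributed them to."""
    grouped = defaultdict(list)
    for _, func, module, _ in ssdt_hooks:
        grouped[module].append(func)
    return dict(grouped)


def unattributed_hook_span(ssdt_hooks):
    """(lowest, highest, gap) over hooks RootRepeal could not map to a file, or None.

    Hooks that land within a few KiB of each other almost certainly belong to one
    driver; the gap is returned so the reader can judge that without guessing a name.
    """
    addrs = [addr for _, _, module, addr in ssdt_hooks if module == '<unknown>']
    if not addrs:
        return None
    return min(addrs), max(addrs), max(addrs) - min(addrs)


def irp_targets_by_driver(irp_hooks):
    """Map each driver to the sorted set of addresses its IRP_MJ_* entries point to.

    A single address per driver across many major functions means every entry of
    that driver's dispatch table was redirected to the same routine.
    """
    grouped = defaultdict(set)
    for driver, _, addr, _ in irp_hooks:
        grouped[driver].add(addr)
    return {driver: sorted(addrs) for driver, addrs in grouped.items()}


def summarize(report):
    """Build the triage summary as a list of lines (returned, not only printed)."""
    ssdt = parse_ssdt_hooks(report)
    irp = parse_irp_hooks(report)
    lines = []
    for module, funcs in hooks_by_module(ssdt).items():
        lines.append(f'{module}: {len(funcs)} SSDT hook(s): {", ".join(funcs)}')
    span = unattributed_hook_span(ssdt)
    if span:
        lo, hi, gap = span
        lines.append(f'<unknown> hooks lie between {lo:#x} and {hi:#x} ({gap} bytes apart)')
    for driver, addrs in irp_targets_by_driver(irp).items():
        targets = ', '.join(format(a, '#x') for a in addrs)
        lines.append(f'{driver}: dispatch entries redirected to {targets}')
    return lines


if __name__ == '__main__':
    print('\n'.join(summarize(SAMPLE_REPORT)))
```

To run it over the real report, read the saved RootRepeal text file into `summarize()` instead of `SAMPLE_REPORT`; the two regexes only depend on the line shapes visible in the post. On the excerpt the three `<unknown>` hooks sit about 3 KiB apart, which is the kind of clustering that says "one module" even when the tool cannot name it.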




#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 27 October 2009 - 01:48 PM

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Then please post back here with the following:
  • log.txt
  • info.txt
Thanks



#3 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 31 October 2009 - 08:11 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
