Malware has disabled my anti-malware tools


  • This topic is locked
4 replies to this topic

#1 hjorti


Posted 29 November 2009 - 10:35 AM

I noticed yesterday that my Norton Internet Security 2009 had stopped working. I tried a reinstall, which was unsuccessful. I then tried Spybot and Ad-Aware. They didn't load either.

So it seems that I have an infection. When I type "hijackthis" into Google, or try an online virus check, the browser closes. When I try to open the Logs and Removal sub-board on this site, the browser closes. I noticed I had a copy of HijackThis; when I try to open this folder, Windows Explorer closes.

I tried to restart in safe mode with networking and got a blue screen:

"A problem has been detected and windows has been shut down to prevent damage to your computer.
If this is the first time etc.....
Check for viruses etc....
Technical information
***STOP: 0x0000007B (0xF789E524, 0xC0000034, 0x00000000, 0x00000000)"

I have backed up data and disconnected my computer from the internet, and am writing this from another computer.

I ran DDS as suggested. Below is the dds.txt wording. I have attached the attach.zip file.

RootRepeal froze in the middle of the scan, while scanning c:picstemp, which is my default place to save files downloaded from the internet. So I cannot give you a RootRepeal report at this time.


DDS (Ver_09-11-29.01) - NTFSx86
Run by Søren Hjorth at 15:48:34,53 on 29-11-2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.45.1033.18.1022.688 [GMT 1:00]


============== Running Processes ===============

C:WINDOWSsystem32svchost -k DcomLaunch
svchost.exe
C:WINDOWSSystem32svchost.exe -k netsvcs
svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:Program FilesSeagateBasicsServiceSyncServicesBasics.exe
C:WINDOWSeHomeehRecvr.exe
C:Program FilesJavajre6binjqs.exe
C:WINDOWSsystem32nvsvc32.exe
C:WINDOWSsystem32HPZipm12.exe
svchost.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32dllhost.exe
C:WINDOWSstsystra.exe
C:Program FilesDAEMON Toolsdaemon.exe
C:Program FilesBrownieBrstsWnd.exe
C:Program FilesSeagateBasicsBasics StatusMaxMenuMgrBasics.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesLogitechSetPointSetPoint.exe
C:Program FilesBrowniebrpjp04a.exe
C:Program FilesCommon FilesLogishrdKHAL2KHALMNPR.EXE
C:WINDOWSsystem32svchost.exe -k imgsvc
C:Documents and SettingsSøren HjorthDesktopdds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.dk/ig/dell?hl=da&client=dell-row&channel=dk&ibd=0061215
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:program filesyahoo!companioninstallscpnyt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:program filesadobeacrobat 7.0activexAcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:program filesgooglegoogle toolbarGoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:program filesgooglegoogletoolbarnotifier5.3.4501.1418swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:program filesgooglegoogle toolbarcomponentfastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:program filesbaeBAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:program filesjavajre6binjp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:program filesjavajre6libdeployjqsiejqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:program filesyahoo!companioninstallscpnyt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:program filesgooglegoogle toolbarGoogleToolbar_32.dll
uRun: [swg] "c:program filesgooglegoogletoolbarnotifierGoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:windowssystem32ctfmon.exe
mRun: [SunJavaUpdateSched] "c:program filesjavajre6binjusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:program filesquicktimeqttask.exe" -atboottime
mRun: [PC Pitstop Optimize2 Reminder] c:program filespcpitstopoptimize2Reminder.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:windowssystem32NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:windowssystem32NeroCheck.exe
mRun: [KernelFaultCheck] %systemroot%system32dumprep 0 -k
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [DSS] c:windowsbbstoredssDSSAGENT.EXE
mRun: [DAEMON Tools] "c:program filesdaemon toolsdaemon.exe" -lang 1033
mRun: [BrStsWnd] c:program filesbrownieBrstsWnd.exe Autorun
mRun: [basicsmssmenu] "c:program filesseagatebasicsbasics statusMaxMenuMgrBasics.exe"
dRun: [CTFMON.EXE] c:windowssystem32CTFMON.EXE
StartupFolder: c:docume~1alluse~1startm~1programsstartuplogite~1.lnk - c:program fileslogitechsetpointSetPoint.exe
StartupFolder: c:docume~1alluse~1startm~1programsstartupmicros~1.lnk - c:program filesmicrosoft officeoffice10OSA.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: + Offline &Explorer: Download the link - file://c:program filesoffline explorer enterpriseAdd_UrlO.htm
IE: + Offline E&xplorer: Download the current page - file://c:program filesoffline explorer enterpriseAdd_AllO.htm
IE: E&xport to Microsoft Excel - c:progra~1micros~3office10EXCEL.EXE/3000
IE: Open current page with BID Link E&xplorer - file://c:program filesbulk image downloaderiemenuiebidlinkexplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:program filesmessengermsmsgs.exe
Trusted Zone: secured.in
DPF: {01111C00-3E00-11D2-8470-0060089874ED} - hxxps://netsupport2.tdconline.dk/sdccommon/download/tgctlar.cab
DPF: {01111E00-3E00-11D2-8470-0060089874ED} - hxxps://netsupport2.tdconline.dk/sdccommon/download/tgctlsi.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553535000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:program filescommon filesmicrosoft sharedweb foldersPKMCDO.DLL
Notify: !SASWinLogon - c:program filessuperantispywareSASWINLO.dll
Notify: LBTWlgn - c:program filescommon fileslogishrdbluetoothLBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:windowssystem32WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:program filessuperantispywareSASSEH.DLL
Hosts: 255.255.255.255 broadcasthost
Hosts: 66.35.250.150 s # slashdot.org
Hosts: 216.239.39.99 g # google.com

================= FIREFOX ===================

FF - ProfilePath - c:docume~1srenhj~1applic~1mozillafirefoxprofilesyqfqaxzb.default
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://us.f341.mail.yahoo.com/ym/login?.rand=fbu4g2a2l62pt
FF - component: c:documents and settingssøren hjorthapplication datamozillafirefoxprofilesyqfqaxzb.defaultextensions{3112ca9c-de6d-4884-a869-9855de68056c}componentsfrozen.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:windowsmicrosoft.netframeworkv3.5windows presentation foundationdotnetassistantextension
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:program filesmozilla firefoxextensions{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:program filesmozilla firefoxgreprefssecurity-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:windowssystem32driversLbd.sys [2009-11-7 64288]
R1 sK9Ou0s;sK9Ou0s;c:windowssystem32srosa2.sys [2009-11-13 7168]
R1 vcdrom;Virtual CD-ROM Device Driver;c:windowssystem32driversVCdRom.sys [2007-7-12 8576]
R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;c:windowssystem32drivershnm_wrls_pkt.sys [2006-7-14 13824]
R2 McrdSvc;Media Center Extender Service;c:windowsehomemcrdsvc.exe [2005-8-5 99328]
R2 wsppkt;Wireless Security Protocol;c:windowssystem32driverswsp_pkt.sys [2006-7-14 13696]
S2 Automatisk LiveUpdate-planlægning;Automatisk LiveUpdate-planlægning;"c:program filessymantecliveupdatealuschedulersvc.exe" --> c:program filessymantecliveupdateALUSchedulerSvc.exe [?]
S3 BEHRINGER_2902;usb-audio.de driver for BEHRINGER USB AUDIO;c:windowssystem32driversBUSB2902.sys [2008-6-18 110272]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:magixcommondatabasebinfbserver.exe [2009-1-28 1527900]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:program fileslavasoftad-awareAAWService.exe [2009-9-24 1184912]

=============== Created Last 30 ================

2009-11-29 11:28:12 71276 ----a-w- c:windowssystemwphv05na.ttf
2009-11-29 03:42:11 96256 ----a-w- c:windowssystem32dllcacheac97intc.sys
2009-11-29 03:42:10 231552 ----a-w- c:windowssystem32dllcacheac97ali.sys
2009-11-29 03:42:07 462848 ----a-w- c:windowssystem32dllcachea3dapi.dll
2009-11-29 03:42:03 98304 ----a-w- c:windowssystem32dllcachea3d.dll
2009-11-29 03:41:59 48128 ----a-w- c:windowssystem32dllcache61883.sys
2009-11-29 03:41:59 38400 ----a-w- c:windowssystem32dllcache8514a.dll
2009-11-29 03:41:58 12288 ----a-w- c:windowssystem32dllcache4mmdat.sys
2009-11-29 03:41:55 148352 ----a-w- c:windowssystem32dllcache3dfxvsm.sys
2009-11-29 03:41:51 689216 ----a-w- c:windowssystem32dllcache3dfxvs.dll
2009-11-29 03:41:48 762780 ----a-w- c:windowssystem32dllcache3cwmcru.sys
2009-11-29 03:41:44 53376 ----a-w- c:windowssystem32dllcache1394bus.sys
2009-11-29 03:41:44 11264 ----a-w- c:windowssystem32dllcache1394vdbg.sys
2009-11-29 03:41:09 7168 ----a-w- c:windowssystem32dllcachewamregps.dll
2009-11-29 03:41:01 66048 ----a-w- c:windowssystem32dllcaches3legacy.dll
2009-11-29 03:40:51 7680 ----a-w- c:windowssystem32dllcacheinetmgr.exe
2009-11-29 03:40:51 19968 ----a-w- c:windowssystem32dllcacheinetsloc.dll
2009-11-29 03:40:50 5632 ----a-w- c:windowssystem32dllcacheiisrstap.dll
2009-11-29 03:40:50 169984 ----a-w- c:windowssystem32dllcacheiisui.dll
2009-11-29 03:40:50 14336 ----a-w- c:windowssystem32dllcacheiisreset.exe
2009-11-29 03:40:49 6144 ----a-w- c:windowssystem32dllcacheftpsapi2.dll
2009-11-29 03:40:44 94720 ----a-w- c:windowssystem32dllcachecertmap.ocx
2009-11-29 03:31:00 0 d-----w- c:program filesSUPERAntiSpyware
2009-11-29 03:31:00 0 d-----w- c:docume~1srenhj~1applic~1SUPERAntiSpyware.com
2009-11-29 03:30:33 0 d-----w- c:program filescommon filesWise Installation Wizard
2009-11-29 02:30:46 0 d-----w- c:program filescommon filesSymantec Shared
2009-11-29 02:27:31 0 d-----w- c:program filesNortonInstaller
2009-11-29 02:27:31 0 d-----w- c:docume~1alluse~1applic~1NortonInstaller
2009-11-29 02:24:05 0 d-----w- c:docume~1alluse~1applic~1Norton
2009-11-29 01:02:10 88449496 ----a-w- c:tempNIS10UPEN.exe
2009-11-28 23:12:06 72708 ------w- c:windowssystem32wintems.exe
2009-11-28 23:11:58 0 d--h--w- c:docume~1srenhj~1applic~1m
2009-11-21 14:48:11 0 d-----w- c:program filescommon filesVoyetra
2009-11-21 13:51:29 310 ----a-w- c:windowsARCADE.INI
2009-11-21 13:51:28 839 ----a-w- c:windowsjamkeys.ini
2009-11-21 13:51:28 297 ----a-w- c:windowsrecorsta.ini
2009-11-21 13:51:28 24 ----a-w- c:windowsjam.ini
2009-11-21 13:51:28 1201 ----a-w- c:windowsteachpno.ini
2009-11-21 13:51:07 0 d-----w- c:program filesVoyetra
2009-11-13 01:40:08 7168 ----a-w- c:windowssystem32srosa2.sys
2009-11-12 20:09:57 0 d--h--w- c:docume~1srenhj~1applic~1drivers
2009-11-10 02:13:35 0 d-----w- c:documents and settingssøren hjorthStorm Shared Folder
2009-11-07 19:29:58 15880 ----a-w- c:windowssystem32lsdelete.exe
2009-11-07 19:20:04 64288 ----a-w- c:windowssystem32driversLbd.sys
2009-11-07 19:19:55 93360 ----a-w- c:windowssystem32driversSBREDrv.sys
2009-11-07 19:17:47 0 dc-h--w- c:docume~1alluse~1applic~1{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-07 17:18:10 0 dc-h--w- c:docume~1alluse~1applic~1{A6CBE6A2-B738-440D-B19A-60D7C36810C7}

==================== Find3M ====================

2009-11-29 13:26:39 15204352 ---ha-w- c:documents and settingssøren hjorthNTUSER.DAT
2009-10-22 09:19:04 5939712 ------w- c:windowssystem32dllcachemshtml.dll
2009-10-19 21:34:10 1177600 ----a-w- c:windowssystem32SYNSOEMU.DLL
2009-10-01 03:03:46 0 ----a-w- c:documents and settingssøren hjorthtemp.dat
2009-09-11 14:18:39 136192 ----a-w- c:windowssystem32msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:windowssystem32dllcachemsv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:windowssystem32msasn1.dll
2009-09-04 21:03:36 58880 ------w- c:windowssystem32dllcachemsasn1.dll
2009-01-10 02:39:54 32768 --sha-w- c:windowssystem32configsystemprofilelocal settingshistoryhistory.ie5mshist012009011020090111index.dat

============= FINISH: 15:49:15,92 ===============

Update.

I tried to run RootRepeal again, this time successfully. Here is the report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/30 11:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: 00000046
Image Path: Driver00000046
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: an62080l.SYS
Image Path: C:WINDOWSSystem32Driversan62080l.SYS
Address: 0xF6624000 Size: 303104 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:WINDOWSSystem32Driversdump_atapi.sys
Address: 0xF3BB5000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:WINDOWSSystem32Driversdump_WMILIB.SYS
Address: 0xF79FF000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:WINDOWSsystem32driversrootrepeal.sys
Address: 0xB98C5000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:hiberfil.sys
Status: Locked to the Windows API!

Path: C:dmproAutoRun.inf
Status: Invisible to the Windows API!

Path: c:i386ntkrnlpa.exe
Status: Allocation size mismatch (API: 24576, Raw: 2019328)

Path: C:WINDOWSwintems.exe
Status: Invisible to the Windows API!

Path: C:WINDOWSmdelk.exe
Status: Invisible to the Windows API!

Path: C:Program FilesMicrosoft Application Compatibility Toolkit 5Shared
Status: Invisible to the Windows API!

Path: C:Program FilesMovie MakerShared
Status: Invisible to the Windows API!

Path: C:Program FilesdmproAutoRun.inf
Status: Invisible to the Windows API!

Path: C:Program FilesWindows XP MUI PackAUTORUN.INF
Status: Invisible to the Windows API!

Path: C:Spiljfautorun.inf
Status: Invisible to the Windows API!

Path: C:WINDOWSsystem32wfsintwq.sys
Status: Invisible to the Windows API!

Path: C:WINDOWSsystem32mdelk.exe
Status: Invisible to the Windows API!

Path: c:windowssystem32ntkrnlpa.exe
Status: Allocation size mismatch (API: 24576, Raw: 2027520)

Path: C:WINDOWS$NtUninstallKB971486$ntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:WINDOWS$NtUninstallKB956841$ntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:WINDOWSimeshared
Status: Invisible to the Windows API!

Path: C:WINDOWS$NtUninstallKB929338$ntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:WINDOWS$NtUninstallKB931784$ntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:WINDOWS$NtUninstallKB956572$ntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:WINDOWS$NtServicePackUninstall$ntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:WINDOWS$NtUninstallKB956841_0$ntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:Program FilesMicrosoft Application Compatibility Toolkit 5Internet Explorer Compatibility Test ToolShared
Status: Invisible to the Windows API!

Path: C:SpilGTR2GameDataShared
Status: Invisible to the Windows API!

Path: C:WINDOWSsystem32dllcachentkrnlpa.exe
Status: Locked to the Windows API!

Path: C:WINDOWSServicePackFilesi386ntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:WINDOWSDriver Cachei386ntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:Documents and SettingsSøren HjorthApplication Datadriversdownld
Status: Invisible to the Windows API!

Path: C:Documents and SettingsSøren HjorthApplication Datadriverswinupgro.exe
Status: Invisible to the Windows API!

Path: C:Documents and SettingsSøren HjorthApplication Datamflec006.exe
Status: Invisible to the Windows API!

Path: C:Documents and SettingsSøren HjorthApplication Datamshared
Status: Invisible to the Windows API!

Path: C:MusikGuitarVidLarry_Carlton_Masterclassautorun.inf
Status: Invisible to the Windows API!

Path: C:MusikGuitarVidTeach Me Blues Guitar with Keith WyattAUTORUN.INF
Status: Invisible to the Windows API!

Path: C:Musiksoundpool_DVD[Samples] ACID Loops - Psychedelic GuitarProduct_InfoAutorun.inf
Status: Invisible to the Windows API!

Path: C:Program FilesHPDigital Imaging{BDBE2F3E-42DB-4d4a-8CB1-19BA765DBC6C}autorun.inf
Status: Invisible to the Windows API!

Path: C:SpilGTR2GameDataLocationsshared
Status: Invisible to the Windows API!

Path: C:WINDOWS$hf_mig$KB890859SP2QFEntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:WINDOWS$hf_mig$KB956572SP3QFEntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:WINDOWS$hf_mig$KB956841SP3GDRntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:WINDOWS$hf_mig$KB956841SP3QFEntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:WINDOWS$hf_mig$KB971486SP3QFEntkrnlpa.exe
Status: Locked to the Windows API!

Path: C:Program FilesSeagateBasicsiconfilesfreeagentdesktopautorun.inf
Status: Invisible to the Windows API!

Path: C:Program FilesSeagateBasicsiconfilesfreeagentproautorun.inf
Status: Invisible to the Windows API!

Path: C:Program FilesSeagateBasicsiconfilesmaxtor_desktopautorun.inf
Status: Invisible to the Windows API!

Path: C:Program FilesSeagateBasicsiconfilesmaxtor_portableautorun.inf
Status: Invisible to the Windows API!

Path: C:Program FilesSeagateBasicsiconfilesonetouch iiautorun.inf
Status: Invisible to the Windows API!

Path: C:Program FilesSeagateBasicsiconfilesonetouch iiiautorun.inf
Status: Invisible to the Windows API!

Path: C:Program FilesSeagateBasicsiconfilesonetouch iii miniautorun.inf
Status: Invisible to the Windows API!

Path: C:Program FilesSeagateBasicsiconfilesonetouch ivautorun.inf
Status: Invisible to the Windows API!

Path: C:Program FilesSeagateBasicsiconfilesonetouch iv liteautorun.inf
Status: Invisible to the Windows API!

Path: C:Program FilesSeagateBasicsiconfilesonetouch iv miniautorun.inf
Status: Invisible to the Windows API!

Path: c:documents and settingssøren hjorthapplication datamozillafirefoxprofilesyqfqaxzb.defaultsessionstore.js
Status: Size mismatch (API: 24460, Raw: 24337)

Processes
-------------------
Path: C:Documents and SettingsSøren HjorthApplication Datadriverswinupgro.exe
PID: 1756 Status: Hidden from the Windows API!

Path: C:WINDOWSwintems.exe
PID: 4260 Status: Hidden from the Windows API!

Path: C:Documents and SettingsSøren HjorthApplication Datamflec006.exe
PID: 4672 Status: Hidden from the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf74d787e

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf72b584c

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf72b5bec

#: 119 Function Name: NtOpenKey
Status: Hooked by "sptd.sys" at address 0xf72b0090

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf72b5cc4

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "sptd.sys" at address 0xf72b5b44

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf74d7bfe

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x86da01d8 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x86418980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x86418980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x86418980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x86418980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86418980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86418980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x86418980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x86418980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86418980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86418980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86418980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86418980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86418980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86418980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86418980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86418980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x86418980 Size: 463

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x86418980 Size: 463

Object: Hidden Code [Driver: an62080lЅ瑎獆竈엠Ђః瑎て, IRP_MJ_CREATE]
Process: System Address: 0x86b064e8 Size: 463

Object: Hidden Code [Driver: an62080lЅ瑎獆竈엠Ђః瑎て, IRP_MJ_CLOSE]
Process: System Address: 0x86b064e8 Size: 463

Object: Hidden Code [Driver: an62080lЅ瑎獆竈엠Ђః瑎て, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86b064e8 Size: 463

Object: Hidden Code [Driver: an62080lЅ瑎獆竈엠Ђః瑎て, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86b064e8 Size: 463

Object: Hidden Code [Driver: an62080lЅ瑎獆竈엠Ђః瑎て, IRP_MJ_POWER]
Process: System Address: 0x86b064e8 Size: 463

Object: Hidden Code [Driver: an62080lЅ瑎獆竈엠Ђః瑎て, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86b064e8 Size: 463

Object: Hidden Code [Driver: an62080lЅ瑎獆竈엠Ђః瑎て, IRP_MJ_PNP]
Process: System Address: 0x86b064e8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x86af01d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x86af01d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x86af01d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x86af01d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86af01d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86af01d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86af01d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86af01d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x86af01d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86af01d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x86af01d8 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x86b96680 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x86b96680 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86b96680 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86b96680 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x86b96680 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86b96680 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x86b96680 Size: 463

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x86b661d8 Size: 463

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x86b661d8 Size: 463

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86b661d8 Size: 463

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86b661d8 Size: 463

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x86b661d8 Size: 463

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86b661d8 Size: 463

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x86b661d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x86da21d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x86da21d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x86da21d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x86da21d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86da21d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86da21d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86da21d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86da21d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x86da21d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86da21d8 Size: 463

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x86da21d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x86d351d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x86d351d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x86d351d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86d351d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86d351d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86d351d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86d351d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x86d351d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x86d351d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86d351d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x86d351d8 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x86b6f980 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x86b6f980 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86b6f980 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86b6f980 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x86b6f980 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x86b6f980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x86b0e980 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఈ䵃慖, IRP_MJ_CREATE]
Process: System Address: 0x869131d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఈ䵃慖, IRP_MJ_CLOSE]
Process: System Address: 0x869131d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఈ䵃慖, IRP_MJ_READ]
Process: System Address: 0x869131d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఈ䵃慖, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x869131d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఈ䵃慖, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x869131d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఈ䵃慖, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x869131d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఈ䵃慖, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x869131d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఈ䵃慖, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x869131d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఈ䵃慖, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x869131d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఈ䵃慖, IRP_MJ_SHUTDOWN]
Process: System Address: 0x869131d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఈ䵃慖, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x869131d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఈ䵃慖, IRP_MJ_CLEANUP]
Process: System Address: 0x869131d8 Size: 463

Object: Hidden Code [Driver: Cdfs؅ఈ䵃慖, IRP_MJ_PNP]
Process: System Address: 0x869131d8 Size: 463

Hidden Services
-------------------
Service Name: srosa
Image Path: system32\DRIVERS\sr.sys

==EOF==

Merged posts. ~ OB

Edited by Orange Blossom, 01 December 2009 - 11:13 PM.


#2 schrauber
  • Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 11 December 2009 - 02:00 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 hjorti
  • Topic Starter

Posted 13 December 2009 - 01:28 PM

Thank you for responding.

I have bought a new computer, something I had considered for a while.

So your help is not immediately needed. It would of course be nice to have a healthy computer as backup to my new one, and there are still useful files on the old one, so I may return at some point.

Thanks again.

#4 schrauber

Posted 14 December 2009 - 01:29 PM

Hello hjorti, and again welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber

#5 schrauber

Posted 19 December 2009 - 05:07 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber