Strange 0-byte hidden driver (PCI_NTPNP5592)



#1 kisk

  • Members
  • 339 posts
  • Gender:Male
  • Location:Huntsville, AL

Posted 09 January 2010 - 08:43 PM

Was checking out RootRepeal on my system today, as I do computer tech work and, hell, a new tool is always nice :)

One entry in the Drivers section made me wonder:

CODE
Name: PCI_NTPNP5592
Image Path: \Driver\PCI_NTPNP5592
Address: 0x00000000    Size: 0    File Visible: No    Signed: -
Status: -


Googled a bit and didn't find much on it. Any ideas? Also couldn't find any info on:

CODE
Name: asih84ua.SYS
Image Path: C:\windows\System32\Drivers\asih84ua.SYS
Address: 0xB7AC8000    Size: 417792    File Visible: No    Signed: -
Status: -




Posting my RootRepeal & HJT logs below:

CODE
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:        2010/01/09 19:06
Program Version:        Version 1.3.5.0
Windows Version:        Windows XP SP3
==================================================

Drivers
-------------------
Name: asih84ua.SYS
Image Path: C:\windows\System32\Drivers\asih84ua.SYS
Address: 0xB7AC8000    Size: 417792    File Visible: No    Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\windows\System32\Drivers\dump_atapi.sys
Address: 0xB5344000    Size: 98304    File Visible: No    Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\windows\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79EB000    Size: 8192    File Visible: No    Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7A50000    Size: 1664    File Visible: No    Signed: -
Status: -

Name: PCI_NTPNP5592
Image Path: \Driver\PCI_NTPNP5592
Address: 0x00000000    Size: 0    File Visible: No    Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\windows\system32\drivers\rootrepeal.sys
Address: 0xB4768000    Size: 49152    File Visible: No    Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF798F000    Size: 5248    File Visible: No    Signed: -
Status: -

SSDT
-------------------
#: 025    Function Name: NtClose
Status: Hooked by "C:\windows\System32\Drivers\aswSP.SYS" at address 0xb53966b8

#: 031    Function Name: NtConnectPort
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb553d600

#: 037    Function Name: NtCreateFile
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb5536d50

#: 041    Function Name: NtCreateKey
Status: Hooked by "C:\windows\System32\Drivers\aswSP.SYS" at address 0xb5396574

#: 046    Function Name: NtCreatePort
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb553de10

#: 047    Function Name: NtCreateProcess
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb5554d00

#: 048    Function Name: NtCreateProcessEx
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb5555120

#: 050    Function Name: NtCreateSection
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb555f210

#: 056    Function Name: NtCreateWaitablePort
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb553df80

#: 062    Function Name: NtDeleteFile
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb5537c30

#: 063    Function Name: NtDeleteKey
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb555c750

#: 065    Function Name: NtDeleteValueKey
Status: Hooked by "C:\windows\System32\Drivers\aswSP.SYS" at address 0xb5396a52

#: 068    Function Name: NtDuplicateObject
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb5553e40

#: 071    Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf74f2fb2

#: 073    Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf74f3340

#: 098    Function Name: NtLoadKey
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb555d050

#: 099    Function Name: NtLoadKey2
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb555d280

#: 108    Function Name: NtMapViewOfSection
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb555f5c0

#: 116    Function Name: NtOpenFile
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb5537720

#: 119    Function Name: NtOpenKey
Status: Hooked by "C:\windows\System32\Drivers\aswSP.SYS" at address 0xb539664e

#: 122    Function Name: NtOpenProcess
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb5557420

#: 128    Function Name: NtOpenThread
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb5556ff0

#: 160    Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf74f3418

#: 177    Function Name: NtQueryValueKey
Status: Hooked by "C:\windows\System32\Drivers\aswSP.SYS" at address 0xb539676e

#: 192    Function Name: NtRenameKey
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb555e400

#: 193    Function Name: NtReplaceKey
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb555da10

#: 200    Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb553d150

#: 204    Function Name: NtRestoreKey
Status: Hooked by "C:\windows\System32\Drivers\aswSP.SYS" at address 0xb539672e

#: 210    Function Name: NtSecureConnectPort
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb553d8e0

#: 224    Function Name: NtSetInformationFile
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb5538050

#: 237    Function Name: NtSetSecurityObject
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb555e8b0

#: 247    Function Name: NtSetValueKey
Status: Hooked by "C:\windows\System32\Drivers\aswSP.SYS" at address 0xb53968ae

#: 255    Function Name: NtSystemDebugControl
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb5555cf0

#: 257    Function Name: NtTerminateProcess
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb5555a20

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System    Address: 0x8ad7e1e8    Size: 121

Object: Hidden Code [Driver: SCSI, IRP_MJ_CREATE]
Process: System    Address: 0x8ac7c768    Size: 121

Object: Hidden Code [Driver: SCSI, IRP_MJ_CLOSE]
Process: System    Address: 0x8ac7c768    Size: 121

Object: Hidden Code [Driver: SCSI, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8ac7c768    Size: 121

Object: Hidden Code [Driver: SCSI, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x8ac7c768    Size: 121

Object: Hidden Code [Driver: SCSI, IRP_MJ_POWER]
Process: System    Address: 0x8ac7c768    Size: 121

Object: Hidden Code [Driver: SCSI, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x8ac7c768    Size: 121

Object: Hidden Code [Driver: SCSI, IRP_MJ_PNP]
Process: System    Address: 0x8ac7c768    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System    Address: 0x8a8811e8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System    Address: 0x8a8811e8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System    Address: 0x8a8811e8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System    Address: 0x8a8811e8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System    Address: 0x8a8811e8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8a8811e8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x8a8811e8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System    Address: 0x8a8811e8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System    Address: 0x8a8811e8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x8a8811e8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System    Address: 0x8a8811e8    Size: 121

Object: Hidden Code [Driver: SI3114r, IRP_MJ_CREATE]
Process: System    Address: 0x8ad801e8    Size: 121

Object: Hidden Code [Driver: SI3114r, IRP_MJ_CLOSE]
Process: System    Address: 0x8ad801e8    Size: 121

Object: Hidden Code [Driver: SI3114r, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8ad801e8    Size: 121

Object: Hidden Code [Driver: SI3114r, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x8ad801e8    Size: 121

Object: Hidden Code [Driver: SI3114r, IRP_MJ_POWER]
Process: System    Address: 0x8ad801e8    Size: 121

Object: Hidden Code [Driver: SI3114r, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x8ad801e8    Size: 121

Object: Hidden Code [Driver: SI3114r, IRP_MJ_PNP]
Process: System    Address: 0x8ad801e8    Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System    Address: 0x8ad101e8    Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System    Address: 0x8ad101e8    Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System    Address: 0x8ad101e8    Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System    Address: 0x8ad101e8    Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System    Address: 0x8ad101e8    Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8ad101e8    Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x8ad101e8    Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System    Address: 0x8ad101e8    Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System    Address: 0x8ad101e8    Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x8ad101e8    Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System    Address: 0x8ad101e8    Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System    Address: 0x8a88b790    Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System    Address: 0x8a88b790    Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8a88b790    Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x8a88b790    Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System    Address: 0x8a88b790    Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x8a88b790    Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System    Address: 0x8a88b790    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System    Address: 0x8ad821e8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System    Address: 0x8ad821e8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System    Address: 0x8ad821e8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System    Address: 0x8ad821e8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8ad821e8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x8ad821e8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System    Address: 0x8ad821e8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System    Address: 0x8ad821e8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System    Address: 0x8ad821e8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x8ad821e8    Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System    Address: 0x8ad821e8    Size: 121

Object: Hidden Code [Driver: Si3114r5, IRP_MJ_CREATE]
Process: System    Address: 0x8ad0e1e8    Size: 121

Object: Hidden Code [Driver: Si3114r5, IRP_MJ_CLOSE]
Process: System    Address: 0x8ad0e1e8    Size: 121

Object: Hidden Code [Driver: Si3114r5, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8ad0e1e8    Size: 121

Object: Hidden Code [Driver: Si3114r5, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x8ad0e1e8    Size: 121

Object: Hidden Code [Driver: Si3114r5, IRP_MJ_POWER]
Process: System    Address: 0x8ad0e1e8    Size: 121

Object: Hidden Code [Driver: Si3114r5, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x8ad0e1e8    Size: 121

Object: Hidden Code [Driver: Si3114r5, IRP_MJ_PNP]
Process: System    Address: 0x8ad0e1e8    Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System    Address: 0x8a47b1e8    Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System    Address: 0x8a47b1e8    Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8a47b1e8    Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x8a47b1e8    Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System    Address: 0x8a47b1e8    Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System    Address: 0x8a47b1e8    Size: 121

Object: Hidden Code [Driver: iteraid, IRP_MJ_CREATE]
Process: System    Address: 0x8ad0f1e8    Size: 121

Object: Hidden Code [Driver: iteraid, IRP_MJ_CLOSE]
Process: System    Address: 0x8ad0f1e8    Size: 121

Object: Hidden Code [Driver: iteraid, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8ad0f1e8    Size: 121

Object: Hidden Code [Driver: iteraid, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x8ad0f1e8    Size: 121

Object: Hidden Code [Driver: iteraid, IRP_MJ_POWER]
Process: System    Address: 0x8ad0f1e8    Size: 121

Object: Hidden Code [Driver: iteraid, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x8ad0f1e8    Size: 121

Object: Hidden Code [Driver: iteraid, IRP_MJ_PNP]
Process: System    Address: 0x8ad0f1e8    Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System    Address: 0x8a858790    Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System    Address: 0x8a858790    Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8a858790    Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x8a858790    Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System    Address: 0x8a858790    Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x8a858790    Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System    Address: 0x8a858790    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System    Address: 0x8a4411e8    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ఍灇敦ʈ, IRP_MJ_CREATE]
Process: System    Address: 0x8a28a588    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ఍灇敦ʈ, IRP_MJ_CLOSE]
Process: System    Address: 0x8a28a588    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ఍灇敦ʈ, IRP_MJ_READ]
Process: System    Address: 0x8a28a588    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ఍灇敦ʈ, IRP_MJ_QUERY_INFORMATION]
Process: System    Address: 0x8a28a588    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ఍灇敦ʈ, IRP_MJ_SET_INFORMATION]
Process: System    Address: 0x8a28a588    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ఍灇敦ʈ, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System    Address: 0x8a28a588    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ఍灇敦ʈ, IRP_MJ_DIRECTORY_CONTROL]
Process: System    Address: 0x8a28a588    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ఍灇敦ʈ, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System    Address: 0x8a28a588    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ఍灇敦ʈ, IRP_MJ_DEVICE_CONTROL]
Process: System    Address: 0x8a28a588    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ఍灇敦ʈ, IRP_MJ_SHUTDOWN]
Process: System    Address: 0x8a28a588    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ఍灇敦ʈ, IRP_MJ_LOCK_CONTROL]
Process: System    Address: 0x8a28a588    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ఍灇敦ʈ, IRP_MJ_CLEANUP]
Process: System    Address: 0x8a28a588    Size: 121

Object: Hidden Code [Driver: Cdfsࠅ఍灇敦ʈ, IRP_MJ_PNP]
Process: System    Address: 0x8a28a588    Size: 121

==EOF==





CODE
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:06 PM, on 1/9/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\nvsvc32.exe
C:\windows\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\windows\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\windows\System32\snmp.exe
C:\windows\system32\svchost.exe
C:\windows\system32\taskmgr.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\Explorer.EXE
C:\windows\system32\NOTEPAD.EXE
C:\_BamaComputerRepair\_BAMA\Tools\AntiRootkits\RootRepeal v1.3.5 beta\RootRepeal.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\notepad.exe
C:\Program Files\NewsBin\nbpro.exe
C:\_BamaComputerRepair\_BAMA\Tools\HijackThis v2.0.2\HijackThis.exe
C:\Documents and Settings\kisk_\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\kisk_\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\windows\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262814693843
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1258758762859
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: intu-help-qb3 - {C5E479EA-0A65-4B05-8C6C-2FC8CC682EB4} - c:\Program Files\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rqRLecdc - rqRLecdc.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: QBCFMonitorService - Intuit - c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - c:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: QuickBooksDB20 - Intuit, Inc. - c:\PROGRA~1\Intuit\QUICKB~1\QBDBMgrN.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: XMAILOKEY - Sysinternals - www.sysinternals.com - C:\DOCUME~1\kisk_\LOCALS~1\Temp\XMAILOKEY.exe
O23 - Service: ZBSLGAI - Sysinternals - www.sysinternals.com - C:\DOCUME~1\kisk_\LOCALS~1\Temp\ZBSLGAI.exe

--
End of file - 7921 bytes



Thanks!

Edited by kisk, 09 January 2010 - 08:46 PM.
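Added example (not part of kisk's post, and not RootRepeal's own code): a small Python triage script for the two RootRepeal sections quoted above. It parses the Drivers block and the SSDT block, flags driver entries that have no backing image (Address 0x00000000 and Size 0), an image path that is not a full file-system path (the object-manager name \Driver\PCI_NTPNP5592, or a bare filename such as giveio.sys), or File Visible: No, and counts SSDT hooks per hooking module so a reader can see at a glance which driver owns most of them. The sample log embedded in the script is an excerpt copied from the log above; the flag labels and the heuristics are this example's own, not RootRepeal's.

```python
import re
from collections import Counter

# Excerpt copied from the RootRepeal log posted above (Drivers and SSDT
# sections only), embedded here so the script runs offline.
SAMPLE_LOG = r"""Drivers
-------------------
Name: asih84ua.SYS
Image Path: C:\windows\System32\Drivers\asih84ua.SYS
Address: 0xB7AC8000    Size: 417792    File Visible: No    Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7A50000    Size: 1664    File Visible: No    Signed: -
Status: -

Name: PCI_NTPNP5592
Image Path: \Driver\PCI_NTPNP5592
Address: 0x00000000    Size: 0    File Visible: No    Signed: -
Status: -

SSDT
-------------------
#: 025    Function Name: NtClose
Status: Hooked by "C:\windows\System32\Drivers\aswSP.SYS" at address 0xb53966b8

#: 031    Function Name: NtConnectPort
Status: Hooked by "C:\windows\System32\vsdatant.sys" at address 0xb553d600

#: 071    Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf74f2fb2

==EOF==
"""

# One RootRepeal driver entry: four lines, of which the third carries
# load address, image size, on-disk visibility and signature state.
DRIVER_RE = re.compile(
    r"Name: (?P<name>.+)\nImage Path: (?P<path>.+)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+)\s+Size: (?P<size>\d+)\s+"
    r"File Visible: (?P<visible>\w+)\s+Signed: (?P<signed>\S+)"
)
# One SSDT entry: service index and Nt* name, then the hooking module.
SSDT_RE = re.compile(
    r"#: (?P<index>\d+)\s+Function Name: (?P<func>\w+)\n"
    r'Status: Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)'
)
FS_PATH_RE = re.compile(r"^[A-Za-z]:\\")  # drive-letter path, e.g. C:\...

# Flag labels are this example's own, not RootRepeal output.
NO_IMAGE = "no backing image (address 0x0, size 0)"
NOT_FS_PATH = "image path is not a full file-system path"
NOT_VISIBLE = "file not visible to a normal directory listing"


def split_sections(text):
    """Map section title -> body, using RootRepeal's 'Title' + '-----' headers."""
    sections, title, body = {}, None, []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("-----"):
            if title is not None:
                sections[title] = "\n".join(body)
            title, body = line.strip(), []
        elif line.startswith("-----") or line.strip() == "==EOF==":
            continue
        else:
            body.append(line)
    if title is not None:
        sections[title] = "\n".join(body)
    return sections


def parse_rootrepeal(text):
    """Return {'drivers': [...], 'ssdt': [...]} with numeric addr/size fields."""
    sections = split_sections(text)
    drivers = [
        {**m.groupdict(), "size": int(m.group("size")), "addr": int(m.group("addr"), 16)}
        for m in DRIVER_RE.finditer(sections.get("Drivers", ""))
    ]
    ssdt = [
        {**m.groupdict(), "index": int(m.group("index")), "addr": int(m.group("addr"), 16)}
        for m in SSDT_RE.finditer(sections.get("SSDT", ""))
    ]
    return {"drivers": drivers, "ssdt": ssdt}


def triage_drivers(drivers):
    """Return [(name, [reasons])] for driver entries worth a closer look."""
    findings = []
    for d in drivers:
        reasons = []
        if d["addr"] == 0 and d["size"] == 0:
            reasons.append(NO_IMAGE)
        if not FS_PATH_RE.match(d["path"]):
            reasons.append(NOT_FS_PATH)
        if d["visible"].lower() == "no":
            reasons.append(NOT_VISIBLE)
        if reasons:
            findings.append((d["name"], reasons))
    return findings


def ssdt_hookers(hooks):
    """Count SSDT hooks per hooking module (basename, lower-cased)."""
    return Counter(h["module"].rsplit("\\", 1)[-1].lower() for h in hooks)


if __name__ == "__main__":
    report = parse_rootrepeal(SAMPLE_LOG)
    for name, reasons in triage_drivers(report["drivers"]):
        print(f"{name}: {'; '.join(reasons)}")
    for module, count in ssdt_hookers(report["ssdt"]).most_common():
        print(f"{count} SSDT hook(s) by {module}")
```

Two caveats when reading the output against the full log above. Every driver entry there, including rootrepeal.sys itself, carries File Visible: No, so that field alone carries no signal on this machine; the observations that actually single out PCI_NTPNP5592 are the zero load address and zero size, which are consistent with a driver object for which RootRepeal found no loaded module behind the name. And the SSDT count only says which module owns the hooks (aswSP.SYS and vsdatant.sys, i.e. the avast and ZoneAlarm drivers the HJT log shows installed, plus sptd.sys); whether a hook is legitimate is a question about the product, not about the number.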


#2 myrti

  • Malware Study Hall Admin
  • 33,771 posts
  • Gender:Female
  • Location:At home

Posted 15 January 2010 - 06:51 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  1. Please download OTL from the following mirror:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 
