Need help with Troj/Mbroot-H found by Webroot


10 replies to this topic

#1 ChillerKyle

Posted 23 March 2010 - 08:52 AM

Hello! This computer at my work has been bugging my coworker for weeks now. He has Webroot Spysweeper that continually finds Troj/Mbroot-H. It removes the virus but it keeps reappearing. I was attempting to follow the forum here - http://www.bleepingcomputer.com/forums/t/301112/infected-with-trojmbroot-h/ - but was unsuccessful. Mozilla Firefox works intermittently but always freezes the computer. Even the screensaver will sometimes freeze the computer. Internet Explorer is excruciatingly difficult to use as it is very sluggish and can freeze. Does anyone know of any programs to truly get rid of this virus without having to format the hard drive?

Edited by elise025, 23 March 2010 - 09:02 AM.
I am moving this from the XP forum to the Am I Infected forum ~ Elise




#2 boopme

Posted 23 March 2010 - 03:16 PM

Let's look for it.
Please download mbr.exe and save it to the root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.
If you have a problem using the command prompt, you can just double-click on mbr.exe to run the tool.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 ChillerKyle

Posted 24 March 2010 - 07:17 AM

Thank you very much for your help!
Here is what I got.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !

#4 boopme

Posted 24 March 2010 - 10:10 AM

Ok, we have a baddie.
To remove the infection, run the command mbr.exe -f (note the space between the e and -f) from a command prompt.

Open Windows Explorer and rename the C:\mbr.log to C:\mbr.old
Go to Start > Run and type: cmd
press Ok.
At the command prompt, type: cd \
press Enter.
At the command prompt, type: mbr.exe -f
(make sure you have a space before the e and the -f)
press Enter.
At the command prompt, type: exit
press Enter.

It will produce a new report at C:\mbr.log. Please copy/paste the results in your next reply.

#5 ChillerKyle

Posted 24 March 2010 - 10:39 AM

Here are the results

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
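The mbr.exe output quoted in posts #3 and #5 (unchanged after the -f run) reports a stored copy of the MBR in a far sector, code in the sectors after it, and a raw PE file beyond that. As an added illustration that is not part of the thread or of Gmer's tool, the Python below scans a constructed raw disk image for two of those indicators: a sector in unpartitioned space that carries the live MBR's partition table and signature (a stashed original MBR) whose boot code differs from sector 0, and a sector starting with a PE "MZ" header outside any partition. The partition layout, sector numbers and the "infected" arrangement are constructed sample data; the user-mode versus kernel-mode MBR comparison the real tool performs is not modelled.

```python
"""Scan a raw disk image for indicators of an MBR rootkit that stashes the
original MBR and a PE payload in sectors beyond the last partition."""
import struct

SECTOR = 512
PT_OFFSET = 446          # partition table occupies bytes 446..509 of the MBR
BOOT_SIG = b"\x55\xaa"   # MBR signature at bytes 510..511


def parse_partitions(sector):
    """Return (lba_start, sector_count) for each non-empty partition entry."""
    parts = []
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i: PT_OFFSET + 16 * (i + 1)]
        ptype = entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count:
            parts.append((lba_start, count))
    return parts


def scan_image(img):
    """Inspect every sector beyond the last partition for a stashed MBR copy
    and for a raw PE header; return findings keyed by indicator."""
    if len(img) % SECTOR:
        raise ValueError("image is not sector aligned")
    mbr = img[:SECTOR]
    findings = {"mbr_copy": None, "boot_code_differs": False, "pe_sectors": []}
    if mbr[510:512] != BOOT_SIG:
        findings["error"] = "live MBR lacks 0x55AA signature"
        return findings
    parts = parse_partitions(mbr)
    last_used = max((s + c for s, c in parts), default=1)
    n_sectors = len(img) // SECTOR
    for lba in range(last_used, n_sectors):
        sec = img[lba * SECTOR:(lba + 1) * SECTOR]
        # A sector in unallocated space that repeats the live partition table
        # and signature is how a stored original MBR looks on disk.
        if sec[PT_OFFSET:] == mbr[PT_OFFSET:] and findings["mbr_copy"] is None:
            findings["mbr_copy"] = lba
            # Boot code that differs from the stored copy means sector 0 was rewritten.
            findings["boot_code_differs"] = sec[:PT_OFFSET] != mbr[:PT_OFFSET]
        elif sec[:2] == b"MZ":
            # A DOS/PE header in raw sectors outside any filesystem is a stored payload.
            findings["pe_sectors"].append(lba)
    return findings


def report(findings):
    """Render findings in the style of the detector output quoted in the thread."""
    lines = []
    if findings["mbr_copy"] is not None:
        lines.append("copy of MBR has been found in sector 0x%08X" % findings["mbr_copy"])
        if findings["boot_code_differs"]:
            lines.append("live MBR boot code differs from the stored copy !")
    for lba in findings["pe_sectors"]:
        lines.append("PE file found in sector at 0x%08X !" % lba)
    return lines or ["no MBR copy or raw PE found beyond the partitioned area"]


def build_images():
    """Constructed sample data: a clean 2 MiB image and one laid out like an
    MBR rootkit (rewritten sector 0, original MBR stashed at LBA 3000, PE at 3025)."""
    n = 4096
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (PT_OFFSET - 4)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 2000)
    table = entry + b"\x00" * 48
    orig_mbr = boot_code + table + BOOT_SIG
    clean = bytearray(n * SECTOR)
    clean[:SECTOR] = orig_mbr
    infected = bytearray(clean)
    infected[:PT_OFFSET] = b"\xEB\xFE" + b"\x00" * (PT_OFFSET - 2)
    infected[3000 * SECTOR:3000 * SECTOR + SECTOR] = orig_mbr
    infected[3025 * SECTOR:3025 * SECTOR + 2] = b"MZ"
    return bytes(clean), bytes(infected)


if __name__ == "__main__":
    for name, img in zip(("clean", "infected"), build_images()):
        print(name)
        for line in report(scan_image(img)):
            print("  " + line)
```

Re-running the scan on the same image after any remediation step is the check that tells you whether the step changed anything, which is what the identical logs in posts #3 and #5 show for the real tool.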

#6 boopme

Posted 24 March 2010 - 12:15 PM

Hi, I need to double check the results. Also, is this XP or Vista?


We need to check for rootkits with RootRepeal.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#7 ChillerKyle

Posted 24 March 2010 - 12:53 PM

When I opened the program, "RootRepeal Error: invalid PE image found!" appeared. I hope this did not affect it in any way.

Here are the results, and again thank you very much for your time! I have become a fan on Facebook and will definitely inform everyone I know of this marvelous site!

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/03/24 13:42
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA6C6A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5EE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mbr.sys
Image Path: C:\DOCUME~1\New\LOCALS~1\Temp\mbr.sys
Address: 0xBA3F0000 Size: 20864 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA70AB000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xB9E41000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\New\Local Settings\Temporary Internet Files\Content.IE5\F6FK72IQ\s_57b640c254f94d10af4ebef750f33cc6[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\New\Local Settings\Temporary Internet Files\Content.IE5\F6FK72IQ\s_59ce334c54550487cada615f2d281b65[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\New\Local Settings\Temporary Internet Files\Content.IE5\F6FK72IQ\s_61b76912f5f544f8a4737a50e511ebac[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\New\Local Settings\Temporary Internet Files\Content.IE5\F6FK72IQ\s_649e9dfab04742c9ba82d533b462cc0a[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\New\Local Settings\Temporary Internet Files\Content.IE5\F6FK72IQ\s_6b87cd870b174c15b5e1f552c6b9a2f2[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\New\Local Settings\Temporary Internet Files\Content.IE5\F6FK72IQ\s_6d3492631825421a8849f3064b8db039[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\New\Local Settings\Temporary Internet Files\Content.IE5\F6FK72IQ\s_6dbd1bc529fd2463268ccb2d47d93256[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\New\Local Settings\Temporary Internet Files\Content.IE5\F6FK72IQ\s_70201f98b7624d6fbbcfe069e4135ce1[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\New\Local Settings\Temporary Internet Files\Content.IE5\F6FK72IQ\s_712d4479c4164cc5a2738ce080921cfa[1].jpg
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\New\Local Settings\Temporary Internet Files\Content.IE5\F6FK72IQ\s_72d46e2f8a6c465cb3d3d4e8e7abc484[1].png
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\New\Local Settings\Temporary Internet Files\Content.IE5\F6FK72I

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8a3b8538

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8a3b8570

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x89a894a8

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x89b94500

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x89cb5878

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa6f46130

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x89b66168

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x8a677cb0

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x8a677c38

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x8a5140a8

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8a38bb78

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x89f29340

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa6f463b0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa6f46910

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x89a8b4d0

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x89b35de8

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8a3a5ef8

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8a3a5fd0

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8a3760d0

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a38b7e8

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8a3a2cb0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x89a8e490

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x89f3aba8

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x89bf20b0

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x89aa4b00

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a3441a8

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x8a692fa8

#: 186 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a692e40

#: 192 Function Name: NtRenameKey
Status: Hooked by "<unknown>" at address 0x8a6551b0

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8a37b598

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8a3a9880

#: 226 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x8a677e18

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x89b27230

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8a677968

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x89f48208

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xa6f46b60

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8a3a2bd8

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8a3b3a78

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x89f241f0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8a3b5990

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8a3cc198

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8a394f80

Stealth Objects
-------------------
Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
Process: System Address: 0x89f29d10 Size: 643

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x89f1ec20 Size: 523

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
Process: System Address: 0x89f3dc20 Size: 768

Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
Process: System Address: 0x89f5b5d0 Size: 2609

Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
Process: System Address: 0x89f598a8 Size: 1881

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x89f2b8a8 Size: 380

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x89f4d7b0 Size: 2129

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
Process: System Address: 0x89f2b438 Size: 1516

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
Process: System Address: 0x89f2aeb0 Size: 100

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x89f2ab38 Size: 379

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x89f4c9a0 Size: 272

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x89f4c928 Size: 392

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x89f4c8b0 Size: 512

Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x89f4c530 Size: 1408

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x89f4c4b8 Size: 1528

Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x89f4c440 Size: 1648

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
Process: System Address: 0x89f4b830 Size: 2001

Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x89f4b7b8 Size: 2121

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
Process: System Address: 0x89f4b740 Size: 2241

Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x89f49fa8 Size: 88

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x89f49f30 Size: 208

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
Process: System Address: 0x89f49eb8 Size: 328

Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
Process: System Address: 0x89f49b38 Size: 488

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x89f49ac0 Size: 608

Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x89f49a48 Size: 728

Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x89f48d18 Size: 745

Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
Process: System Address: 0x89f48ca0 Size: 865

Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
Process: System Address: 0x89f48c28 Size: 985

Shadow SSDT
-------------------
#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "<unknown>" at address 0x8a36e998

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "<unknown>" at address 0x8a3a0320

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "<unknown>" at address 0x8a363520

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "<unknown>" at address 0x89f679c8

#: 428 Function Name: NtUserGetRawInputData
Status: Hooked by "<unknown>" at address 0x89bef278

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "<unknown>" at address 0x8a5694a0

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "<unknown>" at address 0x89f3ee88

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "<unknown>" at address 0x8a56c6d8

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x89bc1b38

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "<unknown>" at address 0x89f55c38

==EOF==

#8 ChillerKyle

ChillerKyle
  • Topic Starter

  • Members
  • 16 posts

Posted 24 March 2010 - 12:55 PM

I just noticed RootRepeal states, "RootRepeal Error (Error - on-disk corruption detected run chkdsk)".

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • Gender:Male
  • Location:NJ USA

Posted 24 March 2010 - 01:50 PM

Hello, this looks like a rootkit that will make your system unstable. I would prefer we get DDS and Gmer logs. Post these in Malware Removal, so we can safely get it out.

Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic from step 9.
If Gmer won't run, skip it and move on.
Add this link from our topic here to that post:

http://www.bleepingcomputer.com/forums/ind...p;#entry1686208

Let me know if that went well.

Edited by boopme, 24 March 2010 - 01:51 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#10 ChillerKyle

ChillerKyle
  • Topic Starter

  • Members
  • 16 posts

Posted 26 March 2010 - 12:01 PM

I apologize for the untimely response. It appears as though the other post has been closed. I have tried GMER several times and it continually freezes the computer. I will continue to try. For now, here are the results of DDS.

DDS

DDS (Ver_10-03-17.01) - NTFSx86
Run by New at 8:06:44.93 on Fri 03/26/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3316.2744 [GMT -4:00]

AV: Webroot AntiVirus with Spy Sweeper *On-access scanning enabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

============== Running Processes ===============

C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panasonic\PHOTOfunSTUDIO\PhAutoRun.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Defogger.exe
C:\Documents and Settings\New\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.8.0.41\IPSBHO.DLL
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [RTHDCPL] "RTHDCPL.EXE"
mRun: [IgfxTray] "c:\windows\system32\igfxtray.exe"
mRun: [Persistence] "c:\windows\system32\igfxpers.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [UserFaultCheck] "%systemroot%\system32\dumprep" 0 -u
mRun: [KernelFaultCheck] "%systemroot%\system32\dumprep" 0 -k
mRun: [HotKeysCmds] "c:\windows\system32\hkcmd.exe"
mRun: [ArcSoft Connection Service] "c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe"
mRun: [Alcmtr] "ALCMTR.EXE"
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - c:\program files\panasonic\photofunstudio\PhAutoRun.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1241453776656
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1241453830468
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\new\applic~1\mozilla\firefox\profiles\cxb77nce.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-21 29808]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1008000.029\SymEFA.sys [2010-1-28 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1008000.029\BHDrvx86.sys [2010-1-28 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1008000.029\cchpx86.sys [2010-1-28 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100210.001\IDSXpx86.sys [2010-2-15 329592]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.8.0.41\ccSvcHst.exe [2010-1-28 117640]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-11-6 4048240]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2009-6-11 1201640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
R3 NmPar;PCI Parallel Port;c:\windows\system32\drivers\NmPar.sys [2008-12-24 80256]
S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100217.005\NAVENG.SYS [2010-2-17 84912]
S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100217.005\NAVEX15.SYS [2010-2-17 1324720]

=============== Created Last 30 ================

2010-03-26 11:43:45 0 ----a-w- c:\documents and settings\new\defogger_reenable
2010-03-26 11:43:33 50477 ----a-w- C:\Defogger.exe
2010-03-24 17:38:20 472064 ----a-w- C:\RootRepeal.exe
2010-03-24 12:15:07 77312 ----a-w- C:\mbr.exe
2010-03-19 12:09:33 0 d-----w- c:\docume~1\new\applic~1\Malwarebytes
2010-03-19 12:09:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-19 12:09:26 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-03-19 12:09:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-19 12:09:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-09 17:59:06 0 d-----w- c:\windows\pss
2010-03-08 15:14:42 0 d-----w- c:\docume~1\alluse~1\applic~1\ArcSoft
2010-03-05 13:00:48 26 ----a-w- C:\UpdaterforApp.ini
2010-03-05 12:46:18 245408 ----a-w- c:\windows\system32\unicows.dll
2010-03-05 12:46:18 11776 ----a-w- c:\windows\system32\drivers\afc.sys
2010-03-05 12:46:11 126976 ----a-w- c:\windows\system32\MediaImpression Slideshow.scr
2010-03-05 12:45:44 0 d-----w- c:\windows\system32\MediaImpression Slideshow
2010-03-05 12:41:33 33408 ----a-w- c:\windows\system32\drivers\cdrbsdrv.sys
2010-03-05 12:41:30 59488 ----a-w- c:\windows\system32\GenSvcInst.exe
2010-03-05 12:41:30 145504 ----a-w- c:\windows\system32\bgsvcgen.exe
2010-03-05 12:40:53 45056 ----a-w- c:\windows\system32\PhDi2.sys
2010-03-05 12:07:49 4653 ----a-w- c:\windows\system32\EPPICPattern4.jor
2010-02-24 15:01:27 0 d-----w- c:\program files\Entropia Universe

==================== Find3M ====================

2010-01-14 18:26:13 83160 ----a-w- c:\windows\fonts\DAYROM__.ttf
2010-01-14 18:26:13 30088 ----a-w- c:\windows\fonts\DAYROM_X.ttf
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll

============= FINISH: 8:07:03.62 ===============

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • Gender:Male
  • Location:NJ USA

Posted 31 March 2010 - 01:33 PM

Ahh, I see the problem... This log needs to be posted in the Malware Removal forum from step 9 above.

Please repost it here: Virus, Trojan, Spyware, and Malware Removal Logs
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

By creating a new topic...