
[Closed] Sounds like ads on my computer


  • This topic is locked
4 replies to this topic

#1 oooicu812o

    Authentic Member

  • 20 posts

Posted 19 October 2009 - 06:44 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:19 PM, on 10/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\BMWgroup\ETKLokal\transbase\tbmux32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\reader_s.exe
C:\Documents and Settings\Kevin.DESKTOP\reader_s.exe
C:\WINDOWS\System32\alg.exe
c:\flttpxu.exe
C:\Windows\System32\Notepad.exe
C:\DOCUME~1\KEVIN~1.DES\LOCALS~1\Temp\ctv269.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kevin.DESKTOP\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: C:\WINDOWS\system32\zo06nx7.dll - {a249bc15-23f2-42ad-f4e4-00aac39c0004} - C:\WINDOWS\system32\zo06nx7.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [Adobe_Reader] c:\program files\adobe\acrotray.exe
O4 - HKCU\..\Run: [Tji771] C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Kevin.DESKTOP\reader_s.exe
O4 - HKCU\..\Run: [12CFG214-K641-12SF-N85P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
O4 - HKCU\..\Run: [12CFG214-K641-24SF-N84P] C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1858\port88.exe
O4 - HKUS\.DEFAULT\..\Run: [Login Software 2009] C:\WINDOWS\TEMP\ffmr1j.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\WINDOWS\TEMP\notepad.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {298BFFEE-662D-11D5-ADAF-00E0810232D7} (lgbplay Class) - https://simulcast.ma...b/LiveSound.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1237503264140
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O22 - SharedTaskScheduler: iukjsf8w3jirojs9f8u3jruhsf78s3jijdif - {A249BC15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\zo06nx7.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FCI (fci) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
O23 - Service: ICF (icf) - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSDV Driver (msdvdr) - Unknown owner - C:\WINDOWS\system32\msdvdr.pif
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Transbase - Transaction Software, D 81737 Munich - C:\BMWgroup\ETKLokal\transbase\tbmux32.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 4922 bytes


StartupList report, 10/19/2009, 7:42:19 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Kevin.DESKTOP\Desktop\hijackthis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP3 (6.00.2900.5512)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\BMWgroup\ETKLokal\transbase\tbmux32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\reader_s.exe
C:\Documents and Settings\Kevin.DESKTOP\reader_s.exe
C:\WINDOWS\System32\alg.exe
c:\flttpxu.exe
C:\Windows\System32\Notepad.exe
C:\DOCUME~1\KEVIN~1.DES\LOCALS~1\Temp\ctv269.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kevin.DESKTOP\Desktop\hijackthis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
reader_s = C:\WINDOWS\System32\reader_s.exe
Adobe_Reader = c:\program files\adobe\acrotray.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Tji771 = C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
reader_s = C:\Documents and Settings\Kevin.DESKTOP\reader_s.exe
12CFG214-K641-12SF-N85P = C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
12CFG214-K641-24SF-N84P = C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1858\port88.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\WINDOWS\system32\zo06nx7.dll - {a249bc15-23f2-42ad-f4e4-00aac39c0004}

--------------------------------------------------

Enumerating Task Scheduler jobs:

At1.job
At10.job
At11.job
At12.job
At13.job
At14.job
At15.job
At16.job
At17.job
At18.job
At19.job
At2.job
At20.job
At21.job
At22.job
At23.job
At24.job
At3.job
At4.job
At5.job
At6.job
At7.job
At8.job
At9.job
GoogleUpdateTaskMachineCore.job
GoogleUpdateTaskMachineUA.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.micros...tes/ieawsdc.cab

[lgbplay Class]
InProcServer32 = C:\WINDOWS\DOWNLO~1\LIVESO~1.DLL
CODEBASE = https://simulcast.ma...b/LiveSound.dll

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.micros...b?1237503264140

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9f.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\KEVIN~1.DES\LOCALS~1\Temp\3.tmp||C:\DOCUME~1\KEVIN~1.DES\LOCALS~1\Temp\8.tmp


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,891 bytes
Report generated in 0.234 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only



#2 extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • 1,433 posts

Posted 19 October 2009 - 07:37 PM

Hello and welcome to WTT. :)

Let's start off with two more scanners please, followed by scanning a few files as well. You seem to have a nasty infection on board here and I would like to confirm a few things before we continue any further.

Download and run DDS

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results soon.
  • Follow the instructions that pop up for posting the results and then click Ok.
  • The black box and message window shall then disappear.
  • Please save both log files on your desktop and post the DDS.txt and zip up and attach Attach.txt as instructed.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.


  • Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal.)
  • Close/Disable all other programs, especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page if you are unsure how.
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the [screenshot] tab at the bottom.
  • Now press the [screenshot] button.
  • A box will pop up, check the boxes beside All Seven options/scan area [screenshot]
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button. [screenshot]
  • Save it as RepealScan and save it to your desktop
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.

Submit File to Online Scanner

There is a file that I would like you to check out for me using VirusTotal/VirSCAN
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
  • C:\Windows\explorer.exe
  • C:\Windows\system32\svchost.exe
  • C:\Windows\system32\userinit.exe
  • c:\windows\system32\spoolsv.exe
  • C:\WINDOWS\SYSTEM32\lsass.exe
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.


Post back with those logs in your next reply and give me an update of the condition of your system.

Thanks.

With Regards,
Extremeboy

Edited by extremeboy, 19 October 2009 - 07:40 PM.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

The help you receive here is free. If you wish to show your appreciation, you may wish to [image]
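The helper above is reading the HijackThis log for the same handful of red flags a malware analyst looks for first: a second executable appended to the Winlogon UserInit value, a Browser Helper Object with no friendly name, Run entries launched out of RECYCLER or TEMP, and a service whose binary is an NTFS alternate data stream or is missing from disk. The script below is an added example written for this page, not a tool from the thread, from HijackThis or from the forum staff; the four rules are my own heuristics, and the sample lines are copied from the log posted in #1 plus two benign entries for contrast.

```python
import re
from typing import Dict, List

# Constructed sample: entries taken from the HijackThis log posted in #1,
# with the RealPlayer and NVIDIA lines kept as known-good controls.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: C:\WINDOWS\system32\zo06nx7.dll - {a249bc15-23f2-42ad-f4e4-00aac39c0004} - C:\WINDOWS\system32\zo06nx7.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [Tji771] C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
O4 - HKUS\.DEFAULT\..\Run: [Login Software 2009] C:\WINDOWS\TEMP\ffmr1j.exe (User 'Default user')
O23 - Service: FCI (fci) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Directories that legitimate startup entries almost never live in (heuristic).
SUSPECT_DIRS = re.compile(r"\\(RECYCLER|TEMP|Local Settings\\Temp)\\", re.IGNORECASE)
# "file.exe:stream" is an NTFS alternate data stream hiding behind a real file name.
ADS_PATH = re.compile(r"\.(exe|dll|sys):[^\\\s]+", re.IGNORECASE)
# O4 lines look like: O4 - <hive>\..\Run: [<value name>] <command>
RUN_ENTRY = re.compile(r"^O4 - .*?\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def _command_path(cmd: str) -> str:
    """Return the executable path from a Run-key command, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|com|pif|scr|bat))\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def _finding(section: str, reason: str, line: str) -> Dict[str, str]:
    return {"section": section, "reason": reason, "line": line}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Apply the four heuristics to each HijackThis line; one finding per hit, in log order."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "F2" and "UserInit=" in line:
            # Winlogon runs every comma-separated entry; only userinit.exe belongs there.
            exes = [p for p in line.split("UserInit=", 1)[1].split(",") if p.strip()]
            extra = [p for p in exes if not p.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(_finding(section, "extra UserInit executable: " + ", ".join(extra), line))
        elif section == "O2":
            # "O2 - BHO: <name> - {CLSID} - <path>": HijackThis prints the path as the
            # name when the DLL has no friendly name, which installed BHOs normally do.
            parts = line.split(" - ", 3)
            if len(parts) == 4 and parts[1].replace("BHO: ", "", 1) == parts[3]:
                findings.append(_finding(section, "BHO with no name", line))
        elif section == "O4":
            m = RUN_ENTRY.match(line)
            if m and SUSPECT_DIRS.search(_command_path(m.group("cmd"))):
                findings.append(_finding(section, "autorun from temp/recycler directory", line))
        elif section == "O23":
            if ADS_PATH.search(line):
                findings.append(_finding(section, "service binary is an alternate data stream", line))
            elif "(file missing)" in line:
                findings.append(_finding(section, "service binary missing on disk", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

Run as-is it flags five of the nine sample lines: the ntos.exe UserInit entry, the unnamed zo06nx7.dll BHO, the two Run entries under RECYCLER and TEMP, and the FCI service whose path is svchost.exe:ext.exe. The reader_s.exe Run entry passes every rule because it sits in System32 under an ordinary-looking name; path heuristics narrow the list, they do not replace the file submissions the helper asks for.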

#3 oooicu812o

    Authentic Member

  • 20 posts

Posted 19 October 2009 - 09:57 PM

It did not give me the DDS.txt or Attach.txt files it just gave me the box that said I needed to save them.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/19 22:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name:
Image Path:
Address: 0xBA6DB000 Size: 98304 File Visible: No Signed: -
Status: -

Name:
Image Path:
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: 00000056
Image Path: \Driver\00000056
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: 00000904
Image Path: 00000904
Address: 0x87A6B000 Size: 41217 File Visible: No Signed: -
Status: -

Name: 00000904
Image Path: 00000904
Address: 0xAF346000 Size: 78336 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: 214068b9.sys
Image Path: C:\WINDOWS\System32\drivers\214068b9.sys
Address: 0xB020F000 Size: 96256 File Visible: No Signed: -
Status: -

Name: 648257fa.sys
Image Path: C:\WINDOWS\System32\drivers\648257fa.sys
Address: 0xB0227000 Size: 96640 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAFC11000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBAE0C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAEF26000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\i386\symndis.sys
Status: Size mismatch (API: 182656, Raw: 34424)

Path: c:\i386\ndis.sys
Status: Size mismatch (API: 182656, Raw: 162432)

Path: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1858\port88.exe
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\ntos.exe
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\wsnpoem
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\msdvdr.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\msdvdr.pif
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\msdvdr.sys
Status: Invisible to the Windows API!

Path: c:\windows\$ntuninstallkb826942$\ndis.sys
Status: Size mismatch (API: 182656, Raw: 167552)

Path: c:\windows\$ntservicepackuninstall$\ndis.sys
Status: Size mismatch (API: 182656, Raw: 182912)

Path: C:\WINDOWS\system32\drivers\214068b9.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\2164cb8c.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\648257fa.sys
Status: Locked to the Windows API!

Path: c:\windows\system32\drivers\ndis.sys
Status: Size mismatch (API: 182656, Raw: 212224)

Path: C:\WINDOWS\system32\drivers\str.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\asstfz.sys
Status: Invisible to the Windows API!

Path: c:\windows\system32\dllcache\ndis.sys
Status: Size mismatch (API: 182656, Raw: 212224)

Path: C:\Documents and Settings\Kevin.DESKTOP\My Documents\Stata8\ado\base\s
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Kevin.DESKTOP\My Documents\Stata8\ado\updates\s
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Kevin\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Kevin.DESKTOP\Application Data\Macromedia\Flash Player\#SharedObjects\K88BX57G\void.snocap.com\s
Status: Size mismatch (API: 182656, Raw: 0)

Path: C:\Documents and Settings\Kevin.DESKTOP\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
Status: Size mismatch (API: 182656, Raw: 0)

Processes
-------------------
Path: C:\WINDOWS\system32\msdvdr.pif
PID: 1800 Status: Hidden from the Windows API!

SSDT
-------------------
ServiceTable Hooked [0x88932f20]!

#: 025 Function Name: NtClose
Status: Hooked by "a347bus.sys" at address 0xba785028

#: 035 Function Name: NtCreateEvent
Status: Hooked by "C:\WINDOWS\System32\Drivers\Beep.SYS" at address 0xae26e795

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\Beep.SYS" at address 0xae26c785

#: 045 Function Name: NtCreatePagingFile
Status: Hooked by "a347bus.sys" at address 0xba778b00

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "a347bus.sys" at address 0xba7795dc

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "a347bus.sys" at address 0xba785120

#: 116 Function Name: NtOpenFile
Status: Hooked by "a347bus.sys" at address 0xba778b40

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\Beep.SYS" at address 0xae26c845

#: 160 Function Name: NtQueryKey
Status: Hooked by "a347bus.sys" at address 0xba7795fc

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "a347bus.sys" at address 0xba785076

#: 241 Function Name: NtSetSystemPowerState
Status: Hooked by "a347bus.sys" at address 0xba784550

#: 247 Function Name: NtSetValueKey
Status: Hooked by "sptd.sys" at address 0xba7bd148

Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x8806e8e8, TID: 1640]
Process: svchost.exe (PID: 1216) Address: 0x00a51f3c Size: -

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x88b85bf8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x888470e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x888470e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x880dc970 Size: 11

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x888470e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x888470e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x888470e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x888470e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x888470e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x888470e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x888470e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x888470e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x888470e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x888470e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x888470e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x888470e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x888470e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x888470e8 Size: 15

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x888470e8 Size: 15

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE]
Process: System Address: 0x88bd0398 Size: 15

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CLOSE]
Process: System Address: 0x88bd0398 Size: 15

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88bd0398 Size: 15

Object: Hidden Code [Driver: a347scsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x88bd0398 Size: 15

Object: Hidden Code [Driver: a347scsi, IRP_MJ_POWER]
Process: System Address: 0x88bd0398 Size: 15

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x88bd0398 Size: 15

Object: Hidden Code [Driver: a347scsi, IRP_MJ_PNP]
Process: System Address: 0x88bd0398 Size: 15

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x88a06578 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x88b44008 Size: 99

Object: Hidden Code [Driver: Disk, IRP_MJ_CREATE]
Process: System Address: 0x88b85eb0 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_CLOSE]
Process: System Address: 0x88b85eb0 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_READ]
Process: System Address: 0x88b85eb0 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_WRITE]
Process: System Address: 0x88b85eb0 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x88b85eb0 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88b85eb0 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x88b85eb0 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x88b85eb0 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_POWER]
Process: System Address: 0x88b85eb0 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x88b85eb0 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_PNP]
Process: System Address: 0x88b85eb0 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x88bd0808 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x88bd0808 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x88bd0808 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x88bd0808 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x88bd0808 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88bd0808 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x88bd0808 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x88bd0808 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x88bd0808 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x88bd0808 Size: 15

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x88bd0808 Size: 15

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_QUERY_EA]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SET_EA]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SHUTDOWN]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLEANUP]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SET_SECURITY]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SET_QUOTA]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x889edaf0 Size: 99

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x88bd0a40 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x88bd0a40 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x88bd0a40 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x88bd0a40 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x88bd0a40 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x88bd0a40 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x88bd0a40 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x88bd0a40 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x88bd0a40 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x88bd0a40 Size: 15

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x88bd0a40 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x886be6d0 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x886be6d0 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x886be6d0 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x886be6d0 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x886be6d0 Size: 15

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x886be6d0 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLOSE]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x8880e598 Size: 11

Object: Hidden Code [Driver: Rdbss, IRP_MJ_WRITE]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_EA]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_EA]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SHUTDOWN]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLEANUP]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_SECURITY]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_POWER]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_SET_QUOTA]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x87d792d8 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x886cd470 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x880d9e30 Size: 15

Object: Hidden Code [Driver: NpfsЅట卆浲, IRP_MJ_CREATE]
Process: System Address: 0x886b97c8 Size: 15

Object: Hidden Code [Driver: NpfsЅట卆浲, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x886b97c8 Size: 15

Object: Hidden Code [Driver: NpfsЅట卆浲, IRP_MJ_CLOSE]
Process: System Address: 0x886b97c8 Size: 15

Object: Hidden Code [Driver: NpfsЅట卆浲, IRP_MJ_READ]
Process: System Address: 0x8876a158 Size: 11

Object: Hidden Code Hidden Services
-------------------
Service Name: 214068b9
Image Path: C:\WINDOWS\System32\drivers\214068b9.sys

Service Name: 2164cb8c
Image Path: C:\WINDOWS\System32\drivers\2164cb8c.sys

Service Name: 648257fa
Image Path: C:\WINDOWS\System32\drivers\648257fa.sys

Service Name: dlhkzrpqqdaonbu
Image Path: C:\WINDOWS\system32\drivers\asstfz.sys

Service Name: mbamswissarmy
Image Path: C:\WINDOWS\system32\drivers\mbamswissarmy.sys

==EOF==
Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.19 -
AhnLab-V3 5.0.0.2 2009.10.17 -
AntiVir 7.9.1.35 2009.10.18 -
Antiy-AVL 2.0.3.7 2009.10.16 -
Authentium 5.1.2.4 2009.10.18 -
Avast 4.8.1351.0 2009.10.18 -
AVG 8.5.0.420 2009.10.18 -
BitDefender 7.2 2009.10.19 -
CAT-QuickHeal 10.00 2009.10.18 -
ClamAV 0.94.1 2009.10.19 -
Comodo 2653 2009.10.19 -
DrWeb 5.0.0.12182 2009.10.18 -
eSafe 7.0.17.0 2009.10.18 Win32.Banker
eTrust-Vet None 2009.10.16 -
F-Prot 4.5.1.85 2009.10.18 -
F-Secure 9.0.15300.0 2009.10.16 -
Fortinet 3.120.0.0 2009.10.16 -
GData 19 2009.10.19 -
Ikarus T3.1.1.72.0 2009.10.19 -
Jiangmin 11.0.800 2009.10.19 -
K7AntiVirus 7.10.872 2009.10.16 -
Kaspersky 7.0.0.125 2009.10.19 -
McAfee 5775 2009.10.18 -
McAfee+Artemis 5775 2009.10.18 -
McAfee-GW-Edition 6.8.5 2009.10.19 -
Microsoft 1.5101 2009.10.19 -
NOD32 4520 2009.10.18 -
Norman 6.03.02 2009.10.17 -
nProtect 2009.1.8.0 2009.10.18 -
Panda 10.0.2.2 2009.10.18 -
PCTools 4.4.2.0 2009.10.18 -
Prevx 3.0 2009.10.19 -
Rising 21.52.00.00 2009.10.19 -
Sophos 4.46.0 2009.10.19 -
Sunbelt 3.2.1858.2 2009.10.18 -
Symantec 1.4.4.12 2009.10.19 -
TheHacker 6.5.0.2.046 2009.10.19 -
TrendMicro 8.950.0.1094 2009.10.19 -
VBA32 3.12.10.11 2009.10.18 -
ViRobot 2009.10.19.1991 2009.10.19 -
VirusBuster 4.6.5.0 2009.10.18 -

Additional information
File size: 13312 bytes
MD5   : bf2466b3e18e970d8a976fb95fc1ca85
SHA1  : de5a73cbb5f51f64c53fb4277ef2c23e70db123f
SHA256: f7794b5d12dc5d820a162850f4388e2aa80426ad07cb221799cf941c682ab501
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10014BD
timedatestamp.....: 0x48025186 (Sun Apr 13 20:31:34 2008)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x10D0 0x1200 6.00 7d33d24893e1db0fa0ecbd7a8fa637bd
.data 0x3000 0x6C 0x200 0.20 86a789a893c60d5e207d053188cdc250
.rsrc 0x4000 0x1B30 0x1C00 7.15 54488850c25258396b2c9492c36b0bd5

( 0 imports )


( 0 exports )

TrID : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert: http://www.threatexp...976fb95fc1ca85
ssdeep: 384:ggHUJZXmtGDWkzLWT4a8WfMptsN0BhgO49:338z4zRfMpy0BF4
PEiD : -
PDFiD : ['-', None, None]
RDS : NSRL Reference Data Set
-

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.17 -
AhnLab-V3 5.0.0.2 2009.10.17 -
AntiVir 7.9.1.35 2009.10.16 -
Antiy-AVL 2.0.3.7 2009.10.16 -
Authentium 5.1.2.4 2009.10.17 -
Avast 4.8.1351.0 2009.10.17 -
AVG 8.5.0.420 2009.10.17 -
BitDefender 7.2 2009.10.18 -
CAT-QuickHeal 10.00 2009.10.16 -
ClamAV 0.94.1 2009.10.17 -
Comodo 2637 2009.10.18 -
DrWeb 5.0.0.12182 2009.10.17 -
eSafe 7.0.17.0 2009.10.15 -
eTrust-Vet 35.1.7072 2009.10.16 -
F-Prot 4.5.1.85 2009.10.17 -
F-Secure 9.0.15300.0 2009.10.16 -
Fortinet 3.120.0.0 2009.10.16 -
GData 19 2009.10.18 -
Ikarus T3.1.1.72.0 2009.10.17 -
Jiangmin 11.0.800 2009.10.17 -
K7AntiVirus 7.10.872 2009.10.16 -
Kaspersky 7.0.0.125 2009.10.18 -
McAfee 5774 2009.10.17 -
McAfee+Artemis 5774 2009.10.17 -
McAfee-GW-Edition 6.8.5 2009.10.17 -
Microsoft 1.5101 2009.10.17 -
NOD32 4518 2009.10.17 -
Norman 6.03.02 2009.10.17 -
nProtect 2009.1.8.0 2009.10.17 -
Panda 10.0.2.2 2009.10.17 -
PCTools 4.4.2.0 2009.10.17 -
Rising 21.51.44.00 2009.10.16 -
Sophos 4.46.0 2009.10.17 -
Sunbelt 3.2.1858.2 2009.10.17 -
Symantec 1.4.4.12 2009.10.18 -
TheHacker 6.5.0.2.045 2009.10.17 -
TrendMicro 8.950.0.1094 2009.10.17 -
VBA32 3.12.10.11 2009.10.16 -
ViRobot 2009.10.17.1990 2009.10.17 -
VirusBuster 4.6.5.0 2009.10.17 -

Additional information
File size: 57856 bytes
MD5 : d8e14a61acc1d4a6cd0d38aebac7fa3b
SHA1 : 0e5d1a09a103eae3bd693c7a1c7531fde2e2402b
SHA256: 130d686a220af97ebf33dd481b79990f259b4ee38dd95a35cd3d0f0517790ff0
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x461B
timedatestamp.....: 0x48025CE1 (Sun Apr 13 21:20:01 2008)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xBA70 0xBC00 5.96 d9b4f450aa98b3936118e3a3c42ed657
.data 0xD000 0x13B4 0x1400 2.24 887444c39cada5bd753c428783e0009b
.rsrc 0xF000 0xC68 0xE00 6.18 8b7aa680680d5c40e90647de12607611

( 0 imports )


( 0 exports )

TrID : File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
ThreatExpert: http://www.threatexp...0d38aebac7fa3b
ssdeep: 768:rE4EVpgSavGlAMm1yMvsCeq+H8O+j8f1b1mDV3D+JMG/dXplJigo:agSHlAMmxUC/OUVIrOgo
PEiD : -
RDS : NSRL Reference Data Set
-

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.16 -
AhnLab-V3 5.0.0.2 2009.10.16 -
AntiVir 7.9.1.35 2009.10.16 -
Antiy-AVL 2.0.3.7 2009.10.16 -
Authentium 5.1.2.4 2009.10.17 -
Avast 4.8.1351.0 2009.10.17 -
AVG 8.5.0.420 2009.10.16 -
BitDefender 7.2 2009.10.17 -
CAT-QuickHeal 10.00 2009.10.16 -
ClamAV 0.94.1 2009.10.17 -
Comodo 2627 2009.10.17 -
DrWeb 5.0.0.12182 2009.10.17 -
eSafe 7.0.17.0 2009.10.15 -
eTrust-Vet 35.1.7072 2009.10.16 -
F-Prot 4.5.1.85 2009.10.16 -
F-Secure 9.0.15300.0 2009.10.16 -
Fortinet 3.120.0.0 2009.10.16 -
GData 19 2009.10.17 -
Ikarus T3.1.1.72.0 2009.10.16 -
Jiangmin 11.0.800 2009.10.16 -
K7AntiVirus 7.10.872 2009.10.16 -
Kaspersky 7.0.0.125 2009.10.17 -
McAfee 5773 2009.10.16 -
McAfee+Artemis 5773 2009.10.16 -
McAfee-GW-Edition 6.8.5 2009.10.16 -
Microsoft 1.5101 2009.10.16 -
NOD32 4516 2009.10.17 -
Norman 6.03.02 2009.10.16 -
nProtect 2009.1.8.0 2009.10.17 -
Panda 10.0.2.2 2009.10.16 -
PCTools 4.4.2.0 2009.10.16 -
Prevx 3.0 2009.10.17 -
Rising 21.51.44.00 2009.10.16 -
Sophos 4.46.0 2009.10.17 -
Sunbelt 3.2.1858.2 2009.10.17 -
Symantec 1.4.4.12 2009.10.17 -
TheHacker 6.5.0.2.044 2009.10.17 -
TrendMicro 8.950.0.1094 2009.10.16 -
VBA32 3.12.10.11 2009.10.16 -
ViRobot 2009.10.16.1988 2009.10.16 -
VirusBuster 4.6.5.0 2009.10.16 -
Additional information
File size: 26112 bytes
MD5 : a93aee1928a9d7ce3e16d24ec7380f89
SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
SHA256: 944cd2135e171af338352568aa7fe1b8004733a4281395ad6723e0cf43d5f53f
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x54AD
timedatestamp.....: 0x480251A8 (Sun Apr 13 20:32:08 2008)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x520E 0x5400 5.95 099b53205ad3f1c3b853a5310d08a9b1
.data 0x7000 0x14C 0x200 1.86 0bb948f267e82975313a03d8c0e8a1cf
.rsrc 0x8000 0xB50 0xC00 3.27 bac832e39f87c4f5f640e5d5c6a1c2fc

( 0 imports )


( 0 exports )

TrID : File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
ThreatExpert: http://www.threatexp...e16d24ec7380f89
ssdeep: 768:0RMJi8jDLIDSAaQFxfftjaLacmkLGKOq:0RMJbDMDSA7FxffJaLaSLG9q
PEiD : -
RDS : NSRL Reference Data Set

Antivirus Version Last Update Result
a-squared 4.5.0.41 2009.10.19 -
AhnLab-V3 5.0.0.2 2009.10.17 -
AntiVir 7.9.1.35 2009.10.19 -
Antiy-AVL 2.0.3.7 2009.10.19 -
Authentium 5.1.2.4 2009.10.18 -
Avast 4.8.1351.0 2009.10.18 -
BitDefender 7.2 2009.10.19 -
CAT-QuickHeal 10.00 2009.10.18 -
ClamAV 0.94.1 2009.10.19 -
Comodo 2655 2009.10.19 -
DrWeb 5.0.0.12182 2009.10.19 -
eSafe 7.0.17.0 2009.10.18 -
eTrust-Vet 35.1.7074 2009.10.19 -
F-Prot 4.5.1.85 2009.10.18 -
Fortinet 3.120.0.0 2009.10.19 -
GData 19 2009.10.19 -
Ikarus T3.1.1.72.0 2009.10.19 -
Jiangmin 11.0.800 2009.10.19 -
K7AntiVirus 7.10.872 2009.10.16 -
Kaspersky 7.0.0.125 2009.10.19 -
McAfee 5775 2009.10.18 -
McAfee+Artemis 5775 2009.10.18 -
McAfee-GW-Edition 6.8.5 2009.10.19 -
Microsoft 1.5101 2009.10.19 -
NOD32 4521 2009.10.19 -
Norman 6.03.02 2009.10.17 -
nProtect 2009.1.8.0 2009.10.19 -
Panda 10.0.2.2 2009.10.18 -
PCTools 4.4.2.0 2009.10.18 -
Prevx 3.0 2009.10.19 -
Rising 21.52.03.00 2009.10.19 -
Sophos 4.46.0 2009.10.19 -
Sunbelt 3.2.1858.2 2009.10.18 -
Symantec 1.4.4.12 2009.10.19 -
TheHacker 6.5.0.2.046 2009.10.19 -
TrendMicro 8.950.0.1094 2009.10.19 -
VBA32 3.12.10.11 2009.10.18 -
ViRobot 2009.10.19.1993 2009.10.19 -
VirusBuster 4.6.5.0 2009.10.18 -
Additional information
File size: 14336 bytes
MD5 : 8f078ae4ed187aaabc0a305146de6716
SHA1 : da0ff4006859a7580aba81f486f692dead2014fe
SHA256: 16593943861d03d508f37f60e41240dee14221e76f625835487f73d5010ac18a
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x2509
timedatestamp.....: 0x41107ED6 (Wed Aug 4 08:14:46 2004)
machinetype.......: 0x14C (Intel I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x2C00 0x2C00 6.29 6fc4d075dfb37185ffae8eacb467b822
.data 0x4000 0x1F0 0x200 1.61 553c0ebbbc67abab785f2065a062b522
.rsrc 0x5000 0x418 0x600 2.54 2997285df9158db5a62ffb42a2fd0d07

( 0 imports )


( 0 exports )

TrID : File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
ThreatExpert: http://www.threatexp...c0a305146de6716
ssdeep: 384:cpiRrTp13SkhnRCwOV5JpeLCdw9rDpWCl8CbW:dT/3Ska6Lh8C
PEiD : -
PDFiD : ['-', None, None]
RDS : NSRL Reference Data Set

( Gateway )

Gateway Operating System Windows XP Pro Edition SP2: SVCHOST.EXE, svchost.exe
( Microsoft )

#4 extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • 1,433 posts

Posted 20 October 2009 - 02:12 PM

Hello.

You have several pieces of malware on your system. One of them is a backdoor trojan and infostealer.

Your system is seriously infected. I strongly recommend a format. Please let me know.

Rootkit Threat

Unfortunately, one or more of the identified infections is a Rootkit/backdoor trojan.

IMPORTANT NOTE: Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypass security mechanisms and steal sensitive information, which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read: Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Tell me what you want to do.

With Regards,
Extremeboy
If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

The help you receive here is free. If you wish to show your appreciation, you may wish to Posted Image
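The kernel hooks the post refers to are what the RootRepeal section above lists as "Hidden Code" entries: each names a driver, the IRP major function whose dispatch routine was redirected, and the address and size of the detour. As an added example, not code from this thread or from RootRepeal, the Python script below parses a constructed excerpt of that log (values copied from the posted log, list abbreviated), groups the hooks by driver and detour address, and flags hidden services whose names look generated. The allow-list and the name heuristic in `suspicious_service_names` are assumptions for illustration, not a RootRepeal rule.

```python
import re
from collections import defaultdict

# Constructed sample in the RootRepeal format shown in this thread. Values
# are copied from the posted log; the list is abbreviated.
SAMPLE_LOG = """\
Object: Hidden Code [Driver: Disk, IRP_MJ_CREATE]
Process: System Address: 0x88b85eb0 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_READ]
Process: System Address: 0x88b85eb0 Size: 15

Object: Hidden Code [Driver: Disk, IRP_MJ_WRITE]
Process: System Address: 0x88b85eb0 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_CLOSE]
Process: System Address: 0x880e8a90 Size: 15

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x8880e598 Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x87d792d8 Size: 11

Hidden Services
-------------------
Service Name: 214068b9
Image Path: C:\\WINDOWS\\System32\\drivers\\214068b9.sys

Service Name: dlhkzrpqqdaonbu
Image Path: C:\\WINDOWS\\system32\\drivers\\asstfz.sys

Service Name: mbamswissarmy
Image Path: C:\\WINDOWS\\system32\\drivers\\mbamswissarmy.sys
"""

# One "Hidden Code" entry spans two lines: the object line and the process line.
HOOK_RE = re.compile(
    r"Object: Hidden Code \[Driver: (?P<driver>[^,\]]+), (?P<irp>IRP_MJ_[A-Z_]+)\][ \t]*\n"
    r"Process: (?P<process>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)"
)
SERVICE_RE = re.compile(r"Service Name: (?P<name>\S+)[ \t]*\nImage Path: (?P<path>.+)")


def parse_hooks(text):
    """Return one dict per 'Hidden Code' entry (driver, irp, process, addr, size)."""
    return [
        {
            "driver": m.group("driver"),
            "irp": m.group("irp"),
            "process": m.group("process"),
            "addr": int(m.group("addr"), 16),
            "size": int(m.group("size")),
        }
        for m in HOOK_RE.finditer(text)
    ]


def hooks_by_driver(hooks):
    """Group hooks as {driver: {detour_address: [IRP_MJ_* names]}}.

    Many IRP_MJ_* entries of one driver sharing a single address means the
    driver's dispatch table was redirected wholesale into one detour.
    """
    grouped = defaultdict(lambda: defaultdict(list))
    for h in hooks:
        grouped[h["driver"]][h["addr"]].append(h["irp"])
    return {driver: dict(addrs) for driver, addrs in grouped.items()}


def parse_hidden_services(text):
    """Return [{'name': ..., 'path': ...}] for the 'Hidden Services' section."""
    return [{"name": m.group("name"), "path": m.group("path").strip()}
            for m in SERVICE_RE.finditer(text)]


def suspicious_service_names(services, known_good=("mbamswissarmy",)):
    """Flag hidden services with generated-looking names (heuristic, an assumption).

    Flags an 8-hex-digit service name, or a name that differs from the driver
    file's base name; known_good allow-lists tools the user ran on purpose.
    """
    flagged = []
    for s in services:
        if s["name"] in known_good:
            continue
        base = s["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if re.fullmatch(r"[0-9a-f]{8}", s["name"]) or base.lower() != s["name"].lower():
            flagged.append(s["name"])
    return flagged


def summarize(text):
    """Human-readable triage lines for a RootRepeal hook/service dump."""
    lines = []
    for driver, addrs in hooks_by_driver(parse_hooks(text)).items():
        for addr, irps in addrs.items():
            lines.append(f"{driver}: {len(irps)} IRP handler(s) redirected to {addr:#010x}")
    for name in suspicious_service_names(parse_hidden_services(text)):
        lines.append(f"hidden service with suspicious name: {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Run against the full log posted above, the grouping makes the pattern easy to read: Disk, dmio, Ftdisk, NetBT and USBSTOR each have every hooked IRP function pointing at one address, while Rdbss, MRxSmb and Srv carry a second, smaller (size 11) detour on IRP_MJ_READ only. The hidden services with random hex or nonsense names, and the one whose service name does not match its .sys file, are the entries a responder would pull first for the hash lookups shown later in the thread.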

#5 extremeboy

    Retired WTT Malware Disintegrator Teacher

  • Authentic Member
  • 1,433 posts

Posted 25 October 2009 - 09:12 AM

Due to inactivity this topic will be closed. If you need help please start a new thread.
