
Rogue Security Suite help



Hi to everyone

HP AMD Athlon 64 processor 3200+

1.79 GHz - 960 RAM

O/S Windows XP Home Ed.

Version 2002 SP 3

My system recently got infected with the rogue security suite System Security 2009. I managed to remove it from startup using Windows Defender > Systems Tools > Startup Programs > Remove [whether this was because WD was not on the desktop or startup menu, or just pure luck, as all apps would either not respond or would be identified as a virus infection]. WD scan would not respond.

At that time I was using Virgin Media's PC Guard suite with MBAM[free version] and Windows Defender.

Got a link to your site and used the "mbam won't run" fix. Ran MBAM, which deleted many Trojans, password stealers and other malware from my system [I still have the logs if you need them]. So many thanks and kudos to your staff.

I also used RootRepeal, which deleted the hjgrui........sys file.

I'm now using Online Armour 3.5 [free version], Windows Live OneCare and MBAM [free version] as protection.

I'm almost sure my system is still infected and would greatly appreciate any help or suggestions.

Apologies for any mistakes I make in the forum, as I'm a noob [if not knob] at this.

My responses to your queries might be slow due to work commitments but I will act on them.

==================================================

Scan Start Time: 2009/07/28 17:35

Program Version: Version 1.3.2.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xF1FB8000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xF7AF2000 Size: 8192 File Visible: No Signed: -

Status: -

Name: PCI_PNP9736

Image Path: \Driver\PCI_PNP9736

Address: 0x00000000 Size: 0 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xEEF06000 Size: 49152 File Visible: No Signed: -

Status: -

Name: spjs.sys

Image Path: spjs.sys

Address: 0xF73AF000 Size: 1048576 File Visible: No Signed: -

Status: -

Name: sptd

Image Path: \Driver\sptd

Address: 0x00000000 Size: 0 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\hiberfil.sys

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Desktop\mbam-setup.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}

Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\HP_Owner\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ

Status: Locked to the Windows API!

Path: C:\Documents and Settings\HP_Owner\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ

Status: Locked to the Windows API!

Path: C:\Documents and Settings\All Users\Documents\BL DOWNloads\BL stuff\music\Frou Frou - Discography\Releases\Frou Frou - It's Good To Be In Love (Single) (2004)\Frou Frou - It's Good To Be In Love (Single) - 02 - It's Good To Be In Love (DJ J. Cornetto Remix).mp3

Status: Locked to the Windows API!

SSDT

-------------------

#: 017 Function Name: NtAllocateVirtualMemory

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cce60

#: 019 Function Name: NtAssignProcessToJobObject

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cd5c0

#: 031 Function Name: NtConnectPort

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cb610

#: 037 Function Name: NtCreateFile

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20da0d0

#: 041 Function Name: NtCreateKey

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20d8430

#: 046 Function Name: NtCreatePort

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cb2c0

#: 047 Function Name: NtCreateProcess

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20c8580

#: 048 Function Name: NtCreateProcessEx

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20c8960

#: 050 Function Name: NtCreateSection

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20c8060

#: 053 Function Name: NtCreateThread

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20c9a40

#: 057 Function Name: NtDebugActiveProcess

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20ca5a0

#: 062 Function Name: NtDeleteFile

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20dab50

#: 063 Function Name: NtDeleteKey

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20d89e0

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20d9330

#: 068 Function Name: NtDuplicateObject

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cafe0

#: 071 Function Name: NtEnumerateKey

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20da070

#: 073 Function Name: NtEnumerateValueKey

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20da0a0

#: 097 Function Name: NtLoadDriver

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cc5d0

#: 098 Function Name: NtLoadKey

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20d9780

#: 116 Function Name: NtOpenFile

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20da760

#: 119 Function Name: NtOpenKey

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20d8c20

#: 122 Function Name: NtOpenProcess

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20c9450

#: 125 Function Name: NtOpenSection

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20c8300

#: 128 Function Name: NtOpenThread

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20c9f00

#: 137 Function Name: NtProtectVirtualMemory

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cd250

#: 145 Function Name: NtQueryDirectoryFile

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cca10

#: 160 Function Name: NtQueryKey

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20da010

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20da040

#: 180 Function Name: NtQueueApcThread

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cd740

#: 193 Function Name: NtReplaceKey

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20d9b20

#: 200 Function Name: NtRequestWaitReplyPort

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cc180

#: 204 Function Name: NtRestoreKey

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20d9d80

#: 206 Function Name: NtResumeThread

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cac90

#: 207 Function Name: NtSaveKey

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20d9ff0

#: 210 Function Name: NtSecureConnectPort

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cb9d0

#: 213 Function Name: NtSetContextThread

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20ca3c0

#: 224 Function Name: NtSetInformationFile

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20dae10

#: 240 Function Name: NtSetSystemInformation

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20ca720

#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20d8c40

#: 249 Function Name: NtShutdownSystem

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cc4d0

#: 253 Function Name: NtSuspendProcess

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cae40

#: 254 Function Name: NtSuspendThread

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20caac0

#: 255 Function Name: NtSystemDebugControl

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20ca900

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20c9800

#: 258 Function Name: NtTerminateThread

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20ca1a0

#: 262 Function Name: NtUnloadDriver

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cc7f0

#: 277 Function Name: NtWriteVirtualMemory

Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cd400

Stealth Objects

-------------------

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_CREATE]

Process: System Address: 0x85e91500 Address: 121

Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_CLOSE]

Process: System Address: 0x85e91500 Address: 121

Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85e91500 Address: 121

Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_POWER]

Process: System Address: 0x85e91500 Address: 121

Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x85e91500 Address: 121

Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_PNP]

Process: System Address: 0x85e91500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: prodrv06Ѕఐ卆浩, IRP_MJ_CREATE]

Process: System Address: 0xe1ec8910 Address: 1776

Object: Hidden Code [Driver: prodrv06Ѕఐ卆浩, IRP_MJ_CLOSE]

Process: System Address: 0xe1ec8910 Address: 1776

Object: Hidden Code [Driver: prodrv06Ѕఐ卆浩, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0xe1ec8910 Address: 1776

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]

Process: System Address: 0x85f7a1f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]

Process: System Address: 0x85f7a1f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85f7a1f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x85f7a1f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]

Process: System Address: 0x85f7a1f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x85f7a1f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]

Process: System Address: 0x85f7a1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: prohlp02, IRP_MJ_CREATE]

Process: System Address: 0xe19e8080 Address: 789

Object: Hidden Code [Driver: prohlp02, IRP_MJ_CLOSE]

Process: System Address: 0xe19e8080 Address: 789

Object: Hidden Code [Driver: prohlp02, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0xe19e8080 Address: 789

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]

Process: System Address: 0x85c991f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]

Process: System Address: 0x85c991f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85c991f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x85c991f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]

Process: System Address: 0x85c991f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]

Process: System Address: 0x85c991f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]

Process: System Address: 0x85ef31f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]

Process: System Address: 0x85ef31f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85ef31f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x85ef31f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]

Process: System Address: 0x85ef31f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x85ef31f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]

Process: System Address: 0x85ef31f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]

Process: System Address: 0x8593e1f8 Address: 121

==EOF==

Database version: 2513

Windows 5.1.2600 Service Pack 3

28/07/2009 14:36:15

mbam-log-2009-07-28 (14-36-15).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 191241

Time elapsed: 1 hour(s), 17 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]

Process: System Address: 0x8636b1f8 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]

Process: System Address: 0x85d18500 Address: 121

Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_CREATE]

Process: System Address: 0x85e91500 Address: 121

Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_CLOSE]

Process: System Address: 0x85e91500 Address: 121

Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85e91500 Address: 121

Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_POWER]

Process: System Address: 0x85e91500 Address: 121

Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x85e91500 Address: 121

Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_PNP]

Process: System Address: 0x85e91500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]

Process: System Address: 0x85f76500 Address: 121

Object: Hidden Code [Driver: prodrv06Ѕఐ卆浩, IRP_MJ_CREATE]

Process: System Address: 0xe1ec8910 Address: 1776

Object: Hidden Code [Driver: prodrv06Ѕఐ卆浩, IRP_MJ_CLOSE]

Process: System Address: 0xe1ec8910 Address: 1776

Object: Hidden Code [Driver: prodrv06Ѕఐ卆浩, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0xe1ec8910 Address: 1776

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]

Process: System Address: 0x85f7a1f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]

Process: System Address: 0x85f7a1f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85f7a1f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x85f7a1f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]

Process: System Address: 0x85f7a1f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x85f7a1f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]

Process: System Address: 0x85f7a1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]

Process: System Address: 0x863da1f8 Address: 121

Object: Hidden Code [Driver: prohlp02, IRP_MJ_CREATE]

Process: System Address: 0xe19e8080 Address: 789

Object: Hidden Code [Driver: prohlp02, IRP_MJ_CLOSE]

Process: System Address: 0xe19e8080 Address: 789

Object: Hidden Code [Driver: prohlp02, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0xe19e8080 Address: 789

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]

Process: System Address: 0x85c991f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]

Process: System Address: 0x85c991f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85c991f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x85c991f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]

Process: System Address: 0x85c991f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]

Process: System Address: 0x85c991f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]

Process: System Address: 0x85ef31f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]

Process: System Address: 0x85ef31f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x85ef31f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x85ef31f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]

Process: System Address: 0x85ef31f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x85ef31f8 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]

Process: System Address: 0x85ef31f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]

Process: System Address: 0x8593e1f8 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]

Process: System Address: 0x8593e1f8 Address: 121

==EOF==

Database version: 2513

Windows 5.1.2600 Service Pack 3

28/07/2009 14:36:15

mbam-log-2009-07-28 (14-36-15).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 191241

Time elapsed: 1 hour(s), 17 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Sorry for the mistake with the RootRepeal log: too much caffeine and nicotine, not enough sleep.

Logs as requested.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:19:38, on 28/07/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Tall Emu\Online Armor\OAcat.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe

C:\Program Files\Microsoft Windows OneCare Live\winss.exe

C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\blueyonder IST\bin\mpbtn.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.download.microsoft.com

O15 - Trusted Zone: http://*.update.microsoft.com

O15 - Trusted Zone: http://*.windowsupdate.com

O15 - Trusted Zone: http://*.windowsupdate.microsoft.com

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1228501487328

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1228503515171

O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/fi...tivePreQual.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - AppInit_DLLs:

O20 - Winlogon Notify: qoMGvVnL - qoMGvVnL.dll (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Network Connections Logs (Netlogs) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)

O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)

O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--

End of file - 6306 bytes

Malwarebytes' Anti-Malware 1.39

Database version: 2513

Windows 5.1.2600 Service Pack 3

28/07/2009 14:36:15

mbam-log-2009-07-28 (14-36-15).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 191241

Time elapsed: 1 hour(s), 17 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

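The script below is an added example for readers of this thread; it is not part of the original posts and is not code from RootRepeal, HijackThis or Malwarebytes. It parses the three log formats posted above (the "Hooked by" SSDT lines, the "Hidden Code [Driver: X, IRP_MJ_Y]" lines, and HijackThis O20/O23 lines) and pulls out what a helper reads first: which module installed the SSDT hooks and whether that module is one expected on the box (the KNOWN_HOOKERS set is an assumption that OADriver.sys belongs to Online Armor, which the poster says is installed), driver names that RootRepeal printed with non-ASCII characters, and O20/O23 entries with an unknown owner or a file reported missing. The sample lines are copied from this page; the classification rules are the editor's triage heuristics, not verdicts from any of those tools.

```python
"""Triage helper for the RootRepeal and HijackThis log formats posted above.

Added example, not part of the original thread and not code from RootRepeal,
HijackThis or Malwarebytes. Everything it flags is a helper's heuristic.
"""
import re
from collections import defaultdict

SSDT_RE = re.compile(r'^#: (\d+) Function Name: (\w+)$')
HOOK_RE = re.compile(r'^Status: Hooked by "([^"]+)" at address (0x[0-9a-f]+)$')
IRP_RE = re.compile(r'^Object: Hidden Code \[Driver: (.+?), (IRP_MJ_\w+)\]$')
HJT_O23_RE = re.compile(r'^O23 - Service: (.+?) - (.+?) - (.+)$')
HJT_O20_RE = re.compile(r'^O20 - Winlogon Notify: (\S+) - (.+)$')

# Assumption: OADriver.sys is Online Armor's driver (the poster says Online
# Armor is installed), so its SSDT hooks are expected. Any other module
# hooking the SSDT should be explained before the box is called clean.
KNOWN_HOOKERS = {'oadriver.sys'}


def parse_rootrepeal(text):
    """Return (ssdt_hooks, irp_hooks) from a RootRepeal report.

    ssdt_hooks: list of (index, function, hooking module, address)
    irp_hooks:  dict driver name -> list of hooked IRP_MJ_* dispatch entries
    """
    ssdt, irp, pending = [], defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SSDT_RE.match(line)
        if m:                                  # "#: 257 Function Name: ..."
            pending = (int(m.group(1)), m.group(2))
            continue
        if line.startswith('Status:'):         # follows a "#:" entry
            m = HOOK_RE.match(line)
            if m and pending:
                ssdt.append((*pending, m.group(1), m.group(2)))
            pending = None                     # "Status: -" means not hooked
            continue
        m = IRP_RE.match(line)
        if m:
            irp[m.group(1)].append(m.group(2))
    return ssdt, dict(irp)


def suspicious_driver_name(name):
    """True if a driver name is not plain printable ASCII.

    RootRepeal printed two names on this page with trailing non-ASCII
    characters ('avbmrgd2...' and 'prodrv06...'). Such a name deserves a
    look; this is a triage heuristic, not evidence of malice by itself.
    """
    return not all(32 <= ord(c) < 127 for c in name)


def summarise_ssdt(ssdt):
    """Group SSDT hooks by hooking module; mark modules on the known list."""
    by_module = defaultdict(list)
    for _idx, func, module, _addr in ssdt:
        by_module[module].append(func)
    return {m: {'functions': f,
                'known': m.rsplit('\\', 1)[-1].lower() in KNOWN_HOOKERS}
            for m, f in by_module.items()}


def parse_hijackthis(text):
    """Return O20/O23 entries a helper would ask about: services with no
    identifiable owner, and entries whose file is reported missing (a
    registration left behind after the file itself was removed)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = HJT_O23_RE.match(line)
        if m:
            name, owner, path = m.groups()
            missing = path.endswith('(file missing)')
            if owner == 'Unknown owner' or missing:
                findings.append(('O23', name, owner, missing))
            continue
        m = HJT_O20_RE.match(line)
        if m:
            findings.append(('O20', m.group(1), '', '(file missing)' in m.group(2)))
    return findings


def triage(rootrepeal_text, hjt_text):
    ssdt, irp = parse_rootrepeal(rootrepeal_text)
    return {'ssdt_by_module': summarise_ssdt(ssdt),
            'odd_driver_names': sorted(d for d in irp if suspicious_driver_name(d)),
            'hjt_findings': parse_hijackthis(hjt_text)}


# Constructed sample: a handful of lines copied from the logs on this page.
SAMPLE_ROOTREPEAL = r"""
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20c9800
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cd400
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_CREATE]
Process: System Address: 0x85e91500 Address: 121
"""
SAMPLE_HJT = r"""
O20 - Winlogon Notify: qoMGvVnL - qoMGvVnL.dll (file missing)
O23 - Service: Network Connections Logs (Netlogs) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

if __name__ == '__main__':
    import pprint
    pprint.pprint(triage(SAMPLE_ROOTREPEAL, SAMPLE_HJT))
```

Run it as a script to print the summary for the sample, or import it and call triage() on the full text of the two logs. Hooks from a firewall/HIPS such as Online Armor are expected; the point of grouping by hooking module is to make an unexpected hooker, or a driver name that does not decode cleanly, stand out from a long wall of entries, and the HijackThis pass collects the orphaned registrations a helper would normally ask to have removed.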

Sorry for the delay

Welcome to Malwarebytes!!!!

We need to see some additional information about what is happening in your machine.

Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.

  • Double click on the DDS icon, allow it to run.

  • A small box will open, with an explanation about the tool.

  • When done, DDS will open two (2) logs:

    1. DDS.txt

    2. Attach.txt

  • Save both reports to your desktop.

  • The instructions here ask you to attach the Attach.txt.

  • Instead of attaching, please copy/paste both logs into your next reply.

  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.

After downloading the tool, disconnect from the internet and disable all antivirus protection.

Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
