Hi to everyone
HP AMD Athlon 64 processor 3200+
1.79 GHz - 960 RAM
O/S Windows XP Home Ed.
Version 2002 SP 3
My system recently got infected with the rogue security suite System Security 2009. I managed to remove it from start-up using Windows Defender > System Tools > Start-up Programs > Remove [whether this was because WD was not on the desktop or start-up menu, or just pure luck, as all apps would either not respond or would be identified as a virus infection]. The WD scan would not respond.
At that time I was using Virgin Media's PC Guard suite with MBAM [free version] and Windows Defender.
Got a link to your site and used the "MBAM won't run" fix. Ran MBAM, which deleted many Trojans, password stealers and other malware from my system [I still have the logs if you need them]. So many thanks and kudos to your staff.
I also used RootRepeal which deleted the hjgrui........sys file.
I'm now using Online Armour 3.5 [free version], Windows Live OneCare and MBAM [free version] as protection.
I'm almost sure my system is still infected and would greatly appreciate any help or suggestions.
Apologies for any mistakes I make in the forum as I'm a noob [if not knob] at this.
My responses to your queries might be slow due to work commitments but I will act on them.
==================================================
Scan Start Time: 2009/07/28 17:35
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF1FB8000 Size: 98304 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AF2000 Size: 8192 File Visible: No Signed: -
Status: -
Name: PCI_PNP9736
Image Path: \Driver\PCI_PNP9736
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEEF06000 Size: 49152 File Visible: No Signed: -
Status: -
Name: spjs.sys
Image Path: spjs.sys
Address: 0xF73AF000 Size: 1048576 File Visible: No Signed: -
Status: -
Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\Documents and Settings\HP_Owner\Desktop\mbam-setup.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.
Path: C:\Documents and Settings\HP_Owner\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
Status: Locked to the Windows API!
Path: C:\Documents and Settings\HP_Owner\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
Status: Locked to the Windows API!
Path: C:\Documents and Settings\All Users\Documents\BL DOWNloads\BL stuff\music\Frou Frou - Discography\Releases\Frou Frou - It's Good To Be In Love (Single) (2004)\Frou Frou - It's Good To Be In Love (Single) - 02 - It's Good To Be In Love (DJ J. Cornetto Remix).mp3
Status: Locked to the Windows API!
SSDT
-------------------
#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cce60
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cd5c0
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cb610
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20da0d0
#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20d8430
#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cb2c0
#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20c8580
#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20c8960
#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20c8060
#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20c9a40
#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20ca5a0
#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20dab50
#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20d89e0
#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20d9330
#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cafe0
#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20da070
#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20da0a0
#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cc5d0
#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20d9780
#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20da760
#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20d8c20
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20c9450
#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20c8300
#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20c9f00
#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cd250
#: 145 Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cca10
#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20da010
#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20da040
#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cd740
#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20d9b20
#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cc180
#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20d9d80
#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cac90
#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20d9ff0
#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cb9d0
#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20ca3c0
#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20dae10
#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20ca720
#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20d8c40
#: 249 Function Name: NtShutdownSystem
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cc4d0
#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cae40
#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20caac0
#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20ca900
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20c9800
#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20ca1a0
#: 262 Function Name: NtUnloadDriver
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cc7f0
#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20cd400
Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_CREATE]
Process: System Address: 0x85e91500 Address: 121
Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_CLOSE]
Process: System Address: 0x85e91500 Address: 121
Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85e91500 Address: 121
Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_POWER]
Process: System Address: 0x85e91500 Address: 121
Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85e91500 Address: 121
Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_PNP]
Process: System Address: 0x85e91500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: prodrv06Ѕఐ卆浩, IRP_MJ_CREATE]
Process: System Address: 0xe1ec8910 Address: 1776
Object: Hidden Code [Driver: prodrv06Ѕఐ卆浩, IRP_MJ_CLOSE]
Process: System Address: 0xe1ec8910 Address: 1776
Object: Hidden Code [Driver: prodrv06Ѕఐ卆浩, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xe1ec8910 Address: 1776
Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x85f7a1f8 Address: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x85f7a1f8 Address: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85f7a1f8 Address: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85f7a1f8 Address: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x85f7a1f8 Address: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85f7a1f8 Address: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x85f7a1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: prohlp02, IRP_MJ_CREATE]
Process: System Address: 0xe19e8080 Address: 789
Object: Hidden Code [Driver: prohlp02, IRP_MJ_CLOSE]
Process: System Address: 0xe19e8080 Address: 789
Object: Hidden Code [Driver: prohlp02, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xe19e8080 Address: 789
Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x85c991f8 Address: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x85c991f8 Address: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85c991f8 Address: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85c991f8 Address: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x85c991f8 Address: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x85c991f8 Address: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x85ef31f8 Address: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x85ef31f8 Address: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85ef31f8 Address: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85ef31f8 Address: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x85ef31f8 Address: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85ef31f8 Address: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x85ef31f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8593e1f8 Address: 121
==EOF==
Database version: 2513
Windows 5.1.2600 Service Pack 3
28/07/2009 14:36:15
mbam-log-2009-07-28 (14-36-15).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 191241
Time elapsed: 1 hour(s), 17 minute(s), 57 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
#1
Posted 28 July 2009 - 07:57 PM
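A triage helper for a RootRepeal log like the one in this post, added here by the editor (it is not code from the post, the forum staff or the RootRepeal project). It parses the four sections the log shows and summarises which driver owns the SSDT hooks and the patched IRP dispatch entries, flags driver names with non-ASCII characters (the avbmrgd2... and prodrv06... entries above) and hidden paths that name an NTFS alternate data stream. The embedded sample log is constructed from a few lines of the log above; all function names are my own.

```python
"""Triage summary for a RootRepeal 1.3.x log.  Editor's example, not RootRepeal code."""
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the log in the post above.
SAMPLE_LOG = r"""
==================================================
Scan Start Time: 2009/07/28 17:35
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================
Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEEF06000 Size: 49152 File Visible: No Signed: -
Status: -
Name: spjs.sys
Image Path: spjs.sys
Address: 0xF73AF000 Size: 1048576 File Visible: No Signed: -
Status: -
Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!
Path: C:\Documents and Settings\HP_Owner\Desktop\mbam-setup.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.
SSDT
-------------------
#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20da0d0
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf20c9450
Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8636b1f8 Address: 121
Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_CREATE]
Process: System Address: 0x85e91500 Address: 121
==EOF==
"""

SECTIONS = {"Drivers", "Hidden/Locked Files", "SSDT", "Stealth Objects"}
NAME_RE = re.compile(r"^Name: (.+)$")
PATH_RE = re.compile(r"^Path: (.+)$")
SSDT_RE = re.compile(r"^#:\s*(\d+)\s+Function Name:\s*(\S+)")
HOOK_RE = re.compile(r'^Status: Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')
STEALTH_RE = re.compile(r"^Object: Hidden Code \[Driver: (.+?), (IRP_MJ_\w+)\]")


def parse_rootrepeal(text):
    """Walk the log line by line, tracking the current section, and collect records."""
    out = {"drivers": [], "hidden": [], "ssdt": [], "stealth": []}
    section, pending = None, None          # pending = first half of a two-line record
    for line in text.splitlines():
        line = line.strip()
        if line in SECTIONS:
            section, pending = line, None
            continue
        if section == "Drivers" and (m := NAME_RE.match(line)):
            out["drivers"].append(m.group(1))
        elif section == "Hidden/Locked Files":
            if m := PATH_RE.match(line):
                pending = m.group(1)
            elif line.startswith("Status: ") and pending is not None:
                out["hidden"].append((pending, line[len("Status: "):]))
                pending = None
        elif section == "SSDT":
            if m := SSDT_RE.match(line):
                pending = (int(m.group(1)), m.group(2))
            elif (m := HOOK_RE.match(line)) and pending is not None:
                out["ssdt"].append({"index": pending[0], "function": pending[1],
                                    "hooker": m.group(1), "address": m.group(2)})
                pending = None
        elif section == "Stealth Objects" and (m := STEALTH_RE.match(line)):
            out["stealth"].append((m.group(1), m.group(2)))
    return out


def ssdt_hooks_by_driver(parsed):
    """Count SSDT hooks per owning driver.  One product hooking dozens of Nt* services
    is normal for a HIPS/firewall (OADriver.sys matches the Online Armor the poster
    runs); the same pattern from a driver nobody recognises is what needs a look."""
    return Counter(h["hooker"] for h in parsed["ssdt"])


def irp_hooks_by_driver(parsed):
    """Count patched IRP dispatch entries per driver from the Stealth Objects section."""
    return Counter(drv for drv, _ in parsed["stealth"])


def odd_driver_names(parsed):
    """Driver names carrying non-ASCII characters.  In RootRepeal output this is often
    a display artefact (bytes past the end of the name) rather than malware, but it is
    exactly the entry a helper will ask the poster about, so surface it."""
    return sorted({drv for drv, _ in parsed["stealth"] if not drv.isascii()})


def alternate_data_streams(parsed):
    """Hidden/locked paths that name an NTFS alternate data stream: a second ':' after
    the drive letter, like the mbam-setup.exe:{...} entry in the log."""
    return [p for p, _ in parsed["hidden"] if ":" in p[2:]]


if __name__ == "__main__":
    parsed = parse_rootrepeal(SAMPLE_LOG)
    for drv, n in ssdt_hooks_by_driver(parsed).most_common():
        print(f"SSDT: {n} hook(s) owned by {drv}")
    for drv, n in irp_hooks_by_driver(parsed).most_common():
        print(f"IRP : {n} dispatch entr(y/ies) patched in {drv}")
    print("driver names to ask about:", odd_driver_names(parsed))
    print("alternate data streams:", alternate_data_streams(parsed))
```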
#2
Posted 29 July 2009 - 08:40 AM
flipper, on Jul 28 2009, 08:57 PM, said:
Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x85d18500 Address: 121
Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_CREATE]
Process: System Address: 0x85e91500 Address: 121
Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_CLOSE]
Process: System Address: 0x85e91500 Address: 121
Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85e91500 Address: 121
Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_POWER]
Process: System Address: 0x85e91500 Address: 121
Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85e91500 Address: 121
Object: Hidden Code [Driver: avbmrgd2ȅఉ䵃慄歶, IRP_MJ_PNP]
Process: System Address: 0x85e91500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x85f76500 Address: 121
Object: Hidden Code [Driver: prodrv06Ѕఐ卆浩, IRP_MJ_CREATE]
Process: System Address: 0xe1ec8910 Address: 1776
Object: Hidden Code [Driver: prodrv06Ѕఐ卆浩, IRP_MJ_CLOSE]
Process: System Address: 0xe1ec8910 Address: 1776
Object: Hidden Code [Driver: prodrv06Ѕఐ卆浩, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xe1ec8910 Address: 1776
Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x85f7a1f8 Address: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x85f7a1f8 Address: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85f7a1f8 Address: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85f7a1f8 Address: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x85f7a1f8 Address: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85f7a1f8 Address: 121
Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x85f7a1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x863da1f8 Address: 121
Object: Hidden Code [Driver: prohlp02, IRP_MJ_CREATE]
Process: System Address: 0xe19e8080 Address: 789
Object: Hidden Code [Driver: prohlp02, IRP_MJ_CLOSE]
Process: System Address: 0xe19e8080 Address: 789
Object: Hidden Code [Driver: prohlp02, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xe19e8080 Address: 789
Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x85c991f8 Address: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x85c991f8 Address: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85c991f8 Address: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85c991f8 Address: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x85c991f8 Address: 121
Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x85c991f8 Address: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x85ef31f8 Address: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x85ef31f8 Address: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85ef31f8 Address: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85ef31f8 Address: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x85ef31f8 Address: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85ef31f8 Address: 121
Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x85ef31f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8593e1f8 Address: 121
==EOF==
Database version: 2513
Windows 5.1.2600 Service Pack 3
28/07/2009 14:36:15
mbam-log-2009-07-28 (14-36-15).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 191241
Time elapsed: 1 hour(s), 17 minute(s), 57 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8593e1f8 Address: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8593e1f8 Address: 121
==EOF==
Database version: 2513
Windows 5.1.2600 Service Pack 3
28/07/2009 14:36:15
mbam-log-2009-07-28 (14-36-15).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 191241
Time elapsed: 1 hour(s), 17 minute(s), 57 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Sorry for the mistake with the RootRepeal log. Too much caffeine and nicotine, not enough sleep.
Logs as requested.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:19:38, on 28/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\RunServices: [Task Manager] stmhost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [jurubeyabo] Rundll32.exe "C:\WINDOWS\system32\nivunaso.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\blueyonder-istconfig.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.download.microsoft.com
O15 - Trusted Zone: http://*.update.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1228501487328
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1228503515171
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.blueyonder.co.uk/assets/tool/fi...tivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: qoMGvVnL - qoMGvVnL.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Network Connections Logs (Netlogs) - Unknown owner - C:\WINDOWS\system32\perfs.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
--
End of file - 6306 bytes
#3
Posted 31 July 2009 - 04:22 PM
Sorry for the delay
Welcome to Malwarebytes !!!!
We need to see some additional information about what is happening in your machine.
Please perform the following scan:
- Download DDS by sUBs from one of the following links. Save it to your desktop.
- Double click on the DDS icon and allow it to run.
- A small box will open, with an explanation about the tool.
- When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt
- Save both reports to your desktop.
- The instructions here ask you to attach the Attach.txt.
- Instead of attaching, please copy/paste both logs into your next reply.
- Close the program window, and delete the program from your desktop.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE
Microsoft Valuable Professional---MVP Consumer Security 2007-2010
Windows 7 Ultimate 64bit
Gigabyte P55A-UD4P Motherboard, Intel i5 750, G.SKILL Ripjaws Series 4GB DDR3 1333, 1TB WD 32mb cache
60gb OCZ Vertex Turbo SSD (BOOT drive), Noctua NH-U12P SE2 Heatsink, Antec P183 Case