Geeks to Go Forums: webpage redirect, linked to njg.exe [Solved] - Geeks to Go Forums

webpage redirect, linked to njg.exe [Solved] Malware

#46 User is offline   serpntene 

  • Member
  • Group: Member
  • Posts: 60
  • Joined: 02-January 10
  • Operating System:winxp

Posted 07 February 2010 - 02:49 PM

I can't seem to find my upload post or any thread started by me at spykiller. Should I just start a new topic again?

Also, just got another popup. I spoke too soon.

This post has been edited by serpntene: 07 February 2010 - 02:54 PM

0

#47 User is offline   JSntgRvr 

  • Global Moderator
  • Group: Global Moderator
  • Posts: 8,016
  • Joined: 30-November 05
  • Location:Puerto Rico
  • Operating System:Windows XP, VISTA Home Premium

Posted 07 February 2010 - 03:09 PM

serpntene, on Feb 7 2010, 04:49 PM, said:

I can't seem to find my upload post or any thread started by me at spykiller. Should I just start a new topic again?

Also, just got another popup. I spoke too soon.

I removed the last one. The files were clean.
0

#48 User is offline   JSntgRvr 

  • Global Moderator
  • Group: Global Moderator
  • Posts: 8,016
  • Joined: 30-November 05
  • Location:Puerto Rico
  • Operating System:Windows XP, VISTA Home Premium

Posted 07 February 2010 - 03:12 PM

Send me a screen shot of that popup page.

  • You can do this by pressing the PrintScreen key.
  • Then go to Start > All Programs > Accessories > Paint
  • In Paint, go up to Edit > Paste
  • Then Go up to File > Save As. Click the drop-down box to change the "Save As Type" to "JPEG", name it what you want, and save it on the desktop.
  • Then click Add Reply in this topic.
  • Scroll down to Attachments
  • Click the Browse button.
  • Locate the file you just saved, click on it, then click Open.
  • Upload the file
  • Click Manage Current Attachment and click on the green option.
  • Add a Reply

This post has been edited by JSntgRvr: 07 February 2010 - 03:14 PM

0

#49 User is offline   serpntene 

  • Member
  • Group: Member
  • Posts: 60
  • Joined: 02-January 10
  • Operating System:winxp

Posted 07 February 2010 - 05:14 PM

I cannot download the utility to the infected computer. Should I try downloading from a clean one to a flash drive or disc?

The popup page is blank but if another one comes up I will get a screen of it for you.

This post has been edited by serpntene: 07 February 2010 - 05:15 PM

0

#50 User is offline   serpntene 

  • Member
  • Group: Member
  • Posts: 60
  • Joined: 02-January 10
  • Operating System:winxp

Posted 07 February 2010 - 06:47 PM

This is a screen of a redirect even though it's labeled popup. I was on a music search engine and got sent here instead of to the website's database.

Four attempts to upload the file have failed. Would you like the url?

This post has been edited by serpntene: 07 February 2010 - 06:58 PM

0

#51 User is offline   JSntgRvr 

  • Global Moderator
  • Group: Global Moderator
  • Posts: 8,016
  • Joined: 30-November 05
  • Location:Puerto Rico
  • Operating System:Windows XP, VISTA Home Premium

Posted 07 February 2010 - 08:33 PM

serpntene, on Feb 7 2010, 08:47 PM, said:

This is a screen of a redirect even though it's labeled popup. I was on a music search engine and got sent here instead of to the website's database.

Four attempts to upload the file have failed. Would you like the url?

Delete that file.

C:\Plugins

Transfer mbam-clean.exe once you have removed Malwarebytes Anti-malware and try to reinstall.
0

#52 User is offline   serpntene 

  • Member
  • Group: Member
  • Posts: 60
  • Joined: 02-January 10
  • Operating System:winxp

Posted 07 February 2010 - 09:00 PM

File deleted. Mbam uninstalled completely. Still unable to download mbam clean. I tried before and after a reboot.
0

#53 User is offline   JSntgRvr 

  • Global Moderator
  • Group: Global Moderator
  • Posts: 8,016
  • Joined: 30-November 05
  • Location:Puerto Rico
  • Operating System:Windows XP, VISTA Home Premium

Posted 07 February 2010 - 09:11 PM

Hi, :)

Please download MBR.EXE by GMER. Save the file in your Root directory, C:\, then bring your computer to a Command prompt.

Go to Start -> Run, type CMD and click OK. At the prompt type the following and press Enter after each command:

cd C:\
MBR.EXE -t


The program will check the Master Boot Record and will produce a report. Post the contents of that report in your next reply.

Type Exit at the Command prompt and press Enter to return back to Windows.
0

#54 User is offline   serpntene 

  • Member
  • Group: Member
  • Posts: 60
  • Joined: 02-January 10
  • Operating System:winxp

Posted 07 February 2010 - 09:20 PM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spip.sys >>UNKNOWN [0x837CC938]<<
kernel: MBR read successfully
user & kernel MBR OK
0

#55 User is offline   JSntgRvr 

  • Global Moderator
  • Group: Global Moderator
  • Posts: 8,016
  • Joined: 30-November 05
  • Location:Puerto Rico
  • Operating System:Windows XP, VISTA Home Premium

Posted 07 February 2010 - 09:27 PM

Please run the following utility and post the resulting report:

http://noahdfear.net...ds/profiles.exe
0

#56 User is offline   serpntene 

  • Member
  • Group: Member
  • Posts: 60
  • Joined: 02-January 10
  • Operating System:winxp

Posted 07 February 2010 - 09:36 PM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User.WINDOWS
AllUsersProfile REG_SZ All Users.WINDOWS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService.NT AUTHORITY

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService.NT AUTHORITY

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-515967899-1801674531-839522115-1004
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Rebecca Cooper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-515967899-1801674531-839522115-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator.RCOOPER

SystemRoot REG_SZ C:\WINDOWS
0

#57 User is offline   JSntgRvr 

  • Global Moderator
  • Group: Global Moderator
  • Posts: 8,016
  • Joined: 30-November 05
  • Location:Puerto Rico
  • Operating System:Windows XP, VISTA Home Premium

Posted 07 February 2010 - 09:48 PM

There seems to be a rootkit hooking the MBR.

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as Query.bat
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Once saved, double click on the Query.bat file. Post the resulting report.



Quote

@Echo OFF
cd /d %~dp0
sc query type= driver group= "SCSI Miniport" > Logit.txt
Start Logit.txt
Del %0

0

#58 User is offline   JSntgRvr 

  • Global Moderator
  • Group: Global Moderator
  • Posts: 8,016
  • Joined: 30-November 05
  • Location:Puerto Rico
  • Operating System:Windows XP, VISTA Home Premium

Posted 07 February 2010 - 09:59 PM

I am about to log off for the day. Let's attempt to run some rootkit applications:

Please download Rootkit Revealer (It should be part of the Top 10 Downloads list)
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Close ALL windows and programs and do nothing on the pc while the scan runs. This includes games, browser windows, email clients, etc.
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

================================================

  • Download RootRepeal from the following location and save it to your desktop.

  • Extract RootRepeal.exe from the archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

0

#59 User is offline   serpntene 

  • Member
  • Group: Member
  • Posts: 60
  • Joined: 02-January 10
  • Operating System:winxp

Posted 07 February 2010 - 10:38 PM

SERVICE_NAME: atapi
DISPLAY_NAME: Standard IDE/ESDI Hard Disk Controller
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
0

#60 User is offline   serpntene 

  • Member
  • Group: Member
  • Posts: 60
  • Joined: 02-January 10
  • Operating System:winxp

Posted 07 February 2010 - 11:18 PM

Rootkit revealer scan found 24 questionable objects but when I tried to save the text file log, it never appeared on the desktop. I tried a second time, thinking I must have done something wrong, to save it to the desktop and the text file appeared to have already been saved so I rechecked path etc and it was indeed set to save to desktop. It just never appeared ON the desktop even though the save menu showed that it was there.

I rescanned and this time when I chose to save, found the file showing as still there so right clicked and opened it. It is apparently just hidden.


HKU\S-1-5-21-515967899-1801674531-839522115-1004\Console 1/30/2010 7:38 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 3/30/2009 12:04 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 3/30/2009 12:04 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Swearware\backup\winsock2 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 1/30/2010 5:00 PM 0 bytes Security mismatch.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg 2/6/2010 11:20 PM 0 bytes Access is denied.






ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/02/08 00:02
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF32FE000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D8B000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mbr.sys
Image Path: C:\DOCUME~1\REBECC~1\LOCALS~1\Temp\mbr.sys
Address: 0xF7C57000 Size: 20864 File Visible: No Signed: -
Status: -

Name: PCI_PNP2308
Image Path: \Driver\PCI_PNP2308
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: RKREVEAL150.SYS
Image Path: C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS
Address: 0xF7D87000 Size: 4128 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF299E000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spip.sys
Image Path: spip.sys
Address: 0xF772E000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7eaecfe

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xf7eaecf4

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0xf7eaed03

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0xf7eaed0d

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spip.sys" at address 0xf774dca2

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spip.sys" at address 0xf774e030

#: 098 Function Name: NtLoadKey
Status: Hooked by "<unknown>" at address 0xf7eaed12

#: 119 Function Name: NtOpenKey
Status: Hooked by "spip.sys" at address 0xf772f0c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7eaece0

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0xf7eaece5

#: 160 Function Name: NtQueryKey
Status: Hooked by "spip.sys" at address 0xf774e108

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spip.sys" at address 0xf774df88

#: 193 Function Name: NtReplaceKey
Status: Hooked by "<unknown>" at address 0xf7eaed1c

#: 204 Function Name: NtRestoreKey
Status: Hooked by "<unknown>" at address 0xf7eaed17

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0xf7eaed08

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0xf7eaecef

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x835e91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x835e91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x835e91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x835e91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x835e91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x835e91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x835e91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x835e91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x835e91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x835e91f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x835e91f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x836cd1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x836cd1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x836cd1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x836cd1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x836cd1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x836cd1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x836cd1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8378b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8378b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8378b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8378b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8378b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8378b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8378b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8378b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8378b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8378b1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8378b1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x82f5d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x82f5d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82f5d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82f5d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x82f5d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x82f5d1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x835d01f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x835d01f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x835d01f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x835d01f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x835d01f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x835d01f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x835d01f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x82f551f8 Size: 121

Object: Hidden Code [Driver: Cdfs؅䵃慖؁ఇ浍浓絠舸Ā, IRP_MJ_CREATE]
Process: System Address: 0x831b4500 Size: 121

Object: Hidden Code [Driver: Cdfs؅䵃慖؁ఇ浍浓絠舸Ā, IRP_MJ_CLOSE]
Process: System Address: 0x831b4500 Size: 121

Object: Hidden Code [Driver: Cdfs؅䵃慖؁ఇ浍浓絠舸Ā, IRP_MJ_READ]
Process: System Address: 0x831b4500 Size: 121

Object: Hidden Code [Driver: Cdfs؅䵃慖؁ఇ浍浓絠舸Ā, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x831b4500 Size: 121

Object: Hidden Code [Driver: Cdfs؅䵃慖؁ఇ浍浓絠舸Ā, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x831b4500 Size: 121

Object: Hidden Code [Driver: Cdfs؅䵃慖؁ఇ浍浓絠舸Ā, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x831b4500 Size: 121

Object: Hidden Code [Driver: Cdfs؅䵃慖؁ఇ浍浓絠舸Ā, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x831b4500 Size: 121

Object: Hidden Code [Driver: Cdfs؅䵃慖؁ఇ浍浓絠舸Ā, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x831b4500 Size: 121

Object: Hidden Code [Driver: Cdfs؅䵃慖؁ఇ浍浓絠舸Ā, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x831b4500 Size: 121

Object: Hidden Code [Driver: Cdfs؅䵃慖؁ఇ浍浓絠舸Ā, IRP_MJ_SHUTDOWN]
Process: System Address: 0x831b4500 Size: 121

Object: Hidden Code [Driver: Cdfs؅䵃慖؁ఇ浍浓絠舸Ā, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x831b4500 Size: 121

Object: Hidden Code [Driver: Cdfs؅䵃慖؁ఇ浍浓絠舸Ā, IRP_MJ_CLEANUP]
Process: System Address: 0x831b4500 Size: 121

Object: Hidden Code [Driver: Cdfs؅䵃慖؁ఇ浍浓絠舸Ā, IRP_MJ_PNP]
Process: System Address: 0x831b4500 Size: 121

==EOF==

This post has been edited by serpntene: 07 February 2010 - 11:28 PM

0
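An added example, not part of the thread and not code from RootRepeal or its author: one way to triage the RootRepeal log posted above is to group its SSDT hooks by reported owner, check whether each hook address falls inside a driver image listed in the same log, and collapse the Stealth Objects entries per driver and handler address. The embedded excerpt is copied from that log and trimmed; the function names are this example's own.

```python
import re
from collections import defaultdict

# Excerpt copied from the RootRepeal log in the post above, trimmed to a few
# entries per section so the example runs offline.
SAMPLE_LOG = r"""Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF299E000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spip.sys
Image Path: spip.sys
Address: 0xF772E000 Size: 1048576 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0xf7eaecfe

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spip.sys" at address 0xf774dca2

#: 119 Function Name: NtOpenKey
Status: Hooked by "spip.sys" at address 0xf772f0c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xf7eaece0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x837881f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x835e91f8 Size: 121
"""

HEX = r"0x[0-9A-Fa-f]+"
DRIVER_RE = re.compile(rf"^Name: (\S+)\nImage Path: .*\nAddress: ({HEX}) Size: (\d+)", re.M)
HOOK_RE = re.compile(rf'^#: \d+ Function Name: (\w+)\nStatus: Hooked by "([^"]+)" at address ({HEX})', re.M)
STEALTH_RE = re.compile(rf"^Object: Hidden Code \[Driver: ([^,]+), (IRP_MJ_\w+)\]\nProcess: \S+ Address: ({HEX})", re.M)

def parse_drivers(log):
    """Return (name, base, size) for each module in the Drivers section."""
    log = log.replace("\r\n", "\n")  # logs pasted from Windows use CRLF
    return [(n, int(a, 16), int(s)) for n, a, s in DRIVER_RE.findall(log)]

def resolve(addr, drivers):
    """Name of the listed driver whose image range contains addr, else None."""
    for name, base, size in drivers:
        if base <= addr < base + size:
            return name
    return None

def ssdt_hooks(log):
    """Map reported owner -> [(function, hook address, containing listed driver)]."""
    drivers = parse_drivers(log)
    hooks = defaultdict(list)
    for func, owner, addr in HOOK_RE.findall(log.replace("\r\n", "\n")):
        a = int(addr, 16)
        hooks[owner].append((func, a, resolve(a, drivers)))
    return dict(hooks)

def unattributed(log):
    # Caveat: unresolved means "not inside a driver listed in this log",
    # which is a lead for further checking, not a verdict.
    return [f for rows in ssdt_hooks(log).values() for f, _, mod in rows if mod is None]

def stealth_handlers(log):
    """Map (driver, handler address) -> IRP major functions pointing there."""
    groups = defaultdict(list)
    for drv, irp, addr in STEALTH_RE.findall(log.replace("\r\n", "\n")):
        groups[(drv, int(addr, 16))].append(irp)
    return dict(groups)

if __name__ == "__main__":
    print("unattributed SSDT hooks:", unattributed(SAMPLE_LOG))
    print("stealth handlers:", stealth_handlers(SAMPLE_LOG))
```

Run against the full log, the per-driver grouping reduces the long Stealth Objects section to one line per driver and handler address, which is easier to compare between scans.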
