
Author Topic: sound and video jittery- suspected malware??  (Read 14242 times)


random bits

    Topic Starter


    Rookie

    • Experience: Beginner
    • OS: Unknown
    sound and video jittery- suspected malware??
    « on: June 24, 2011, 10:10:22 AM »
    Hi there, I came across these forums when I googled the problems on my laptop. I cannot play any videos or music as they are jittery and slow motion in ANY player. I have followed the required steps and the logs are attached below.
    Any help would be appreciated as the kids mainly use the laptop for videos etc.

    [recovering disk space - old attachment deleted by admin]

    SuperDave

    • Malware Removal Specialist


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: sound and video jittery- suspected malware??
    « Reply #1 on: June 24, 2011, 04:24:55 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *****************************************************
    Please do not attach your logs unless absolutely necessary. Copy and paste them in your reply(ies)

    P2P - I see you have P2P software installed on your machine (uTorrent). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
    ************************************************
    This next scanner, ComboFix, will not run with AVG on your computer. You can uninstall it and re-install it after the scan is completed or you can download and install one of the other free AV programs from the list below. You're better off removing AVG altogether because it is a resource hog. My preference would be Microsoft Security Essentials.

    Remember to only install one antivirus!
     
    1) Avast! Home Edition
    2) AVG Free Edition
    3) Avira AntiVir Personal
    4) Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
    4-a) Microsoft Security Essentials for Windows XP
    5) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
    6) PC Tools AntiVirus Free Edition

    It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
    ******************************************************
    Please download ComboFix from BleepingComputer.com

    Alternate link: GeeksToGo.com

    and save it to your Desktop.
    It would be easiest to download using Internet Explorer.
    If you insist on using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
    Double click ComboFix.exe & follow the prompts.
    As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


    Click on Yes, to continue scanning for malware.
    When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

    If you have problems with ComboFix usage, see How to use ComboFix
    Windows 8 and Windows 10 dual boot with two SSD's

    random bits

      Re: sound and video jittery- suspected malware??
      « Reply #2 on: June 26, 2011, 09:37:15 AM »
      Hi Dave, thank you for your help. I have uninstalled AVG and installed Comodo.
      Scan results from ComboFix are:

      ComboFix 11-06-25.05 - Emma 26/06/2011  13:02:59.1.1 - x86
      Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.1790.1336 [GMT 1:00]
      Running from: c:\documents and settings\Emma\My Documents\Downloads\ComboFix.exe
      .
      .
      (((((((((((((((((((((((((   Files Created from 2011-05-26 to 2011-06-26  )))))))))))))))))))))))))))))))
      .
      .
      2011-06-24 15:56 . 2011-06-24 15:56   388096   ----a-r-   c:\documents and settings\Emma\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
      2011-06-24 15:56 . 2011-06-24 15:56   --------   d-----w-   c:\program files\trendmicro
      2011-06-24 13:31 . 2011-06-24 13:31   --------   d-----w-   c:\documents and settings\Emma\Application Data\SUPERAntiSpyware.com
      2011-06-24 13:31 . 2011-06-24 13:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
      2011-06-24 13:28 . 2011-06-24 13:31   --------   d-----w-   c:\program files\SUPERAntiSpyware
      2011-06-24 12:54 . 2011-06-24 12:54   --------   d-----w-   c:\program files\CCleaner
      2011-06-24 12:10 . 2011-06-24 12:10   --------   d-----w-   c:\program files\Common Files\Java
      2011-06-24 11:56 . 2011-06-24 11:54   476904   ----a-w-   c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
      2011-06-24 11:56 . 2011-06-24 11:54   73728   ----a-w-   c:\windows\system32\javacpl.cpl
      2011-06-24 11:56 . 2011-06-24 11:54   472808   ----a-w-   c:\windows\system32\deployJava1.dll
      2011-06-24 11:53 . 2011-06-24 11:53   --------   d-----w-   c:\program files\Java
      2011-06-24 11:35 . 2011-06-24 11:35   --------   d-----w-   c:\documents and settings\Emma\Application Data\Malwarebytes
      2011-06-24 11:32 . 2011-05-29 08:11   39984   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
      2011-06-24 11:32 . 2011-06-24 11:32   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
      2011-06-24 11:32 . 2011-05-29 08:11   22712   ----a-w-   c:\windows\system32\drivers\mbam.sys
      2011-06-24 11:32 . 2011-06-24 11:32   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
      2011-06-22 22:08 . 2011-06-22 22:08   404640   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
      2011-06-18 20:12 . 2011-06-18 20:12   --------   d-----w-   c:\program files\Audible
      2011-06-18 09:09 . 2011-06-18 09:10   --------   d-----w-   c:\program files\Astro Avenger 2
      2011-06-10 23:46 . 2011-06-11 07:06   --------   d-----w-   c:\documents and settings\Emma\Application Data\skypePM
      2011-06-10 23:46 . 2011-06-10 23:46   --------   d-----w-   c:\documents and settings\All Users\Application Data\Skype Extras
      2011-06-10 23:45 . 2011-06-11 09:53   --------   d-----w-   c:\documents and settings\Emma\Application Data\Skype
      2011-06-10 23:44 . 2011-06-11 09:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\Skype
      2011-06-06 21:04 . 2011-06-06 21:04   --------   d-----w-   c:\program files\Microsoft Silverlight
      2011-06-06 16:27 . 2011-06-06 16:27   --------   d-----w-   c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
      .
      .
      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2011-04-22 10:33 . 2011-04-22 10:29   43520   ----a-w-   c:\windows\system32\CmdLineExt03.dll
      .
      .
      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4
      .
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-12-26 396152]
      .
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-07-29 98304]
      "RTHDCPL"="RTHDCPL.EXE" [2009-07-28 18671104]
      "TWebCamera"="c:\program files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" [2009-08-29 2446648]
      "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
      "HideFastUserSwitching"= 0 (0x0)
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
      "EnableShellExecuteHooks"= 1 (0x1)
      .
      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2009-09-03 22:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
      .
      [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Audible Download Manager.lnk]
      path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Audible Download Manager.lnk
      backup=c:\windows\pss\Audible Download Manager.lnkCommon Startup
      .
      [HKLM\~\startupfolder\C:^Documents and Settings^Emma^Start Menu^Programs^Startup^MagicDisc.lnk]
      path=c:\documents and settings\Emma\Start Menu\Programs\Startup\MagicDisc.lnk
      backup=c:\windows\pss\MagicDisc.lnkStartup
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
      2009-11-15 09:42   33120   ----a-w-   c:\program files\Alcohol Soft\Alcohol 120\AxAutoMntSrv.exe
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
      2010-03-13 14:54   91520   ----a-w-   c:\program files\Microsoft Office\Office14\BCSSync.exe
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
      2008-04-14 05:42   110592   ----a-w-   c:\windows\system32\bthprops.cpl
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveDiscoveryMemoryResident]
      2007-01-12 15:16   462848   ----a-w-   c:\program files\NotsoSoftware\DriveDiscovery\NSSMR.exe
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
      2009-10-23 18:34   827904   ----a-w-   c:\program files\dvd43\DVD43_Tray.exe
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
      2010-12-13 17:16   421160   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
      2010-11-29 17:38   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
      .
      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
      "c:\\Program Files\\uTorrent\\uTorrent.exe"=
      "c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
      "c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
      "c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
      "c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
      "c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
      "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
      "c:\\Program Files\\iTunes\\iTunes.exe"=
      "c:\\Program Files\\EasyBits For Kids\\Programs\\My First Browser\\MyFirstBrowser.exe"=
      "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
      "c:\\Program Files\\Spotify\\spotify.exe"=
      .
      R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [04/02/2011 10:16 697328]
      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
      R2 ezSharedSvc;Easybits Services for Windows;c:\windows\System32\ezSharedSvcHost.exe [10/02/2011 17:36 514232]
      R3 PGEffect;Pangu effect driver;c:\windows\system32\drivers\PGEffect.sys [29/12/2010 10:20 24064]
      S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [24/12/2010 20:14 136176]
      S2 KMService;KMService;c:\windows\system32\srvany.exe [29/12/2010 15:14 8192]
      S2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe --> c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [?]
      S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [20/12/2010 16:31 1684736]
      S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [09/05/2011 12:00 13192]
      S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [09/05/2011 12:00 8456]
      S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [24/12/2010 20:14 136176]
      S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [24/06/2011 12:32 39984]
      S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 11:25 30969208]
      S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 22:37 4640000]
      S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [20/12/2010 16:32 165888]
      S3 RTL8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [20/12/2010 17:01 869920]
      S3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
      .
      [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A8D647C8-65AC-409F-B7B2-3C0FEE1A32F2}]
      2010-02-16 19:02   114688   ----a-w-   c:\program files\PixiePack Codec Pack\InstallerHelper.exe
      .
      Contents of the 'Scheduled Tasks' folder
      .
      2011-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 19:14]
      .
      2011-06-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
      - c:\program files\Google\Update\GoogleUpdate.exe [2010-12-24 19:14]
      .
      .
      ------- Supplementary Scan -------
      .
      uInternet Settings,ProxyOverride = *.local
      IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
      IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
      FF - ProfilePath - c:\documents and settings\Emma\Application Data\Mozilla\Firefox\Profiles\o3q00d4i.default\
      FF - prefs.js: browser.startup.homepage - hxxps://www.quidco.com/home/
      FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
      FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
      FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
      FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
      FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
      FF - Ext: Password Exporter: {B17C1C5A-04B1-11DB-9804-B622A1EF5492} - %profile%\extensions\{B17C1C5A-04B1-11DB-9804-B622A1EF5492}
      .
      - - - - ORPHANS REMOVED - - - -
      .
      AddRemove-MagicDisc 2.7.106 - c:\progra~1\MAGICD~1\UNWISE.EXE
      .
      .
      .
      **************************************************************************
      .
      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2011-06-26 13:13
      Windows 5.1.2600 Service Pack 3 NTFS
      .
      scanning hidden processes ... 
      .
      scanning hidden autostart entries ...
      .
      scanning hidden files ... 
      .
      scan completed successfully
      hidden files: 0
      .
      **************************************************************************
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------
      .
      - - - - - - - > 'winlogon.exe'(936)
      c:\program files\SUPERAntiSpyware\SASWINLO.DLL
      c:\windows\system32\WININET.dll
      c:\windows\system32\Ati2evxx.dll
      .
      - - - - - - - > 'explorer.exe'(2316)
      c:\windows\system32\WININET.dll
      c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
      c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
      c:\windows\system32\ieframe.dll
      c:\windows\system32\webcheck.dll
      c:\windows\system32\WPDShServiceObj.dll
      c:\windows\system32\PortableDeviceTypes.dll
      c:\windows\system32\PortableDeviceApi.dll
      c:\windows\system32\EZUPBH~1.DLL
      .
      Completion time: 2011-06-26  13:18:16
      ComboFix-quarantined-files.txt  2011-06-26 12:17
      .
      Pre-Run: 10,060,849,152 bytes free
      Post-Run: 10,065,776,640 bytes free
      .
      WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
      [boot loader]
      timeout=2
      default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
      [operating systems]
      c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
      UnsupportedDebug="do not select this" /debug
      multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
      .
      - - End Of File - - 669C20A7574D44C8BFDFDA109F81A981

      SuperDave

      Re: sound and video jittery- suspected malware??
      « Reply #3 on: June 26, 2011, 05:35:03 PM »
      I'm not finding very much on this computer. One more scan, please.

      * Download the following tool: RootRepeal - Rootkit Detector
      * Direct download link is here: RootRepeal.zip

      * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
      * Click this link to see a list of such programs and how to disable them.

      * Extract the program file to a new folder such as C:\RootRepeal
      * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
      * Select ALL of the checkboxes and then click OK and it will start scanning your system.
      * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
      * When done, click on Save Report
      * Save it to the same location where you ran it from, such as C:\RootRepeal
      * Save it as rootrepeal.txt
      * Then open that log and select all and copy/paste it back on your next reply please.
      * Close RootRepeal.

      random bits

        Re: sound and video jittery- suspected malware??
        « Reply #4 on: June 27, 2011, 03:57:03 AM »
        Here you go Dave, it took 3 attempts and a restart for RootRepeal to complete the scan. It kept closing due to an error.

        ROOTREPEAL (c) AD, 2007-2009
        ==================================================
        Scan Start Time:      2011/06/27 10:22
        Program Version:      Version 1.3.5.0
        Windows Version:      Windows XP SP3
        ==================================================

        Drivers
        -------------------
        Name: dump_atapi.sys
        Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
        Address: 0xAABE2000   Size: 98304   File Visible: No   Signed: -
        Status: -

        Name: dump_WMILIB.SYS
        Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
        Address: 0xBA634000   Size: 8192   File Visible: No   Signed: -
        Status: -

        Name: PCI_PNP0864
        Image Path: \Driver\PCI_PNP0864
        Address: 0x00000000   Size: 0   File Visible: No   Signed: -
        Status: -

        Name: rootrepeal.sys
        Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
        Address: 0xA6C4E000   Size: 49152   File Visible: No   Signed: -
        Status: -

        Name: spoc.sys
        Image Path: spoc.sys
        Address: 0xB9EAE000   Size: 1019904   File Visible: No   Signed: -
        Status: -

        Name: sptd
        Image Path: \Driver\sptd
        Address: 0x00000000   Size: 0   File Visible: No   Signed: -
        Status: -

        Hidden/Locked Files
        -------------------
        Path: C:\hiberfil.sys
        Status: Locked to the Windows API!

        Path: C:\Program Files\MagicDisc
        Status: Locked to the Windows API!

        Path: \\?\C:\Program Files\MagicDisc\*
        Status: Could not enumerate files with the Windows API (0x00000017)!


        Path: C:\Program Files\MagicDisc\INSTALL.LOG
        Status: Invisible to the Windows API!

        Path: C:\Program Files\MagicDisc\MagicDisc.exe
        Status: Invisible to the Windows API!

        Path: C:\Program Files\MagicDisc\mcdbus.cat
        Status: Invisible to the Windows API!

        Path: C:\Program Files\MagicDisc\mcdbus.inf
        Status: Invisible to the Windows API!

        Path: C:\Program Files\MagicDisc\mcdbus.sys
        Status: Invisible to the Windows API!

        Path: C:\Program Files\MagicDisc\mInstNt.dll
        Status: Invisible to the Windows API!

        Path: C:\Program Files\MagicDisc\muninst.exe
        Status: Invisible to the Windows API!

        Path: C:\Program Files\MagicDisc\UNWISE.EXE
        Status: Invisible to the Windows API!

        Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine
        Status: Locked to the Windows API!

        Path: C:\Program Files\Atari\RollerCoaster Tycoon® 3\gui\Dutch.unique.ovl
        Status: Locked to the Windows API!

        Path: \\?\C:\Program Files\COMODO\COMODO Internet Security\Quarantine\*
        Status: Could not enumerate files with the Windows API (0x00000005)!


        Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\7DB21171-4E7F-4FB1-850B-E5D0A8FE3101.data
        Status: Invisible to the Windows API!

        Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\7DB21171-4E7F-4FB1-850B-E5D0A8FE3101.data.info
        Status: Invisible to the Windows API!

        Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp
        Status: Invisible to the Windows API!

        Path: C:\Documents and Settings\All Users\Application Data\Rosetta Stone\Content\languages
        Status: Locked to the Windows API!

        Path: \\?\C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\*
        Status: Could not enumerate files with the Windows API (0x00000005)!


        Path: C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\baseupd
        Status: Invisible to the Windows API!

        Path: \\?\C:\Documents and Settings\All Users\Application Data\Rosetta Stone\Content\languages\*
        Status: Could not enumerate files with the Windows API (0x00000017)!


        Path: C:\Documents and Settings\All Users\Application Data\Rosetta Stone\Content\languages\SK-FRA-L1-NA-PE-NA-NA-Y-3.7.1.0.r29.txt
        Status: Invisible to the Windows API!

        Path: \\?\C:\Program Files\COMODO\COMODO Internet Security\Quarantine\Temp\baseupd\*
        Status: Could not enumerate files with the Windows API (0x00000005)!


        Path: C:\Documents and Settings\All Users\Application Data\Rosetta Stone\Content\data\95\8\958005c76dc8a1d64242a92dd424d362926a36ea
        Status: Could not get file information (Error 0xc0000008)

        SSDT
        -------------------
        #: 011   Function Name: NtAdjustPrivilegesToken
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2b8b2

        #: 031   Function Name: NtConnectPort
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2ae48

        #: 037   Function Name: NtCreateFile
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2b518

        #: 041   Function Name: NtCreateKey
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2c126

        #: 046   Function Name: NtCreatePort
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2ad28

        #: 050   Function Name: NtCreateSection
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2e1e0

        #: 052   Function Name: NtCreateSymbolicLinkObject
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2e568

        #: 053   Function Name: NtCreateThread
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2a714

        #: 063   Function Name: NtDeleteKey
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2ba9e

        #: 065   Function Name: NtDeleteValueKey
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2bc9e

        #: 068   Function Name: NtDuplicateObject
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2a51a

        #: 071   Function Name: NtEnumerateKey
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2c864

        #: 073   Function Name: NtEnumerateValueKey
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2caba

        #: 097   Function Name: NtLoadDriver
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2dbf0

        #: 105   Function Name: NtMakeTemporaryObject
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2b110

        #: 116   Function Name: NtOpenFile
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2b6f4

        #: 119   Function Name: NtOpenKey
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2c116

        #: 122   Function Name: NtOpenProcess
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2a148

        #: 125   Function Name: NtOpenSection
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2b3b4

        #: 128   Function Name: NtOpenThread
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2a34c

        #: 160   Function Name: NtQueryKey
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2ccc8

        #: 161   Function Name: NtQueryMultipleValueKey
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2d11c

        #: 177   Function Name: NtQueryValueKey
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2ceda

        #: 192   Function Name: NtRenameKey
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2c67c

        #: 200   Function Name: NtRequestWaitReplyPort
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2d68c

        #: 210   Function Name: NtSecureConnectPort
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2d940

        #: 237   Function Name: NtSetSecurityObject
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2beee

        #: 240   Function Name: NtSetSystemInformation
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2dee8

        #: 247   Function Name: NtSetValueKey
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2c3f4

        #: 249   Function Name: NtShutdownSystem
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2b07a

        #: 255   Function Name: NtSystemDebugControl
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2b2a0

        #: 257   Function Name: NtTerminateProcess
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2ab2a

        #: 258   Function Name: NtTerminateThread
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2a918

        Stealth Objects
        -------------------
        Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
        Process: System   Address: 0x8a4a61f8   Size: 121

        Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
        Process: System   Address: 0x8a45f1f8   Size: 121

        Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
        Process: System   Address: 0x8a45f1f8   Size: 121

        Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
        Process: System   Address: 0x8a45f1f8   Size: 121

        Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
        Process: System   Address: 0x8a45f1f8   Size: 121

        Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
        Process: System   Address: 0x8a45f1f8   Size: 121

        Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
        Process: System   Address: 0x8a45f1f8   Size: 121

        Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
        Process: System   Address: 0x8a45f1f8   Size: 121

        Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
        Process: System   Address: 0x8a45f1f8   Size: 121

        Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
        Process: System   Address: 0x8a45f1f8   Size: 121

        Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
        Process: System   Address: 0x8a45f1f8   Size: 121

        Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
        Process: System   Address: 0x8a45f1f8   Size: 121

        Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
        Process: System   Address: 0x8a5161f8   Size: 121

        Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
        Process: System   Address: 0x8a5161f8   Size: 121

        Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
        Process: System   Address: 0x8a5161f8   Size: 121

        Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
        Process: System   Address: 0x8a5161f8   Size: 121

        Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
        Process: System   Address: 0x8a5161f8   Size: 121

        Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
        Process: System   Address: 0x8a5161f8   Size: 121

        Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
        Process: System   Address: 0x8a5161f8   Size: 121

        Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
        Process: System   Address: 0x8a5161f8   Size: 121

        Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
        Process: System   Address: 0x8a5161f8   Size: 121

        Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
        Process: System   Address: 0x8a5161f8   Size: 121

        Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
        Process: System   Address: 0x8a5161f8   Size: 121

        Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
        Process: System   Address: 0x8a25e1f8   Size: 121

        Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
        Process: System   Address: 0x8a25e1f8   Size: 121

        Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
        Process: System   Address: 0x8a25e1f8   Size: 121

        Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
        Process: System   Address: 0x8a25e1f8   Size: 121

        Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
        Process: System   Address: 0x8a25e1f8   Size: 121

        Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
        Process: System   Address: 0x8a25e1f8   Size: 121

        Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
        Process: System   Address: 0x8a25e1f8   Size: 121

        Object: Hidden Code [Driver: al6aswrbЅఆ浍瑓ᣂ๳, IRP_MJ_CREATE]
        Process: System   Address: 0x8a3311f8   Size: 121

        Object: Hidden Code [Driver: al6aswrbЅఆ浍瑓ᣂ๳, IRP_MJ_CLOSE]
        Process: System   Address: 0x8a3311f8   Size: 121

        Object: Hidden Code [Driver: al6aswrbЅఆ浍瑓ᣂ๳, IRP_MJ_DEVICE_CONTROL]
        Process: System   Address: 0x8a3311f8   Size: 121

        Object: Hidden Code [Driver: al6aswrbЅఆ浍瑓ᣂ๳, IRP_MJ_INTERNAL_DEVICE_CONTROL]
        Process: System   Address: 0x8a3311f8   Size: 121

        Object: Hidden Code [Driver: al6aswrbЅఆ浍瑓ᣂ๳, IRP_MJ_POWER]
        Process: System   Address: 0x8a3311f8   Size: 121

        Object: Hidden Code [Driver: al6aswrbЅఆ浍瑓ᣂ๳, IRP_MJ_SYSTEM_CONTROL]
        Process: System   Address: 0x8a3311f8   Size: 121

        Object: Hidden Code [Driver: al6aswrbЅఆ浍瑓ᣂ๳, IRP_MJ_PNP]
        Process: System   Address: 0x8a3311f8   Size: 121

        Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
        Process: System   Address: 0x8a4a81f8   Size: 121

        Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
        Process: System   Address: 0x8a4a81f8   Size: 121

        Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
        Process: System   Address: 0x8a4a81f8   Size: 121

        Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
        Process: System   Address: 0x8a4a81f8   Size: 121

        Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
        Process: System   Address: 0x8a4a81f8   Size: 121

        Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
        Process: System   Address: 0x8a4a81f8   Size: 121

        Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
        Process: System   Address: 0x8a4a81f8   Size: 121

        Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
        Process: System   Address: 0x8a4a81f8   Size: 121

        Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
        Process: System   Address: 0x8a4a81f8   Size: 121

        Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
        Process: System   Address: 0x8a4a81f8   Size: 121

        Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
        Process: System   Address: 0x8a4a81f8   Size: 121

        Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
        Process: System   Address: 0x899521f8   Size: 121

        Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
        Process: System   Address: 0x899521f8   Size: 121

        Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
        Process: System   Address: 0x899521f8   Size: 121

        Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
        Process: System   Address: 0x899521f8   Size: 121

        Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
        Process: System   Address: 0x899521f8   Size: 121

        Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
        Process: System   Address: 0x899521f8   Size: 121

        Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
        Process: System   Address: 0x8a3481f8   Size: 121

        Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
        Process: System   Address: 0x8a3481f8   Size: 121

        Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
        Process: System   Address: 0x8a3481f8   Size: 121

        Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
        Process: System   Address: 0x8a3481f8   Size: 121

        Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
        Process: System   Address: 0x8a3481f8   Size: 121

        Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
        Process: System   Address: 0x8a3481f8   Size: 121

        Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
        Process: System   Address: 0x8a3481f8   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
        Process: System   Address: 0x8992f470   Size: 121

        Object: Hidden Code [Driver: CdfsЅ灐畳Ёఇ浗灩, IRP_MJ_CREATE]
        Process: System   Address: 0x899191f8   Size: 121

        Object: Hidden Code [Driver: CdfsЅ灐畳Ёఇ浗灩, IRP_MJ_CLOSE]
        Process: System   Address: 0x899191f8   Size: 121

        Object: Hidden Code [Driver: CdfsЅ灐畳Ёఇ浗灩, IRP_MJ_READ]
        Process: System   Address: 0x899191f8   Size: 121

        Object: Hidden Code [Driver: CdfsЅ灐畳Ёఇ浗灩, IRP_MJ_QUERY_INFORMATION]
        Process: System   Address: 0x899191f8   Size: 121

        Object: Hidden Code [Driver: CdfsЅ灐畳Ёఇ浗灩, IRP_MJ_SET_INFORMATION]
        Process: System   Address: 0x899191f8   Size: 121

        Object: Hidden Code [Driver: CdfsЅ灐畳Ёఇ浗灩, IRP_MJ_QUERY_VOLUME_INFORMATION]
        Process: System   Address: 0x899191f8   Size: 121

        Object: Hidden Code [Driver: CdfsЅ灐畳Ёఇ浗灩, IRP_MJ_DIRECTORY_CONTROL]
        Process: System   Address: 0x899191f8   Size: 121

        Object: Hidden Code [Driver: CdfsЅ灐畳Ёఇ浗灩, IRP_MJ_FILE_SYSTEM_CONTROL]
        Process: System   Address: 0x899191f8   Size: 121

        Object: Hidden Code [Driver: CdfsЅ灐畳Ёఇ浗灩, IRP_MJ_DEVICE_CONTROL]
        Process: System   Address: 0x899191f8   Size: 121

        Object: Hidden Code [Driver: CdfsЅ灐畳Ёఇ浗灩, IRP_MJ_SHUTDOWN]
        Process: System   Address: 0x899191f8   Size: 121

        Object: Hidden Code [Driver: CdfsЅ灐畳Ёఇ浗灩, IRP_MJ_LOCK_CONTROL]
        Process: System   Address: 0x899191f8   Size: 121

        Object: Hidden Code [Driver: CdfsЅ灐畳Ёఇ浗灩, IRP_MJ_CLEANUP]
        Process: System   Address: 0x899191f8   Size: 121

        Object: Hidden Code [Driver: CdfsЅ灐畳Ёఇ浗灩, IRP_MJ_PNP]
        Process: System   Address: 0x899191f8   Size: 121

        Shadow SSDT
        -------------------
        #: 013   Function Name: NtGdiBitBlt
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae30788

        #: 122   Function Name: NtGdiDeleteObjectApp
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae31034

        #: 227   Function Name: NtGdiMaskBlt
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae308c8

        #: 233   Function Name: NtGdiOpenDCW
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae30eee

        #: 237   Function Name: NtGdiPlgBlt
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae30a14

        #: 292   Function Name: NtGdiStretchBlt
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae30b54

        #: 310   Function Name: NtUserBlockInput
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae30600

        #: 319   Function Name: NtUserCallHwndParamLock
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2f648

        #: 383   Function Name: NtUserGetAsyncKeyState
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae302a6

        #: 389   Function Name: NtUserGetClipboardData
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae30c9a

        #: 414   Function Name: NtUserGetKeyboardState
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2ffee

        #: 416   Function Name: NtUserGetKeyState
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae30142

        #: 460   Function Name: NtUserMessageCall
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2fc78

        #: 465   Function Name: NtUserMoveWindow
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2f344

        #: 475   Function Name: NtUserPostMessage
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2f902

        #: 476   Function Name: NtUserPostThreadMessage
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2fabc

        #: 490   Function Name: NtUserRegisterHotKey
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae30dbe

        #: 491   Function Name: NtUserRegisterRawInputDevices
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae3040a

        #: 502   Function Name: NtUserSendInput
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2fe80

        #: 509   Function Name: NtUserSetClipboardViewer
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae30508

        #: 529   Function Name: NtUserSetParent
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2f4d4

        #: 549   Function Name: NtUserSetWindowsHookEx
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae31072

        #: 552   Function Name: NtUserSetWinEventHook
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae31308

        #: 559   Function Name: NtUserSystemParametersInfo
        Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2f7e6

        ==EOF==
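One way to condense a hook log in the layout posted above into per-module and per-driver counts for review. This is an added example, not part of the original post or of the scanning tool; the sample lines are copied from the log, and the names `parse_log` and `summarize` are hypothetical.

```python
"""Condense a rootkit-scanner hook log into counts for review (added example)."""
import ntpath
import re
from collections import Counter, defaultdict

# Sample lines copied from the log above, in the same two-line layout.
# The excerpt starts mid-section, so the first entries have no header.
SAMPLE_LOG = r'''
#: 257   Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2ab2a

#: 258   Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae2a918

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System   Address: 0x8a4a61f8   Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System   Address: 0x8a4a61f8   Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System   Address: 0x8a45f1f8   Size: 121

Object: Hidden Code [Driver: CdfsЅ灐畳Ёఇ浗灩, IRP_MJ_CREATE]
Process: System   Address: 0x899191f8   Size: 121

Shadow SSDT
-------------------
#: 013   Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xaae30788

==EOF==
'''

HOOK_RE = re.compile(r'^#:\s*(\d+)\s+Function Name:\s*(\S+)$')
STATUS_RE = re.compile(r'^Status:\s*Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)$')
OBJECT_RE = re.compile(r'^Object:\s*Hidden Code \[Driver:\s*(.+),\s*(IRP_MJ_\w+)\]$')
ADDR_RE = re.compile(r'^Process:\s*(\S+)\s+Address:\s*(0x[0-9a-fA-F]+)\s+Size:\s*(\d+)$')
DASHES_RE = re.compile(r'^-{5,}$')


def parse_log(text):
    """Return (hooks, objects) parsed from the two-line entries of the log."""
    hooks, objects = [], []
    section = "(before first header)"
    prev = ""        # last non-empty line; becomes the section name at a dashed rule
    pending = None   # first line of an entry, waiting for its second line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if DASHES_RE.match(line):
            section = prev
        elif (m := HOOK_RE.match(line)):
            pending = ("hook", m.groups())
        elif (m := OBJECT_RE.match(line)):
            pending = ("object", m.groups())
        elif (m := STATUS_RE.match(line)) and pending and pending[0] == "hook":
            index, function = pending[1]
            hooks.append({"section": section, "index": int(index),
                          "function": function, "module": m.group(1),
                          "address": m.group(2)})
            pending = None
        elif (m := ADDR_RE.match(line)) and pending and pending[0] == "object":
            driver, irp = pending[1]
            objects.append({"driver": driver, "irp": irp,
                            "address": m.group(2), "size": int(m.group(3))})
            pending = None
        prev = line
    return hooks, objects


def summarize(hooks, objects):
    """Group hooks by (section, hooking module) and IRP entries by driver."""
    hooks_by_module = Counter(
        (h["section"], ntpath.basename(h["module"]).lower()) for h in hooks)
    irp_by_driver = defaultdict(lambda: {"slots": 0, "handlers": set()})
    for o in objects:
        entry = irp_by_driver[o["driver"]]
        entry["slots"] += 1
        entry["handlers"].add(o["address"])
    # Driver names with characters outside ASCII are listed for manual review.
    non_ascii = sorted(d for d in irp_by_driver if not d.isascii())
    return {"hooks_by_module": dict(hooks_by_module),
            "irp_by_driver": dict(irp_by_driver),
            "non_ascii_drivers": non_ascii}


if __name__ == "__main__":
    result = summarize(*parse_log(SAMPLE_LOG))
    for (section, module), count in result["hooks_by_module"].items():
        print(f"{section}: {count} hook(s) by {module}")
    for driver, info in result["irp_by_driver"].items():
        print(f"{driver!r}: {info['slots']} IRP slot(s), "
              f"{len(info['handlers'])} handler address(es)")
    print("non-ASCII driver names:", result["non_ascii_drivers"])
```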

        SuperDave

        Re: sound and video jittery- suspected malware??
        « Reply #5 on: June 27, 2011, 01:33:14 PM »
        AVENGER

        • Download The Avenger by Swandog46 from here.
        • Unzip/extract it to a folder on your desktop.
        • Double click on avenger.exe to run The Avenger.
        • Click OK.
        • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
        • Click the Execute button.
        • You will be asked: "No script has been entered.  Do you want to execute a rootkit scan only?"
        • Click Yes.
        • You will now be asked: "First step completed --- The Avenger has been successfully set up to run on next boot.  Reboot now?"
        • Click Yes.
        • Your PC will now be rebooted.
        • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
        • Please post this log in your next reply.

        random bits

          Re: sound and video jittery- suspected malware??
          « Reply #6 on: June 27, 2011, 04:41:23 PM »
          Logfile of The Avenger Version 2.0, (c) by Swandog46
          http://swandog46.geekstogo.com

          Platform:  Windows XP

          *******************

          Script file opened successfully.
          Script file read successfully.

          Backups directory opened successfully at C:\Avenger

          *******************

          Beginning to process script file:

          Rootkit scan active.
          No rootkits found!


          Completed script processing.

          *******************

          Finished!  Terminate.




          All these scans etc. and I am still having the same sound issues; it's very puzzling. I am going to de-frag again tonight, and I have done some housekeeping and cleaned up the C drive.

          SuperDave

          Re: sound and video jittery- suspected malware??
          « Reply #7 on: June 27, 2011, 07:18:52 PM »
          I'd like to scan your machine with ESET OnlineScan

          •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
          ESET OnlineScan
          •Click the button.
          •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
          • Click on to download the ESET Smart Installer. Save it to your desktop.
          • Double click on the icon on your desktop.
          •Check
          •Click the button.
          •Accept any security warnings from your browser.
          •Check
          •Push the Start button.
          •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
          •When the scan completes, push
          •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
          •Push the button.
          •Push
          A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

          random bits

            Re: sound and video jittery- suspected malware??
            « Reply #8 on: June 28, 2011, 05:01:22 PM »
            It found 2 files, both of which I already knew about and have been on my laptop for months.

            Documents\MediaMonkey\Keygen CORE\keygen.exe   a variant of Win32/Keygen.AG application
            Documents\Microsoft.Office.2010.mini-KMS.Activator.v1.053-PDU\Microsoft.Office.2010.mini-KMS.Activator.v1.053-PDU.rar   a variant of Win32/HackKMS.A application

            SuperDave

            Re: sound and video jittery- suspected malware??
            « Reply #9 on: June 28, 2011, 05:07:50 PM »
            Please run the scan again and have ESET fix those two infections.

            random bits

              Re: sound and video jittery- suspected malware??
              « Reply #10 on: June 29, 2011, 03:59:11 AM »
              The scan took 13 hours and my laptop was running very hot. Can I not just delete them?

              SuperDave

              Re: sound and video jittery- suspected malware??
              « Reply #11 on: June 29, 2011, 04:58:33 PM »
              Quote
              The scan took 13 hours and my laptop was running very hot. Can I not just delete them?
              Yes, if you can. Try running ESET again afterwards. It shouldn't take that long.

              random bits

                Re: sound and video jittery- suspected malware??
                « Reply #12 on: June 30, 2011, 01:44:14 AM »
                Thank you for your help. I am away for a few days now but will continue on my return.

                I have noticed that the sound is normal when the shut down jingle plays; it's the only time it is normal!
                « Last Edit: June 30, 2011, 02:29:20 AM by random bits »

                SuperDave

                Re: sound and video jittery- suspected malware??
                « Reply #13 on: June 30, 2011, 04:59:58 PM »
                Quote
                I have noticed that the sound is normal when the shut down jingle plays; it's the only time it is normal!
                I don't believe that this is caused by an infection. You may have to get help for this on one of the software forums after we're completed.

                random bits

                  Re: sound and video jittery- suspected malware??
                  « Reply #14 on: July 12, 2011, 07:45:08 AM »
                  Hi Dave, I'm back, I have been very busy so have not had time to do anything for a while.
                  I had some time this morning so I thought I would boot into safe mode and run the scans (as the sound is fine on shut down but not on start up) but after starting the scan about 2 mins in it just shuts down, completely off as though the power button has been held down??
                  Am beginning to think I just need to format and re-install   >:( such a pain

                  SuperDave

                  Re: sound and video jittery- suspected malware??
                  « Reply #15 on: July 12, 2011, 01:28:51 PM »
                  It sounds more like a hardware problem than anything else. Please download and install Speedfan to check your computer's temperatures.

                  SpeedFan

                  random bits

                    Re: sound and video jittery- suspected malware??
                    « Reply #16 on: July 13, 2011, 09:12:02 AM »
                    What would you like me to do with it now I have downloaded it?? It is reading hd @ 43c and core @ 68c fans 1,2 and 3 at 0 rpm.

                    SuperDave

                    Re: sound and video jittery- suspected malware??
                    « Reply #17 on: July 13, 2011, 05:48:41 PM »
                    Quote
                    it is reading hd @ 43c and core @ 68c fans 1,2 and 3 at 0 rpm.
                    Please check this against the specs for your hard drive. Just search your hard drive make and compare your findings with the manufacturer's temperature specs. Is it still shutting down?

                    random bits

                      Re: sound and video jittery- suspected malware??
                      « Reply #18 on: July 14, 2011, 03:46:19 AM »
                      It only shut down when running the scans in safe mode. Hasn't done it since.

                      This is my laptop, no info about running temp though. Would the temp really just affect the sound and video?

                      http://uk.computers.toshiba-europe.com/innovation/jsp/SUPPORTSECTION/discontinuedProductPage.do?service=UK&toshibaShop=false&com.broadvision.session.new=Yes&PRODUCT_ID=1084336

                      SuperDave

                      Re: sound and video jittery- suspected malware??
                      « Reply #19 on: July 14, 2011, 04:45:56 PM »
                      Quote
                      would the temp really just affect the sound and video?

                      No, but it will cause the computer to shut down. I don't feel that this is a malware problem as we've already run some scans and cleaned up some infections. Do you have your OS disk?

                      Right-click My Computer, select Properties, Advanced, Hardware, Device Manager and tell me if you see any yellow warnings there. Also, click on the Sound, video and game controllers and see if there are any there.

                      random bits

                        Re: sound and video jittery- suspected malware??
                        « Reply #20 on: July 15, 2011, 02:09:27 AM »
                        No, there are no drivers that need updating, I have checked them all. They hadn't been updated recently either so I can't roll them back.

                        SuperDave

                        Re: sound and video jittery- suspected malware??
                        « Reply #21 on: July 15, 2011, 05:01:19 PM »
                        Ok. Let's try checking for corrupted files. Please do this even if you don't have an OS disk. If it requests that you insert the disk, it probably means there's a corrupted file or a file is missing. In the meantime, I'm going to check on something else.

                        Do you have an XP CD?

                        If so, place it in your CD ROM drive and follow the instructions below:
                        •Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
                        •Let this run undisturbed until the window with the blue progress bar goes away
                        SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

                        random bits

                          Re: sound and video jittery- suspected malware??
                          « Reply #22 on: July 16, 2011, 04:05:08 AM »
                          "files that are required for windows to run properly must be copied to the dll cache
                          insert your windows xp professional cd-rom now."
                          I don't have a cd. my os was re-installed by an it company last november after a friend had an accident with it!


                          this error box kept coming up, so i had to cancel the process.
                          does this mean I am going to have to re-install windows somehow?
                          « Last Edit: July 16, 2011, 04:24:42 AM by random bits »

                          SuperDave

                          Re: sound and video jittery- suspected malware??
                          « Reply #23 on: July 16, 2011, 01:39:02 PM »
                          Quote
                          does this mean I am going to have to re-install windows somehow?
                          It's possible. There appears to be something wrong with the OS files. Is it possible to borrow a Microsoft Windows XP Professional 5.1 disk from someone?
                          Please do this for me. When you boot your computer, listen and record the beeps that you're getting and tell me what they are.

                          random bits

                            Re: sound and video jittery- suspected malware??
                            « Reply #24 on: July 16, 2011, 02:48:13 PM »
                            no beeps at all.

                            SuperDave

                            Re: sound and video jittery- suspected malware??
                            « Reply #25 on: July 18, 2011, 01:13:34 PM »
                            If the computer is booting normally, you should get one beep. Do you notice any unusual noise or odors from the computer?

                            random bits

                              Re: sound and video jittery- suspected malware??
                              « Reply #26 on: July 18, 2011, 01:48:39 PM »
                              no, it smells hot but nothing else, tbh have never heard a post beep from it, I didn't think laptops did that?

                              SuperDave

                              Re: sound and video jittery- suspected malware??
                              « Reply #27 on: July 18, 2011, 05:38:45 PM »
                              Quote
                              I didn't think laptops did that?
                              Sorry, I forgot it was a laptop. I checked the temps on my laptop and 68 deg. seems high for the core. When you ran SpeedFan, did you notice if any temps were in red? Is the sound problem still there?

                              random bits

                                Re: sound and video jittery- suspected malware??
                                « Reply #28 on: July 19, 2011, 03:03:14 AM »
                                no temps in red, and yep still have sound problem.

                                SuperDave

                                Re: sound and video jittery- suspected malware??
                                « Reply #29 on: July 19, 2011, 04:56:02 PM »
                                Quote
                                no temps in red, and yep still have sound problem.
                                Well, the only thing I can see to do is try to borrow an OS disk and run SFC. Here's a link to help with cleaning your laptop.

                                random bits

                                  Re: sound and video jittery- suspected malware??
                                  « Reply #30 on: July 20, 2011, 02:00:17 AM »
                                  Thank you for the link Dave, I had the laptop apart last week (that was fun!!) and cleaned the fan. There wasn't a lot of dust in there tho, which surprised me. I am gonna have to ask the company who re-installed for a disc.
                                  thanks for all your work on this matter.

                                  random bits

                                    Re: sound and video jittery- suspected malware??
                                    « Reply #31 on: July 27, 2011, 06:11:54 AM »
                                    Hi Dave I have been trying to reinstall windows but it gets to the point of formatting the hard drive and shuts down?? also the disc I have is not suitable for the sfc /scannow as it says it is a different disc. am at a loss here as to what to do?

                                    SuperDave

                                    Re: sound and video jittery- suspected malware??
                                    « Reply #32 on: July 27, 2011, 05:35:04 PM »
                                    It would appear that there could be something defective with your hard drive or some other component of your computer. Please try running a diagnostic on your hard drive.

                                    Run hard drive diagnostics: tacktech.com
                                    Make sure you select the tool that is appropriate for the brand of your hard drive.
                                    Depending on the program, it'll create a bootable floppy or a bootable CD.
                                    If the downloaded file is of .iso type, use ImgBurn to burn the .iso file to a CD (select the "Write image file to disc" option), and make the CD bootable.
                                    For Toshiba hard drives, see here:

                                    Note: If you do not know how to set your computer to boot from CD follow the steps here