toshibalaptop

Members | Posts: 4 | Reputation: 0 Neutral
  1. If this virus has disappeared, I don't understand how ... ComboFix 09-03-22.01 - Mehnaz 2009-03-22 22:15:55.1 - NTFSx86 Microsoft
  2. Some very strange things are happening on my laptop. I did not delete anything, other than the one you mentioned above by right-clicking on that file and having that error message come up about not being able to retrieve the file. *confused* For starters, the internet connection is back up. For the past week, it's been saying unable to find DHCP, Host Process for Windows Services Stopped Working and was Closed, and an error message from Norton Anti-Virus kept coming up. Now, when I click on the internet, I am able to come online. Norton Anti-Virus message popped up saying my service needs to be reactivated (so I did that), and that Host Process message is not showing up. Not sure what happened. I ran 3 scans including HijackThis. I will post the logs for you to analyze. Oh, one message that popped up during the HijackThis log was that it could not access the Host Files, so if anything needs to be deleted in that, I need to go in and do it myself. I would appreciate you having a look at these logs and letting me know if anything needs to be deleted. 
Thanks.
  3. I ran GMER again and right-clicked on the file specified. An error message came up saying, "failed, couldn't find the specified location" .... I'm running GMER again, after rebooting, and will post the log results here. MBAM probably isn't updating because I'm not connected to the internet on the infected computer. I was told that the virus could possibly come back if the connection to the internet remains open. I tried loading MBAM onto the desktop and transferring it onto the infected laptop, but it won't open on the laptop. Will try again. Thanks for your help.
  4. Hi, I am having a lot of problems with a nasty virus on my laptop. I've been getting advice and trying different options and programs to get rid of this virus, which you can read at the link below. It will give you insight as to the different methods I have tried thus far. The individual who was helping me on that board asked me to come here: http://www.bleepingcomputer.com/forums/topic212353.html At this point, I have run GMER, MalwareBytes, DDS and Root Repeal. I will post the latest logs. MalwareBytes is now showing up "malicious virus" free ... but when I run GMER, this gaopdxserv.sys is still appearing. I have run RootRepeal but I don't see it in the log and I have no clue what to delete. Can someone please help me? Here are the logs:
C:\Windows\System32\DRIVERS\srv2.sys Address: 0x8DB08000 Size: 159744 File Visible: - Status: - Name: srvnet.sys Image Path: C:\Windows\System32\DRIVERS\srvnet.sys Address: 0x8DA2D000 Size: 118784 File Visible: - Status: - Name: storport.sys Image Path: C:\Windows\system32\DRIVERS\storport.sys Address: 0x883AE000 Size: 266240 File Visible: - Status: - Name: swenum.sys Image Path: C:\Windows\system32\DRIVERS\swenum.sys Address: 0x8C893000 Size: 4992 File Visible: - Status: - Name: SYMDNS.SYS Image Path: C:\Windows\System32\Drivers\SYMDNS.SYS Address: 0x8CE2E000 Size: 6144 File Visible: - Status: - Name: SYMEVENT.SYS Image Path: C:\Windows\system32\Drivers\SYMEVENT.SYS Address: 0x8CE03000 Size: 151552 File Visible: - Status: - Name: SYMFW.SYS Image Path: C:\Windows\System32\Drivers\SYMFW.SYS Address: 0x8CE3B000 Size: 139392 File Visible: - Status: - Name: SYMIDS.SYS Image Path: C:\Windows\System32\Drivers\SYMIDS.SYS Address: 0x8CE5E000 Size: 33280 File Visible: - Status: - Name: SYMNDISV.SYS Image Path: C:\Windows\System32\Drivers\SYMNDISV.SYS Address: 0x8CE30000 Size: 45056 File Visible: - Status: - Name: SYMREDRV.SYS Image Path: C:\Windows\System32\Drivers\SYMREDRV.SYS Address: 0x8CE28000 Size: 20992 File Visible: - Status: - Name: SYMTDI.SYS Image Path: C:\Windows\System32\Drivers\SYMTDI.SYS Address: 0x8CDD6000 Size: 181248 File Visible: - Status: - Name: SynTP.sys Image Path: C:\Windows\system32\DRIVERS\SynTP.sys Address: 0x8C3A0000 Size: 175360 File Visible: - Status: - Name: tcpip.sys Image Path: C:\Windows\System32\drivers\tcpip.sys Address: 0x87DE1000 Size: 946176 File Visible: - Status: - Name: tcpipreg.sys Image Path: C:\Windows\System32\drivers\tcpipreg.sys Address: 0xAB4F7000 Size: 49152 File Visible: - Status: - Name: tdcmdpst.sys Image Path: C:\Windows\system32\DRIVERS\tdcmdpst.sys Address: 0x8C3D8000 Size: 16128 File Visible: - Status: - Name: TDI.SYS Image Path: C:\Windows\system32\DRIVERS\TDI.SYS Address: 0x883EF000 Size: 45056 File Visible: - 
Status: - Name: tdx.sys Image Path: C:\Windows\system32\DRIVERS\tdx.sys Address: 0x8CDC0000 Size: 90112 File Visible: - Status: - Name: termdd.sys Image Path: C:\Windows\system32\DRIVERS\termdd.sys Address: 0x8C883000 Size: 65536 File Visible: - Status: - Name: tifm21.sys Image Path: C:\Windows\system32\drivers\tifm21.sys Address: 0x8C336000 Size: 188416 File Visible: - Status: - Name: tos_sps32.sys Image Path: C:\Windows\system32\DRIVERS\tos_sps32.sys Address: 0x88041000 Size: 307200 File Visible: - Status: - Name: TSDDD.dll Image Path: C:\Windows\System32\TSDDD.dll Address: 0x95220000 Size: 36864 File Visible: - Status: - Name: tunmp.sys Image Path: C:\Windows\system32\DRIVERS\tunmp.sys Address: 0x88130000 Size: 36864 File Visible: - Status: - Name: tunnel.sys Image Path: C:\Windows\system32\DRIVERS\tunnel.sys Address: 0x88125000 Size: 45056 File Visible: - Status: - Name: TVALZ_O.SYS Image Path: C:\Windows\system32\DRIVERS\TVALZ_O.SYS Address: 0x8803C000 Size: 16768 File Visible: - Status: - Name: umbus.sys Image Path: C:\Windows\system32\DRIVERS\umbus.sys Address: 0x8C8C9000 Size: 53248 File Visible: - Status: - Name: usbccgp.sys Image Path: C:\Windows\system32\DRIVERS\usbccgp.sys Address: 0x8D81F000 Size: 94208 File Visible: - Status: - Name: USBD.SYS Image Path: C:\Windows\system32\DRIVERS\USBD.SYS Address: 0x8C3CB000 Size: 8192 File Visible: - Status: - Name: usbehci.sys Image Path: C:\Windows\system32\DRIVERS\usbehci.sys Address: 0x8C309000 Size: 61440 File Visible: - Status: - Name: usbhub.sys Image Path: C:\Windows\system32\DRIVERS\usbhub.sys Address: 0x8C8D6000 Size: 212992 File Visible: - Status: - Name: USBPORT.SYS Image Path: C:\Windows\system32\DRIVERS\USBPORT.SYS Address: 0x8C2CB000 Size: 253952 File Visible: - Status: - Name: usbuhci.sys Image Path: C:\Windows\system32\DRIVERS\usbuhci.sys Address: 0x8C2C0000 Size: 45056 File Visible: - Status: - Name: usbvideo.sys Image Path: C:\Windows\System32\Drivers\usbvideo.sys Address: 0x8D83F000 Size: 132352 
File Visible: - Status: - Name: UVCFTR_S.SYS Image Path: C:\Windows\system32\DRIVERS\UVCFTR_S.SYS Address: 0x8D836000 Size: 36864 File Visible: - Status: - Name: vga.sys Image Path: C:\Windows\System32\drivers\vga.sys Address: 0x8CD42000 Size: 49152 File Visible: - Status: - Name: VIDEOPRT.SYS Image Path: C:\Windows\System32\drivers\VIDEOPRT.SYS Address: 0x8CD4E000 Size: 135168 File Visible: - Status: - Name: volmgr.sys Image Path: C:\Windows\system32\drivers\volmgr.sys Address: 0x826D1000 Size: 61440 File Visible: - Status: - Name: volmgrx.sys Image Path: C:\Windows\System32\drivers\volmgrx.sys Address: 0x826E0000 Size: 303104 File Visible: - Status: - Name: volsnap.sys Image Path: C:\Windows\system32\drivers\volsnap.sys Address: 0x88003000 Size: 233472 File Visible: - Status: - Name: wanarp.sys Image Path: C:\Windows\system32\DRIVERS\wanarp.sys Address: 0x8CF19000 Size: 77824 File Visible: - Status: - Name: watchdog.sys Image Path: C:\Windows\System32\drivers\watchdog.sys Address: 0x8C28D000 Size: 53248 File Visible: - Status: - Name: Wdf01000.sys Image Path: C:\Windows\system32\drivers\Wdf01000.sys Address: 0x825A4000 Size: 507904 File Visible: - Status: - Name: WDFLDR.SYS Image Path: C:\Windows\system32\drivers\WDFLDR.SYS Address: 0x82620000 Size: 53248 File Visible: - Status: - Name: Win32k Image Path: \Driver\Win32k Address: 0x95000000 Size: 2105344 File Visible: - Status: - Name: win32k.sys Image Path: C:\Windows\System32\win32k.sys Address: 0x95000000 Size: 2105344 File Visible: - Status: - Name: WMILIB.SYS Image Path: C:\Windows\system32\drivers\WMILIB.SYS Address: 0x82673000 Size: 36864 File Visible: - Status: - Name: WMIxWDM Image Path: \Driver\WMIxWDM Address: 0x81C18000 Size: 3842048 File Visible: - Status: - Malwarebytes' Anti-Malware 1.34 Database version: 1863 Windows 6.0.6001 Service Pack 1 21/03/2009 7:33:02 PM mbam-log-2009-03-21 (19-33-02).txt Scan type: Full Scan (C:\|D:\|) Objects scanned: 182495 Time elapsed: 2 hour(s), 30 minute(s), 39 
second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ROOTREPEAL © AD, 2007-2008 ================================================== Scan Time: 2009/03/21 21:48 Program Version: Version 1.2.3.0 Windows Version: Windows Vista SP1 ================================================== Hidden/Locked Files------------------- Path: C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Status: Locked to the Windows API! Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Locked to the Windows API! Path: C:\System Volume Information\{df5c6fc6-162a-11de-9752-001b381a31dc}{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Locked to the Windows API! Path: C:\Windows\System32\wbem\PORTAB~3.MOF Status: Locked to the Windows API! Path: C:\Windows\System32\wbem\PORTAB~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c .cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df5 6e60dc5df.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053 e8c6967ba9d.cat Status: Locked to the Windows API! 
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_91949 b06671d08ae.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_10b3ea459bfee365 .cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a 620671dde41.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_b7e811287b298060.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8 .cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_a6e7a8e2 0e9863b4.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.c at Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc 0ea08098.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad. cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cd a6db.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_b7e911727b2899b7.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_a6e6a898 0e994a5d.cat Status: Locked to the Windows API! 
Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003 bc63e949f6.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Manifests\df4c00155bfca5da82320089743bb386e8df43312c8d8b8112418980a2440f2d.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Manifests\4a4e6de1088e614f7694727d621129512819bdecdb46cc6ebb7c1f192dfe380e.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Manifests\4bde3906e1ad59953a7d8592ff3860dd7fadc4e12abe4b5c828645390461a3aa.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16651_none_3fe50116c43e1596\WGXINS~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16721_none_400572c0c425beea\WGXINS~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.16772_none_3fd0636ec44d63f6\WGXINS~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.20788_none_40553023dd6dba94\WGXINS~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.1638 6_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\RENDER~1.XML Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\RENDER~1.XML Status: Locked to the Windows API! 
Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18000_none_0b69c31f4f19b995\RENDER~1.XML Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\RENDER~1.XML Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\RENDER~1.XML Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.20885_none_4052312bdd706bb6\WGXINS~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6000.20949_none_408173e9dd4c5e75\WGXINS~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18000_none_42004f0ec13d017b\WGXINS~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18032_none_41e1dfdec15387fc\WGXINS~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18112_none_41f7819cc1434d41\WGXINS~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.18165_none_41c472dec16924fb\WGXINS~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22132_none_426b7ca9da7127c6\WGXINS~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22233_none_426c7ed9da703e44\WGXINS~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-gameexplorer_31bf3856ad364e35_6.0.6001.22299_none_4231a10dda9b7df4\WGXINS~1.MOF Status: Locked to the Windows API! 
Path: C:\Windows\winsxs\x86_microsoft-windows-windowscodec_31bf3856ad364e35_6.0.6001.18131_none_966249e6a135884c\$$DeleteMe.WindowsCodecs.dll.01c9a3f034fce6fc.0000 Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~3.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~3.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18000_none_4b00c645ec09f02d\PORTAB~3.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18000_none_4b00c645ec09f02d\PORTAB~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~3.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~1.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PORTAB~3.MOF Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PORTAB~1.MOF Status: Locked to the Windows API! Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\SYSTEM~1.DLL Status: Locked to the Windows API! 
Path: C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Status: Allocation size mismatch (API: 32768, Raw: 16384) Path: C:\Windows\System32\wbem\Logs\WMITracing.log Status: Locked to the Windows API! Path: C:\Windows\winsxs\Temp\PendingDeletes\sortkey.nlp Status: Locked to the Windows API! Path: C:\Windows\winsxs\Temp\PendingDeletes\sorttbls.nlp Status: Locked to the Windows API! Path: C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.0.6000.16386__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config Status: Locked to the Windows API! Path: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\SYSTEM~1.DLL Status: Locked to the Windows API! Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl Status: Locked to the Windows API! Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl Status: Locked to the Windows API! Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl Status: Locked to the Windows API! Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl Status: Locked to the Windows API! Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl Status: Locked to the Windows API!