Hidden Drivers in a RootKit Unhooker Report

[ChristopherLorking]

Hi there,

Attached is a log file from Rootkit Unhooker run on an XP Pro SP3 machine - at the bottom are TWO unknown/hidden drivers.

I hope this is the correct place to post this - please let me know if the DDS log needs to be posted BEFORE anyone can help with this issue.

If the DDS is required, I will run it as soon as I can and post the log.

RkUnhooker report generator v0.7

==============================================

Rootkit Unhooker kernel version: 3.7.300.505

==============================================

Windows Major Version: 5

Windows Minor Version: 1

Windows Build Number: 2600

==============================================

>Drivers

Driver: C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

Address: 0xB90D0000

Size: 6320128 bytes

Driver: C:\WINDOWS\system32\drivers\RtkHDAud.sys

Address: 0xA79D4000

Size: 6103040 bytes

Driver: C:\WINDOWS\System32\igxpdx32.DLL

Address: 0xBF322000

Size: 3518464 bytes

Driver: C:\WINDOWS\System32\igxpdv32.DLL

Address: 0xBF05E000

Size: 2899968 bytes

Driver: C:\WINDOWS\system32\ntkrnlpa.exe

Address: 0x804D7000

Size: 2154496 bytes

Driver: PnpManager

Address: 0x804D7000

Size: 2154496 bytes

Driver: RAW

Address: 0x804D7000

Size: 2154496 bytes

Driver: WMIxWDM

Address: 0x804D7000

Size: 2154496 bytes

Driver: Win32k

Address: 0xBF800000

Size: 1871872 bytes

Driver: C:\WINDOWS\System32\win32k.sys

Address: 0xBF800000

Size: 1871872 bytes

Driver: Ntfs.sys

Address: 0xB9DC6000

Size: 577536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

Address: 0xA7711000

Size: 503808 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

Address: 0xA77B4000

Size: 458752 bytes

Driver: mfehidk.sys

Address: 0xB9E6A000

Size: 454656 bytes

Driver: C:\WINDOWS\system32\DRIVERS\update.sys

Address: 0xB8F0E000

Size: 385024 bytes

Driver: C:\WINDOWS\system32\DRIVERS\tcpip.sys

Address: 0xA78D4000

Size: 364544 bytes

Driver: C:\WINDOWS\system32\DRIVERS\srv.sys

Address: 0xA6918000

Size: 360448 bytes

Driver: C:\WINDOWS\System32\ATMFD.DLL

Address: 0xBF67D000

Size: 290816 bytes

Driver: C:\WINDOWS\System32\Drivers\HTTP.sys

Address: 0xA59FB000

Size: 266240 bytes

Driver: C:\WINDOWS\System32\igxpgd32.dll

Address: 0xBF024000

Size: 237568 bytes

Driver: C:\WINDOWS\system32\DRIVERS\k57xp32.sys

Address: 0xB905E000

Size: 221184 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rdpdr.sys

Address: 0xB8F6C000

Size: 196608 bytes

Driver: ACPI.sys

Address: 0xB9F79000

Size: 188416 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mrxdav.sys

Address: 0xA6A60000

Size: 184320 bytes

Driver: NDIS.sys

Address: 0xB9D99000

Size: 184320 bytes

Driver: C:\WINDOWS\system32\drivers\mfeavfk.sys

Address: 0xB8FC4000

Size: 176128 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rdbss.sys

Address: 0xA7824000

Size: 176128 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

Address: 0xB9094000

Size: 163840 bytes

Driver: C:\WINDOWS\system32\DRIVERS\netbt.sys

Address: 0xA7871000

Size: 163840 bytes

Driver: dmio.sys

Address: 0xB9F23000

Size: 155648 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ipnat.sys

Address: 0xA7899000

Size: 155648 bytes

Driver: C:\WINDOWS\system32\drivers\portcls.sys

Address: 0xA79B0000

Size: 147456 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS

Address: 0xB903A000

Size: 147456 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ks.sys

Address: 0xB9017000

Size: 143360 bytes

Driver: C:\WINDOWS\System32\Drivers\RDPWD.SYS

Address: 0xA5708000

Size: 143360 bytes

Driver: C:\WINDOWS\System32\drivers\afd.sys

Address: 0xA784F000

Size: 139264 bytes

Driver: ACPI_HAL

Address: 0x806E5000

Size: 134528 bytes

Driver: C:\WINDOWS\system32\hal.dll

Address: 0x806E5000

Size: 134528 bytes

Driver: fltMgr.sys

Address: 0xB9EEB000

Size: 131072 bytes

Driver: ftdisk.sys

Address: 0xB9F49000

Size: 126976 bytes

Driver: C:\WINDOWS\system32\drivers\mfeapfk.sys

Address: 0xA55CA000

Size: 114688 bytes

Driver: Mup.sys

Address: 0xB9D7F000

Size: 106496 bytes

Driver: atapi.sys

Address: 0xB9F0B000

Size: 98304 bytes

Driver: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xA76F9000

Size: 98304 bytes

Driver: KSecDD.sys

Address: 0xB9E53000

Size: 94208 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndiswan.sys

Address: 0xB9000000

Size: 94208 bytes

Driver: C:\WINDOWS\system32\drivers\mfetdi2k.sys

Address: 0xA78BF000

Size: 86016 bytes

Driver: C:\WINDOWS\system32\drivers\wdmaud.sys

Address: 0xA6ADB000

Size: 86016 bytes

Driver: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS

Address: 0xB90BC000

Size: 81920 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ipsec.sys

Address: 0xA792D000

Size: 77824 bytes

Driver: C:\WINDOWS\System32\drivers\dxg.sys

Address: 0xBF000000

Size: 73728 bytes

Driver: C:\WINDOWS\System32\igxprd32.dll

Address: 0xBF012000

Size: 73728 bytes

Driver: sr.sys

Address: 0xB9ED9000

Size: 73728 bytes

Driver: pci.sys

Address: 0xB9F68000

Size: 69632 bytes

Driver: C:\WINDOWS\system32\DRIVERS\psched.sys

Address: 0xB8FEF000

Size: 69632 bytes

Driver: C:\WINDOWS\System32\Drivers\Cdfs.SYS

Address: 0xBA2B8000

Size: 65536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\cdrom.sys

Address: 0xB96E7000

Size: 65536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\serial.sys

Address: 0xB9707000

Size: 65536 bytes

Driver: C:\WINDOWS\system32\drivers\drmk.sys

Address: 0xBA1A8000

Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\redbook.sys

Address: 0xB96D7000

Size: 61440 bytes

Driver: C:\WINDOWS\system32\drivers\sysaudio.sys

Address: 0xA6C10000

Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbhub.sys

Address: 0xBA178000

Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS

Address: 0xBA0E8000

Size: 53248 bytes

Driver: C:\WINDOWS\system32\drivers\mfebopk.sys

Address: 0xA5616000

Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

Address: 0xBA128000

Size: 53248 bytes

Driver: VolSnap.sys

Address: 0xBA0C8000

Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS

Address: 0xBA218000

Size: 53248 bytes

Driver: C:\WINDOWS\system32\drivers\mfetdik.sys

Address: 0xBA1D8000

Size: 49152 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspptp.sys

Address: 0xBA148000

Size: 49152 bytes

Driver: C:\WINDOWS\System32\Drivers\Fips.SYS

Address: 0xBA1F8000

Size: 45056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\imapi.sys

Address: 0xB96F7000

Size: 45056 bytes

Driver: MountMgr.sys

Address: 0xBA0B8000

Size: 45056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspppoe.sys

Address: 0xBA138000

Size: 45056 bytes

Driver: isapnp.sys

Address: 0xBA0A8000

Size: 40960 bytes

Driver: C:\WINDOWS\system32\drivers\LMIRfsDriver.sys

Address: 0xA6C40000

Size: 40960 bytes

Driver: C:\WINDOWS\System32\Drivers\NDProxy.SYS

Address: 0xBA188000

Size: 40960 bytes

Driver: C:\WINDOWS\system32\DRIVERS\termdd.sys

Address: 0xBA168000

Size: 40960 bytes

Driver: disk.sys

Address: 0xBA0D8000

Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS

Address: 0xBA208000

Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\intelppm.sys

Address: 0xB9717000

Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\msgpc.sys

Address: 0xBA158000

Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\netbios.sys

Address: 0xBA1E8000

Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\wanarp.sys

Address: 0xBA2A8000

Size: 36864 bytes

Driver: C:\WINDOWS\System32\Drivers\Npfs.SYS

Address: 0xBA468000

Size: 32768 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbccgp.sys

Address: 0xBA378000

Size: 32768 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbehci.sys

Address: 0xBA408000

Size: 32768 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS

Address: 0xBA450000

Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\NuidFltr.sys

Address: 0xBA480000

Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS

Address: 0xBA328000

Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbprint.sys

Address: 0xBA470000

Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\kbdclass.sys

Address: 0xBA428000

Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mouclass.sys

Address: 0xBA430000

Size: 24576 bytes

Driver: C:\WINDOWS\System32\Drivers\rkhdrv40.SYS

Address: 0xBA4A0000

Size: 24576 bytes

Driver: C:\WINDOWS\System32\Drivers\TDTCP.SYS

Address: 0xBA4A8000

Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbuhci.sys

Address: 0xBA400000

Size: 24576 bytes

Driver: C:\WINDOWS\System32\drivers\vga.sys

Address: 0xBA458000

Size: 24576 bytes

Driver: C:\WINDOWS\System32\Drivers\Msfs.SYS

Address: 0xBA460000

Size: 20480 bytes

Driver: PartMgr.sys

Address: 0xBA330000

Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ptilink.sys

Address: 0xBA418000

Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspti.sys

Address: 0xBA420000

Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\TDI.SYS

Address: 0xBA410000

Size: 20480 bytes

Driver: C:\WINDOWS\System32\watchdog.sys

Address: 0xBA388000

Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\kbdhid.sys

Address: 0xA779C000

Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mssmbios.sys

Address: 0xB9D3B000

Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndisuio.sys

Address: 0xA75E5000

Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\serenum.sys

Address: 0xBA588000

Size: 16384 bytes

Driver: C:\WINDOWS\system32\BOOTVID.dll

Address: 0xBA4B8000

Size: 12288 bytes

Driver: C:\WINDOWS\System32\drivers\Dxapi.sys

Address: 0xA7794000

Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\hidusb.sys

Address: 0xB8236000

Size: 12288 bytes

Driver: C:\WINDOWS\System32\Drivers\i2omgmt.SYS

Address: 0xB8FB0000

Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mouhid.sys

Address: 0xB822E000

Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndistapi.sys

Address: 0xBA58C000

Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rasacd.sys

Address: 0xB8FA8000

Size: 12288 bytes

Driver: 00000018

Address: 0xBA5A8000

Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\Beep.SYS

Address: 0xBA5DA000

Size: 8192 bytes

Driver: dmload.sys

Address: 0xBA5AE000

Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xBA642000

Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS

Address: 0xBA5D8000

Size: 8192 bytes

Driver: intelide.sys

Address: 0xBA5AC000

Size: 8192 bytes

Driver: C:\WINDOWS\system32\KDCOM.DLL

Address: 0xBA5A8000

Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\mnmdd.SYS

Address: 0xBA5DC000

Size: 8192 bytes

Driver: C:\Program Files\LogMeIn\x86\RaInfo.sys

Address: 0xBA66E000

Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys

Address: 0xBA5DE000

Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\swenum.sys

Address: 0xBA5D2000

Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBD.SYS

Address: 0xBA5D4000

Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS

Address: 0xBA5AA000

Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\audstub.sys

Address: 0xBA79F000

Size: 4096 bytes

Driver: C:\WINDOWS\System32\drivers\dxgthk.sys

Address: 0xBA707000

Size: 4096 bytes

Driver: C:\WINDOWS\system32\DRIVERS\lmimirr.sys

Address: 0xBA79E000

Size: 4096 bytes

Driver: C:\WINDOWS\System32\Drivers\Null.SYS

Address: 0xBA776000

Size: 4096 bytes

Driver: pciide.sys

Address: 0xBA670000

Size: 4096 bytes

!!!!!!!!!!!Hidden driver: 00000056

Loaded from:

Address: 0x8AA18053

Size: 4013 bytes

==============================================

>Stealth

Unknown page with executable code

Address: 0x8AA1A58F

Size: 2673

Unknown page with executable code

Address: 0x8AA18053

Size: 4013

[RPMcMurphy]

Hello and welcome. Please follow these guidelines while we work on your PC:

• Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  
• Please do not run any scans or install/uninstall any applications without being directed to do so.
  
• Any underlined text in my posts indicates a clickable link.
  
• If you have any questions at all, please stop and ask before proceeding.

Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.scr

DDS.com

DDS.pif

• Disable any script blocking protection (How to Disable your Security Programs)
  
• Double click DDS icon to run the tool (may take up to 3 minutes to run)
  
• When done, DDS.txt will open.
  
• After a few moments, attach.txt will open in a second window.
  
• Save both reports to your desktop.
  

---------------------------------------------------

• Post the contents of the DDS.txt report in your next reply
  
• Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.

Download GMER Rootkit Scanner from here to your desktop.

• Double click the exe file. If asked to allow gmer.sys driver to load, please consent .
  
• If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  
  Click the image to enlarge it
  
• In the right panel, you will see several boxes that have been checked. Uncheck the following ...
  • IAT/EAT
    
  • Drives/Partition other than Systemdrive (typically C:\)
    
  • Show All (don't miss this one)
    

  [*] Then click the Scan button & wait for it to finish.

  [*] Once done click on the [save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.

  [*]Save it where you can easily find it, such as your desktop, and post it in reply.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

If you have trouble running GEMR:

• Make sure that your security software is disabled
  
• Uncheck the box next to "Files" this time also
  
• If you still can't run it, try in the Safe Mode

Please include the following in your next post:

• DDS.txt and Attach.txt logs
  
• GMER log

[LDTate]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!