Please Help! MWB, Hijack This and ComboFix won't run..

SIR CHEECH · August 11, 2009

Hi,

I really appreciate any help or guidance you might be able to give me in regards to my infected computer. I cannot get MWB to run or update, nor will Hijack This or ComboFix run.

The initial clue that my computer was infected was that, google links were not opening properly in new windows in addition to strange music playing in the background. I did find a process running called a.exe, when i stopped that process the music stopped. I then I did a windows search for a.exe and found nothing, so I tried a search with hidden files and found it in the system folder somewhere, I trashed a.exe so the music has stopped but the google linking problem persists. Upon reflection this may not have been the best course of action (i'll let you be the judge) but it seemed like a good idea at the time since the anti-virus and spyware programs I had at the time weren't doing the trick. I was using AVG Free and Spybot. Both have been removed to the best of my ability (uninstalled), i don't see their processes anymore in the task manager.

I have installed Avira AntiVir Personal and was able to update that and do a scan. Several rootkits were found, however, the google linking problem persists and I am still unable to run MWB, Hijack This or ComboFix. Windows Defender also won't update and crashes on launch. So from what I have read on other peoples posts, it seems like I am still infected, and I could really use some expert advice!

I have run DDS and Gmer and have logs from both of those which I will paste and/or attach below. I have also run RootRepeal to see if there were any CLB Rootkits (which there weren't). Many thanks in advance!!

-Matt

DDS.txt

DDS (Ver_09-07-30.01) - NTFSx86

Run by Matt at 8:48:26.50 on Tue 08/11/2009

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1367 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\CTHELPER.EXE

C:\Program Files\Western Digital Technologies\WD Win98 SE USB Disk Driver, v1.00.09\WD_SRT.EXE

C:\WINDOWS\system32\WDBtnMgr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Search Settings\SearchSettings.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TiVo\Desktop\TranscodingService.exe

C:\Program Files\TiVo\Desktop\TiVoNotify.exe

C:\Program Files\TiVo\Desktop\TiVoServer.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\PerSono\perstray.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Matt\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb128\SearchSettings.dll

mURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

BHO: SearchSettings Class: {e312764e-7706-43f1-8dab-fcdd2b1e416d} - c:\program files\search settings\kb128\SearchSettings.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [TranscodingService] "c:\program files\tivo\desktop\TranscodingService.exe" /auto

uRun: [TivoNotify] "c:\program files\tivo\desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

uRun: [TivoServer] "c:\program files\tivo\desktop\TiVoServer.exe" /service /registry /auto:TivoServer

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [CTHelper] CTHELPER.EXE

mRun: [CTxfiHlp] CTXFIHLP.EXE

mRun: [WD_SRT] "c:\program files\western digital technologies\wd win98 se usb disk driver, v1.00.09\WD_SRT.EXE"

mRun: [WD Button Manager] WDBtnMgr.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [searchSettings] c:\program files\search settings\SearchSettings.exe

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\perstray.lnk - c:\program files\persono\perstray.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

TCP: {54817278-1DFB-452A-A80D-FFC599070349} = 192.168.0.1,192.168.0.2

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\matt\applic~1\mozilla\firefox\profiles\1vyq02on.default\

FF - component: c:\program files\mozilla firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll

FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 viaraid;viaraid;c:\windows\system32\drivers\viaraid.sys [2005-2-10 72192]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-10 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-10 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-10 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-10 55656]

R2 uacFlt;Plantronics USB Audio Adapter EQ Filter Driver;c:\windows\system32\drivers\uacflt.sys [2008-8-10 21276]

R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2003-10-22 344800]

S2 gupdate1c9618821f3d326;Google Update Service (gupdate1c9618821f3d326);c:\program files\google\update\GoogleUpdate.exe [2008-12-18 133104]

S3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\commonfx.sys --> c:\windows\system32\drivers\COMMONFX.SYS [?]

S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\commonfx.sys --> c:\windows\system32\drivers\COMMONFX.SYS [?]

S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\ctaudfx.sys --> c:\windows\system32\drivers\CTAUDFX.SYS [?]

S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\ctaudfx.sys --> c:\windows\system32\drivers\CTAUDFX.SYS [?]

S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\cterfxfx.sys --> c:\windows\system32\drivers\CTERFXFX.SYS [?]

S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\cterfxfx.sys --> c:\windows\system32\drivers\CTERFXFX.SYS [?]

S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\ctsblfx.sys --> c:\windows\system32\drivers\CTSBLFX.SYS [?]

S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\ctsblfx.sys --> c:\windows\system32\drivers\CTSBLFX.SYS [?]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys --> c:\windows\system32\drivers\motport.sys [?]

=============== Created Last 30 ================

2009-08-11 08:46 <DIR> --d----- c:\program files\Trend Micro

2009-08-11 08:41 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-11 08:41 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-08-11 08:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-08-10 10:43 55,656 a------- c:\windows\system32\drivers\avgntflt.sys

2009-08-10 10:43 <DIR> --d----- c:\program files\Avira

2009-08-10 10:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira

2009-08-10 10:15 <DIR> --d----- c:\docume~1\matt\applic~1\Malwarebytes

2009-08-10 10:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-08-10 10:06 <DIR> --d----- c:\docume~1\matt\applic~1\Search Settings

2009-08-10 09:58 <DIR> --d----- c:\program files\Search Settings

2009-08-10 09:58 <DIR> --d----- c:\program files\Free Audio Pack

2009-08-09 12:35 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat

2009-08-07 10:39 <DIR> --d----- c:\documents and settings\matt\PrivacIE

2009-08-04 13:00 599,552 -c------ c:\windows\system32\dllcache\crypt32.dll

2009-08-04 13:00 177,664 -c------ c:\windows\system32\dllcache\wintrust.dll

2009-08-04 12:53 <DIR> --d----- c:\windows\system32\XPSViewer

2009-08-04 12:52 14,048 -------- c:\windows\system32\spmsg2.dll

2009-08-02 20:44 <DIR> --d----- c:\windows\system32\AGEIA

2009-08-02 20:44 <DIR> --d----- c:\program files\common files\Wise Installation Wizard

2009-08-02 20:30 <DIR> --d----- c:\program files\Codemasters

2009-08-02 18:40 <DIR> --d----- c:\docume~1\matt\applic~1\ArtificialStudios

2009-08-01 10:21 <DIR> --d----- c:\program files\iPod

2009-08-01 10:21 <DIR> --d----- c:\program files\iTunes

2009-08-01 10:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-23 19:57 41,872 a------- c:\windows\system32\xfcodec.dll

2009-07-12 20:13 <DIR> --d----- c:\program files\VideoLAN

2009-07-12 18:04 <DIR> --d----- c:\program files\VideoReDoTVSuite

2009-07-12 18:04 <DIR> --d----- c:\docume~1\matt\applic~1\VideoReDo-TVSuite

2009-07-12 16:11 <DIR> --d----- c:\program files\common files\TivoDecode

==================== Find3M ====================

2009-07-03 11:09 915,456 a------- c:\windows\system32\wininet.dll

2009-06-16 08:36 119,808 a------- c:\windows\system32\t2embed.dll

2009-06-16 08:36 81,920 a------- c:\windows\system32\fontsub.dll

2009-06-03 13:09 1,291,264 a------- c:\windows\system32\quartz.dll

2008-08-29 15:01 422,344 a------- c:\program files\setuplog.txt

============= FINISH: 8:48:48.59 ===============

SIR CHEECH · August 14, 2009

I have waited more than 48hrs without a reply to my issue. It seems like the helpers here are very busy, I would still very much appreciate any help you can give.

many thanks!!

SpySentinel · August 18, 2009

Hi SIR CHEECH,

Sorry for the delay, we have been very busy this last month in the Malware Forum.

You have a new variant of a nasty infection. This new variant blocks security programs from running.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".

[*]During the download, rename Combofix to Combo-Fix as follows:

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------

Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the "C:\Combo-Fix.txt" for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

SIR CHEECH · August 18, 2009

SpySentinel, Hello!

Thanks so much for the reply, it is much appreciated. I followed your instructions to the letter. Unfortunately, combofix doesn't seem to be running. The green progress bar shows, completes and then the programs seems to shut down, no windows appear of any kind.

Are there any alternative measures we could take? I'd rather not reinstall if at all possible.

Thanks again for your assistance!

SpySentinel · August 19, 2009

@SIR CHEECH

No worries, we will try to fix the issue without a reformat

Please download Win32kDiag.exe by AD to the desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report on your next reply:

@everyone else

Everyone else, please do not post to someones HJT thread. Please read Groups authorized to help with HJT logs

SIR CHEECH · August 19, 2009

Thanks for the continues support SpySentinel, please see Win32kDiag.exe log below.

Hope this helps!

Searching 'C:\WINDOWS'...

Cannot access: C:\WINDOWS\system32\MRT.exe

[1] 2009-07-29 18:49:14 24281536 C:\WINDOWS\system32\MRT.exe ()

Cannot access: C:\WINDOWS\system32\scecli.dll

[1] 2004-08-04 06:00:00 180224 C:\WINDOWS\$NtServicePackUninstall$\scecli.dll (Microsoft Corporation)

[1] 2008-04-13 18:12:05 181248 C:\WINDOWS\ServicePackFiles\i386\scecli.dll (Microsoft Corporation)

[1] 2008-04-13 18:12:05 60928 C:\WINDOWS\system32\scecli.dll ()

[2] 2008-04-13 18:12:05 181248 C:\WINDOWS\system32\sceclt.dll (Microsoft Corporation)

Finished!

SpySentinel · August 19, 2009

you're welcome.

We Need to remove Rootkits with RootRepeal

Download RootRepeal from the following location and save it to your desktop.
- Zip Mirrors (Recommended)

[*]Rar Mirrors - Only if you know what a RAR is and can extract it.

[*]Extract RootRepeal.exe from the archive.

[*]Open on your desktop.

[*]Click the tab.

[*]Click the button.

[*]Check all seven boxes:

[*]Push Ok

[*]Check the box for your main system drive (Usually C:), and press Ok.

[*]Allow RootRepeal to run a scan of your system. This may take some time.

[*]Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

SIR CHEECH · August 19, 2009

awesome, ran the scan and report is pasted below ,')

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/18 21:56

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name:

Image Path:

Address: 0xF746B000 Size: 98304 File Visible: No Signed: -

Status: -

Name:

Image Path:

Address: 0x00000000 Size: 0 File Visible: No Signed: -

Status: -

Name: dump_diskdump.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_diskdump.sys

Address: 0x9F976000 Size: 16384 File Visible: No Signed: -

Status: -

Name: dump_viaraid.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_viaraid.sys

Address: 0x9E276000 Size: 73728 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0x9B883000 Size: 49152 File Visible: No Signed: -

Status: -

Name: win32k.sys:1

Image Path: C:\WINDOWS\win32k.sys:1

Address: 0x9E569000 Size: 20480 File Visible: No Signed: -

Status: -

Name: win32k.sys:2

Image Path: C:\WINDOWS\win32k.sys:2

Address: 0xAC8D1000 Size: 61440 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: c:\recycler\s-1-5-21-1606980848-1965331169-682003330-1004\info2

Status: Size mismatch (API: 2420, Raw: 1620)

Path: C:\RECYCLER\S-1-5-21-1606980848-1965331169-682003330-1004\Dc3.exe

Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\scecli.dll

Status: Locked to the Windows API!

SSDT

-------------------

#: 025 Function Name: NtClose

Status: Hooked by "a347bus.sys" at address 0xf75bcaf8

#: 041 Function Name: NtCreateKey

Status: Hooked by "<unknown>" at address 0xa5d84466

#: 045 Function Name: NtCreatePagingFile

Status: Hooked by "a347bus.sys" at address 0xf75b0b00

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0xa5d8445c

#: 063 Function Name: NtDeleteKey

Status: Hooked by "<unknown>" at address 0xa5d8446b

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "<unknown>" at address 0xa5d84475

#: 071 Function Name: NtEnumerateKey

Status: Hooked by "a347bus.sys" at address 0xf75b1388

#: 073 Function Name: NtEnumerateValueKey

Status: Hooked by "a347bus.sys" at address 0xf75bcbf0

#: 098 Function Name: NtLoadKey

Status: Hooked by "<unknown>" at address 0xa5d8447a

#: 119 Function Name: NtOpenKey

Status: Hooked by "a347bus.sys" at address 0xf75bca74

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0xa5d84448

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0xa5d8444d

#: 160 Function Name: NtQueryKey

Status: Hooked by "a347bus.sys" at address 0xf75b13a8

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "a347bus.sys" at address 0xf75bcb46

#: 193 Function Name: NtReplaceKey

Status: Hooked by "<unknown>" at address 0xa5d84484

#: 204 Function Name: NtRestoreKey

Status: Hooked by "<unknown>" at address 0xa5d8447f

#: 241 Function Name: NtSetSystemPowerState

Status: Hooked by "a347bus.sys" at address 0xf75bc390

#: 247 Function Name: NtSetValueKey

Status: Hooked by "<unknown>" at address 0xa5d84470

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0xa5d84457

Stealth Objects

-------------------

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]

Process: System Address: 0x8a8219f0 Size: 11

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]

Process: System Address: 0x8a3edbd0 Size: 11

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CLOSE]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_READ]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_WRITE]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_EA]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_EA]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CLEANUP]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_SECURITY]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_POWER]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_QUOTA]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: a347scsi, IRP_MJ_PNP]

Process: System Address: 0x8a324008 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]

Process: System Address: 0x8a4b1e68 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]