Google redirect and/or rootkit


Recently I have been battling a series of viruses on my computer and thought I had them beat after downloading Malwarebytes. I had the hotfix.exe problem, and it fixed that one. Found a few Trojans and the other usual suspects and thought that was it. But other problems persisted, such as redirects on Google and super long shutdown cycles.

I have already run GMER and Rootkit Unhooker. Here are the logs.

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-10-05 19:47:25

Windows 5.1.2600 Service Pack 3

Running: h3uiv36o.exe; Driver: C:\DOCUME~1\Emily\LOCALS~1\Temp\fgdoapod.sys

---- System - GMER 1.0.15 ----

SSDT spuv.sys ZwCreateKey [0xF741C0E0]

SSDT spuv.sys ZwEnumerateKey [0xF7434DA4]

SSDT spuv.sys ZwEnumerateValueKey [0xF7435132]

SSDT spuv.sys ZwOpenKey [0xF741C0C0]

SSDT spuv.sys ZwQueryKey [0xF743520A]

SSDT spuv.sys ZwQueryValueKey [0xF743508A]

SSDT spuv.sys ZwSetValueKey [0xF743529C]

INT 0x63 ? 82FDABF8

INT 0x73 ? 82E6EF00

INT 0x82 ? 82FDABF8

INT 0x83 ? 82E6EF00

INT 0x83 ? 82E6EF00

INT 0x83 ? 82E6EF00

INT 0x83 ? 82E6EF00

INT 0xA4 ? 82E6EF00

INT 0xB4 ? 82E6EF00

INT 0xB4 ? 82E6EF00

INT 0xB4 ? 82E6EF00

---- Kernel code sections - GMER 1.0.15 ----

? spuv.sys The system cannot find the file specified. !

.text USBPORT.SYS!DllUnload F31D18AC 5 Bytes JMP 82E6E4E0

.text aag4abxz.SYS F30D7386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]

.text aag4abxz.SYS F30D73AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]

.text aag4abxz.SYS F30D73C4 3 Bytes [00, 80, 02]

.text aag4abxz.SYS F30D73C9 1 Byte [30]

.text aag4abxz.SYS F30D73C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}

.text ...

.rsrc C:\WINDOWS\system32\DRIVERS\mouclass.sys entry point in ".rsrc" section [0xF78FB814]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[184] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C4000A

.text C:\WINDOWS\Explorer.EXE[184] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DE000A

.text C:\WINDOWS\Explorer.EXE[184] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C3000C

.text C:\WINDOWS\Explorer.EXE[280] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C2000A

.text C:\WINDOWS\Explorer.EXE[280] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D4000A

.text C:\WINDOWS\Explorer.EXE[280] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C1000C

.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D2000A

.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D3000A

.text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006F000C

.text C:\WINDOWS\system32\svchost.exe[1180] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01C8000A

.text C:\WINDOWS\system32\svchost.exe[1180] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00FF000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[1232] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01C2000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[1232] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01C3000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[1232] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 01C1000C

.text C:\Program Files\Mozilla Firefox\firefox.exe[1232] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

.text C:\Program Files\Mozilla Firefox\firefox.exe[1376] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01A0000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[1376] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 01A1000A

.text C:\Program Files\Mozilla Firefox\firefox.exe[1376] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 018F000C

.text C:\Program Files\Mozilla Firefox\firefox.exe[1376] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1384] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 103FDDE0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1724] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 103FDDE0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82FD91F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{6ABF5AC6-69F2-4D33-B1D8-409D661D120E} 823FB1F8

Device \Driver\usbohci \Device\USBPDO-0 82E561F8

Device \Driver\usbohci \Device\USBPDO-1 82E561F8

Device \Driver\usbohci \Device\USBPDO-2 82E561F8

Device \Driver\usbehci \Device\USBPDO-3 82E751F8

Device \Driver\usbohci \Device\USBPDO-4 82E561F8

Device \Driver\usbohci \Device\USBPDO-5 82E561F8

Device \Driver\usbehci \Device\USBPDO-6 82E751F8

Device \Driver\Ftdisk \Device\HarddiskVolume1 82F6C1F8

Device \Driver\Cdrom \Device\CdRom0 82E701F8

Device \Driver\Cdrom \Device\CdRom1 82E701F8

Device \Driver\atapi \Device\Ide\IdePort0 [F7396B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort1 [F7396B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdePort2 [F7396B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-10 [F7396B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}

Device \Driver\NetBT \Device\NetBt_Wins_Export 823FB1F8

Device \Driver\PCI_PNP2374 \Device\0000003f spuv.sys

Device \Driver\NetBT \Device\NetBT_Tcpip_{90DF2E26-0480-4F5A-A38D-23456751C6FC} 823FB1F8

Device \Driver\NetBT \Device\NetbiosSmb 823FB1F8

Device \Driver\usbohci \Device\USBFDO-0 82E561F8

Device \Driver\usbohci \Device\USBFDO-1 82E561F8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 823F71F8

Device \Driver\usbehci \Device\USBFDO-2 82E751F8

Device \FileSystem\MRxSmb \Device\LanmanRedirector 823F71F8

Device \Driver\usbohci \Device\USBFDO-3 82E561F8

Device \Driver\usbohci \Device\USBFDO-4 82E561F8

Device \Driver\Ftdisk \Device\FtControl 82F6C1F8

Device \Driver\usbehci \Device\USBFDO-5 82E751F8

Device \Driver\usbohci \Device\USBFDO-6 82E561F8

Device \Driver\sptd \Device\24462374 spuv.sys

Device \Driver\aag4abxz \Device\Scsi\aag4abxz1 82E771F8

Device \Driver\aag4abxz \Device\Scsi\aag4abxz1Port3Path0Target0Lun0 82E771F8

Device \FileSystem\Cdfs \Cdfs 823BF1F8

Device -> \Driver\atapi \Device\Harddisk0\DR0 82D9FEC5

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x34 0xF5 0x6F 0x07 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x75 0xA1 0x2D 0x1D ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x49 0x28 0x8C 0xBC ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2F 0xD8 0xEF 0x8C ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x75 0xA1 0x2D 0x1D ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x49 0x28 0x8C 0xBC ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\mouclass.sys suspicious modification

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #2

==============================================

>SSDT State

==============================================

ntkrnlpa.exe-->NtCreateKey, Type: Address change 0x806237C8-->F73690E0 [spgh.sys]

ntkrnlpa.exe-->NtEnumerateKey, Type: Address change 0x80624014-->F7381DA4 [spgh.sys]

ntkrnlpa.exe-->NtEnumerateValueKey, Type: Address change 0x8062427E-->F7382132 [spgh.sys]

ntkrnlpa.exe-->NtOpenKey, Type: Address change 0x80624BA6-->F73690C0 [spgh.sys]

ntkrnlpa.exe-->NtQueryKey, Type: Address change 0x80624EE8-->F738220A [spgh.sys]

ntkrnlpa.exe-->NtQueryValueKey, Type: Address change 0x806219EC-->F738208A [spgh.sys]

ntkrnlpa.exe-->NtSetValueKey, Type: Address change 0x80621D3A-->F738229C [spgh.sys]

==============================================

>Shadow

==============================================

==============================================

>Processes

==============================================

0x831C6A00 [4] System

0x81C5EDA0 [308] C:\Program Files\Bonjour\mDNSResponder.exe (Apple Inc., Bonjour Service)

0x82D61398 [444] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)

0x81B6B440 [536] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)

0x81CC1C68 [600] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc., iTunesHelper)

0x81B8C550 [616] C:\Program Files\HP\HP Software Update\hpwuSchd2.exe (Hewlett-Packard Co., Hewlett-Packard Product Assistant)

0x81CC8BD0 [676] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc., Java Update Scheduler)

0x81C36DA0 [732] C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co., HP Digital Imaging Monitor)

0x81B64DA0 [748] C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc., Java Quick Starter Service)

0x82D00BC0 [780] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)

0x82C9A9E0 [816] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)

0x82F05BC0 [864] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)

0x82CE6308 [876] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))

0x82C9B800 [1000] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated, Adobe Reader and Acrobat Manager)

0x81B49808 [1004] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe (Advanced Micro Devices Inc., Catalyst Control Center: Monitoring program)

0x82BE6DA0 [1044] C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc., ATI External Event Utility EXE Module)

0x82C4F9E0 [1068] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)

0x82D94BC0 [1144] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)

0x82CF3DA0 [1188] C:\Program Files\Microsoft Security Essentials\MsMpEng.exe (Microsoft Corporation, AntiMalware Service Executable)

0x81D03460 [1288] C:\Program Files\CDBurnerXP\NMSAccessU.exe

0x81DF5BC0 [1368] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)

0x81DF4AE8 [1428] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)

0x81DE66A0 [1468] C:\WINDOWS\system32\ati2evxx.exe (ATI Technologies Inc., ATI External Event Utility EXE Module)

0x81CFE4E8 [1584] C:\WINDOWS\RTHDCPL.EXE (Realtek Semiconductor Corp., Realtek HD Audio Control Panel)

0x81B5BDA0 [1604] C:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation, Microsoft Security Essentials User Interface)

0x81BDC228 [1680] C:\Program Files\Mozilla Firefox\plugin-container.exe (Mozilla Corporation, Plugin Container for Firefox)

0x81BD1800 [1708] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)

0x81D309E0 [1856] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)

0x81C3A620 [1864] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation, CTF Loader)

0x81D28610 [2024] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Inc., Apple Mobile Device Service)

0x81BC17F8 [2036] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)

0x81D9FAF8 [2792] C:\Program Files\iPod\bin\iPodService.exe (Apple Inc., iPodService Module (32-bit))

0x81DFF020 [3124] C:\WINDOWS\system32\alg.exe (Microsoft Corporation, Application Layer Gateway Service)

0x81B04768 [3188] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe (ATI Technologies Inc., Catalyst Control Centre: Host application)

0x81E6ADA0 [3544] C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe (Hewlett-Packard Co., HP CUE Status Root)

0x81D0E158 [3600] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)

0x81BB59F0 [3688] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)

0x81C3C9F0 [3860] C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation, Windows Update)

0x81B59270 [3916] C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation, Firefox)

0x81E6F020 [3936] C:\Documents and Settings\Emily\Desktop\RKUnhookerLE.EXE (UG North, RKULE, SR2 Normandy)

==============================================

>Drivers

==============================================

0xA1D89000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 6123520 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)

0xF26BC000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 4452352 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)

0xAE46E000 C:\WINDOWS\system32\drivers\RtKHDMI.sys 3735552 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)

0xBF1EE000 C:\WINDOWS\System32\ati3duag.dll 3014656 bytes (ATI Technologies Inc. , ati3duag.dll)

0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2150400 bytes

0x804D7000 RAW 2150400 bytes

0x804D7000 WMIxWDM 2150400 bytes

0xBF4CE000 C:\WINDOWS\System32\ativvaxx.dll 2142208 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)

0xBF800000 Win32k 1855488 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xF7368000 PCI_PNP3980 995328 bytes

0xF7368000 spgh.sys 995328 bytes

0xF7368000 sptd 995328 bytes

0xBF068000 C:\WINDOWS\System32\ati2cqag.dll 651264 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)

0xF7204000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xBF107000 C:\WINDOWS\System32\atikvmag.dll 552960 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)

0xF2590000 C:\WINDOWS\system32\DRIVERS\A3AB.sys 548864 bytes (D-Link Corporation, Driver for D-Link Wireless Network Adapter)

0xA1B7F000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xBF18E000 C:\WINDOWS\System32\atiok3x2.dll 393216 bytes (ATI Technologies Inc., Ring 0 x2 component)

0xF24D1000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xA1CB2000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0x9E82C000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)

0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 352256 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)

0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0x9E338000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xF2557000 C:\WINDOWS\System32\Drivers\an6okio2.SYS 233472 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0xF7322000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0x9EBE0000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xF71D7000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xA1C17000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xF2680000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)

0xA1C8A000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xA1C64000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)

0xAE44A000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xF2639000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xF2616000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xA1D3E000 C:\WINDOWS\system32\DRIVERS\MpFilter.sys 143360 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)

0xF265D000 C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys 143360 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )

0xA1C42000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0x806E4000 ACPI_HAL 134400 bytes

0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xF72BA000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xF72F2000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xF71BD000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xF72DA000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0xF7350000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)

0xF7291000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xF2540000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0x9EB53000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)

0xF26A8000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)

0xA1D0B000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)

0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)

0xF72A8000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)

0xF7311000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0xF252F000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)

0xF772C000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)

0xF77BC000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)

0xF767C000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0xF77CC000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)

0xF778C000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)

0xF768C000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)

0xF779C000 C:\WINDOWS\system32\DRIVERS\AmdPPM.sys 53248 bytes (Advanced Micro Devices, AMD Processor Driver)

0xF759C000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)

0xF75DC000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)

0xF75EC000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xF757C000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0xF760C000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0xF76FC000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)

0xF77AC000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)

0xF756C000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)

0xF75FC000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0xF755C000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)

0xF764C000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)

0xF762C000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)

0xF758C000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)

0xF773C000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)

0xF761C000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)

0xF76DC000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)

0x9DF66000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)

0xF774C000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0xF7864000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)

0xF78B4000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0xF78C4000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)

0xF784C000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)

0xF77DC000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0xF7874000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)

0xF78BC000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)

0xF78CC000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)

0xF794C000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)

0xF7854000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0xF785C000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)

0xF77E4000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)

0xF793C000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)

0xF7944000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)

0xF7934000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)

0xF78AC000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)

0xF787C000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)

0xF7A1C000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)

0x9EF45000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)

0xF796C000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)

0xA2374000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)

0xF7A18000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)

0xA237C000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)

0xF7A50000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0xF2B07000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0xF7A4C000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)

0xF7AE2000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)

0xF7AE0000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)

0xF7A5C000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0xF7AE4000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)

0xF7AE6000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)

0xF7AD2000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0xF7AD6000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

0xF7A5E000 C:\WINDOWS\System32\Drivers\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0xF7B25000 amdide.sys 4096 bytes (Advanced Micro Devices, AMD PCI SATA/IDE Bus Driver)

0xF7C87000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)

0xF7BB1000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)

0xF7C4D000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)

0xF7B24000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

0x8316A1F8 unknown_irp_handler 3592 bytes

0x82EAC1F8 unknown_irp_handler 3592 bytes

0x831DC1F8 unknown_irp_handler 3592 bytes

0x82F281F8 unknown_irp_handler 3592 bytes

0x82FA01F8 unknown_irp_handler 3592 bytes

0x82E4E1F8 unknown_irp_handler 3592 bytes

0x82E6E340 unknown_irp_handler 3264 bytes

0x82F87500 unknown_irp_handler 2816 bytes

0x82C56500 unknown_irp_handler 2816 bytes

!!!!!!!!!!!Hidden driver: 0x82DB1AEA ?_empty_? 1302 bytes

0x82DB1EC5 unknown_irp_handler 315 bytes

!!!!!!!!!!!Hidden driver: 0x82FE8DA0 ?_empty_? 0 bytes

==============================================

>Stealth

==============================================

0xF72DA000 WARNING: suspicious driver modification [atapi.sys::0x82DB1AEA]

0x01160000 Hidden Image-->CLI.Foundation.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 102400 bytes

0x05820000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Wizard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 102400 bytes

0x05DE0000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Dashboard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 102400 bytes

0x04DC0000 Hidden Image-->CLI.Caste.Graphics.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 110592 bytes

0x01120000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x81B49808 ] PID: 1004, 118784 bytes

0x03CA0000 Hidden Image-->MOM.Implementation.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 118784 bytes

0x06700000 Hidden Image-->CLI.Component.Dashboard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 1224704 bytes

0x06420000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Wizard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 1740800 bytes

0x07140000 Hidden Image-->CLI.Aspect.MultiVPU2.Graphics.Dashboard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 176128 bytes

0x05D90000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Dashboard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 208896 bytes

0x05E70000 Hidden Image-->CLI.Aspect.InfoCentre.Graphics.Wizard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 217088 bytes

0xF794C000 WARNING: Virus alike driver modification [mouclass.sys], 24576 bytes

0x06CF0000 Hidden Image-->CLI.Aspect.CrossDisplay.Graphics.Dashboard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 282624 bytes

0x012F0000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x81B49808 ] PID: 1004, 28672 bytes

0x01510000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x81B49808 ] PID: 1004, 28672 bytes

0x01180000 Hidden Image-->LOG.Foundation.Implementation.Private.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x01150000 Hidden Image-->MOM.Foundation.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x03DA0000 Hidden Image-->CLI.Component.Runtime.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x04160000 Hidden Image-->AEM.Plugin.DPPE.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x04180000 Hidden Image-->AEM.Server.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x04580000 Hidden Image-->DEM.Graphics.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x04450000 Hidden Image-->AEM.Plugin.WinMessages.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x04420000 Hidden Image-->AEM.Plugin.Hotkeys.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x04570000 Hidden Image-->DEM.Foundation.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x04E20000 Hidden Image-->AEM.Plugin.GD.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x04DF0000 Hidden Image-->DEM.Graphics.I0709.dll [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x04E60000 Hidden Image-->ResourceManagement.Foundation.Private.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x04E40000 Hidden Image-->AEM.Actions.CCAA.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x04F90000 Hidden Image-->DEM.Graphics.I0804.dll [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x050F0000 Hidden Image-->CLI.Caste.Graphics.Runtime.Shared.Private.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x05130000 Hidden Image-->APM.Foundation.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x05180000 Hidden Image-->CLI.Component.Runtime.Extension.EEU.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x05160000 Hidden Image-->AEM.Plugin.REG.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x051B0000 Hidden Image-->AEM.Plugin.EEU.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x051D0000 Hidden Image-->CLI.Component.Client.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x051E0000 Hidden Image-->CLI.Component.Wizard.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x05290000 Hidden Image-->DEM.Graphics.I0706.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x05250000 Hidden Image-->DEM.Graphics.I0805.dll [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x05300000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x052F0000 Hidden Image-->CLI.Aspect.HotkeysHandling.Graphics.Runtime.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x05510000 Hidden Image-->DEM.Graphics.I0712.dll [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x05530000 Hidden Image-->DEM.Graphics.I0812.dll [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x055E0000 Hidden Image-->DEM.Graphics.I0703.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x05850000 Hidden Image-->atixclib.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x05D40000 Hidden Image-->CLI.Component.Dashboard.Shared.Private.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x05E20000 Hidden Image-->CLI.Caste.Graphics.Wizard.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x05D70000 Hidden Image-->CLI.Caste.Graphics.Dashboard.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 28672 bytes

0x01530000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x81B49808 ] PID: 1004, 307200 bytes

0x011C0000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x81B04768 ] PID: 3188, 307200 bytes

0x06E10000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Dashboard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 339968 bytes

0x04D50000 Hidden Image-->CLI.Caste.Graphics.Runtime.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 348160 bytes

0x03C00000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x81B49808 ] PID: 1004, 36864 bytes

0x041A0000 Hidden Image-->Interop.WBOCXLib.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 36864 bytes

0x03CF0000 Hidden Image-->CLI.Foundation.XManifest.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 36864 bytes

0x03D80000 Hidden Image-->AxInterop.WBOCXLib.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 36864 bytes

0x03E40000 Hidden Image-->NEWAEM.Foundation.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 36864 bytes

0x05230000 Hidden Image-->CLI.Aspect.CustomFormats.Graphics.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 36864 bytes

0x051F0000 Hidden Image-->CLI.Component.Wizard.Shared.Private.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 36864 bytes

0x05350000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 36864 bytes

0x05320000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 36864 bytes

0x054B0000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 36864 bytes

0x05670000 Hidden Image-->CLI.Aspect.MultiVPU2.Graphics.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 36864 bytes

0x05D30000 Hidden Image-->CLI.Component.Dashboard.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 36864 bytes

0x06DB0000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Dashboard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 372736 bytes

0x06D40000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Dashboard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 405504 bytes

0x05CB0000 Hidden Image-->CLI.Component.Wizard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 413696 bytes

0x059B0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Wizard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 421888 bytes

0x06C30000 Hidden Image-->CLI.Aspect.DisplaysManager.Graphics.Dashboard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 421888 bytes

0x011C0000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x81B49808 ] PID: 1004, 45056 bytes

0x01150000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x81B49808 ] PID: 1004, 45056 bytes

0x03BD0000 Hidden Image-->CCC.Implementation.DLL [ EPROCESS 0x81B49808 ] PID: 1004, 45056 bytes

0x03DC0000 Hidden Image-->ATICCCom.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 45056 bytes

0x01120000 Hidden Image-->CCC.Implementation.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 45056 bytes

0x01140000 Hidden Image-->LOG.Foundation.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 45056 bytes

0x01220000 Hidden Image-->LOG.Foundation.Private.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 45056 bytes

0x052B0000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 45056 bytes

0x054C0000 Hidden Image-->CLI.Aspect.DeviceProperty.Graphics.Runtime.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 45056 bytes

0x05330000 Hidden Image-->CLI.Aspect.DisplaysOptions.Graphics.Runtime.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 45056 bytes

0x05490000 Hidden Image-->CLI.Aspect.DeviceLCD.Graphics.Runtime.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 45056 bytes

0x04590000 Hidden Image-->ATIDEMGX.dll [ EPROCESS 0x81B04768 ] PID: 3188, 454656 bytes

0x06130000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Wizard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 503808 bytes

0x03D90000 Hidden Image-->CLI.Foundation.Private.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 53248 bytes

0x03D60000 Hidden Image-->CLI.Component.Runtime.Shared.Private.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 53248 bytes

0x03E30000 Hidden Image-->AEM.Server.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 53248 bytes

0x041C0000 Hidden Image-->AEM.Plugin.Source.Kit.Server.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 53248 bytes

0x04560000 Hidden Image-->DEM.Graphics.I0601.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 53248 bytes

0x051C0000 Hidden Image-->CLI.Component.Client.Shared.Private.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 53248 bytes

0x05220000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 53248 bytes

0x05310000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Runtime.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 53248 bytes

0x05460000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Runtime.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 53248 bytes

0x05610000 Hidden Image-->CLI.Aspect.MultiVPU2.Graphics.Runtime.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 53248 bytes

0x05800000 Hidden Image-->CLI.Caste.Graphics.Wizard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 53248 bytes

0x05D80000 Hidden Image-->CLI.Aspect.Welcome.Graphics.Dashboard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 53248 bytes

0x05E40000 Hidden Image-->CLI.Aspect.TransCode.Graphics.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 53248 bytes

0x05B20000 Hidden Image-->CLI.Component.Systemtray.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 561152 bytes

0x06E70000 Hidden Image-->CLI.Aspect.DisplaysColour2.Graphics.Dashboard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 585728 bytes

0x05470000 Hidden Image-->CLI.Aspect.DeviceCRT.Graphics.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 61440 bytes

0x054A0000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 61440 bytes

0x05660000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 61440 bytes

0x057E0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 61440 bytes

WARNING: File locked for read access [C:\WINDOWS\system32\drivers\sptd.sys]

0x070A0000 Hidden Image-->CLI.Aspect.OverDrive5.Graphics.Dashboard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 651264 bytes

0x05ED0000 Hidden Image-->ResourceManagement.Foundation.Implementation.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 659456 bytes

0x03CC0000 Hidden Image-->CLI.Component.SkinFactory.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 69632 bytes

0x03D40000 Hidden Image-->CLI.Component.Runtime.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 69632 bytes

0x03E00000 Hidden Image-->ADL.Foundation.dll [ EPROCESS 0x81B04768 ] PID: 3188, 69632 bytes

0x05100000 Hidden Image-->APM.Server.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 69632 bytes

0x054E0000 Hidden Image-->CLI.Aspect.DeviceDFP.Graphics.Runtime.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 69632 bytes

0x055B0000 Hidden Image-->CLI.Aspect.OverDrive5.Graphics.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 69632 bytes

0x05780000 Hidden Image-->CLI.Aspect.Radeon3D.Graphics.Runtime.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 69632 bytes

0x011D0000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x81B49808 ] PID: 1004, 77824 bytes

0x01190000 Hidden Image-->LOG.Foundation.Implementation.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 77824 bytes

0x05200000 Hidden Image-->CLI.Aspect.DeviceCV.Graphics.Runtime.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 77824 bytes

0x052C0000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Shared.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 77824 bytes

0x06FD0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Dashboard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 790528 bytes

0x05260000 Hidden Image-->CLI.Aspect.DeviceTV.Graphics.Runtime.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 86016 bytes

0x05560000 Hidden Image-->CLI.Aspect.OverDrive5.Graphics.Runtime.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 86016 bytes

0x05D50000 Hidden Image-->CLI.Caste.Graphics.Dashboard.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 86016 bytes

0x057B0000 Hidden Image-->CLI.Aspect.MMVideo.Graphics.Runtime.DLL [ EPROCESS 0x81B04768 ] PID: 3188, 94208 bytes

==============================================

>Files

==============================================

==============================================

>Hooks

==============================================

ntkrnlpa.exe+0x0006ECBE, Type: Inline - RelativeJump 0x80545CBE-->80545CC5 [ntkrnlpa.exe]

[1680]plugin-container.exe-->user32.dll-->TrackPopupMenu, Type: Inline - RelativeJump 0x7E46531E-->00000000 [xul.dll]

[2036]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]

[2036]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]

[2036]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]

[2036]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]

[2036]explorer.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]

[2036]explorer.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]

[2036]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]

[2036]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[2036]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]

[2036]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]

[2036]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]

[3368]svchost.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]

[3368]svchost.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]

[3368]svchost.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]

[3368]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]

[3368]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[3368]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]

[3916]firefox.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]

[3916]firefox.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]

[3916]firefox.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]

[3916]firefox.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]

[3916]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C9163C3-->00000000 [firefox.exe]

[3916]firefox.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[3916]firefox.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]

!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

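A first-pass triage of the `>Hooks` section above, as an added example that is not part of the original post and is not Rootkit Unhooker's own code. The parser handles the line shapes RkU printed here (an optional `[pid]process-->` prefix, the hooked site, the hook type, source and destination addresses, and the module in square brackets that owns the code the hook lands in). The severity rules are this example's own heuristics, not RkU's: code that lives in `unknown_code_page` (memory not backed by any mapped module) is rated high, `shimeng.dll` import-table patches (the Application Compatibility shim engine) and a process hooking its own image are rated low. It also reports which unknown-code hooks recur across different PIDs; the same three `mswsock.dll` offsets and the same `ntdll.dll` hooks in explorer.exe, svchost.exe and firefox.exe is the pattern of one injected component, and mswsock.dll is the Winsock provider, so such hooks are in a position to tamper with name resolution and HTTP. Some HIPS and sandboxing products plant similar hooks, so confirm by dumping the target region before treating it as malware. The embedded report is a constructed excerpt of the lines quoted in the post.

```python
"""Triage helper for Rootkit Unhooker (RkU) text reports.

Added example; not part of the forum thread and not RkU's own code.  The
severity rules below are illustrative heuristics, and SAMPLE_REPORT is a
constructed excerpt of the hook lines pasted in the thread.
"""
import re
from collections import defaultdict

HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\](?P<proc>.+?)-->)?"         # optional "[pid]process-->"
    r"(?P<target>.+?), Type: (?P<type>.+?) "           # hooked site, hook kind
    r"0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) "  # patched address, destination
    r"\[(?P<owner>[^\]]+)\]$"                           # module owning the hook code
)

SAMPLE_REPORT = """\
ntkrnlpa.exe+0x0006ECBE, Type: Inline - RelativeJump 0x80545CBE-->80545CC5 [ntkrnlpa.exe]
[2036]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[2036]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[2036]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[3368]svchost.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[3368]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[3916]firefox.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[3916]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C9163C3-->00000000 [firefox.exe]
[3916]firefox.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
"""


def parse_hooks(text):
    """Return one dict per hook line; lines that do not match the format are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            h = m.groupdict()
            h["pid"] = int(h["pid"]) if h["pid"] else None  # None = kernel-mode hook
            hooks.append(h)
    return hooks


def rate(hook):
    """Heuristic severity based on who owns the code the hook jumps into."""
    owner = hook["owner"].lower()
    proc = (hook["proc"] or "").lower()
    if owner == "unknown_code_page":
        # Destination is not backed by any mapped module: typical of injected
        # code, although some HIPS/sandbox products behave the same way.
        return "high"
    if owner == "shimeng.dll" and hook["type"].startswith("IAT"):
        # The AppCompat shim engine patches import tables by design.
        return "low"
    if proc and owner == proc:
        return "low"  # process hooking itself (e.g. a DLL-blocklist hook)
    first_module = hook["target"].split("-->")[0].split("+")[0].lower()
    if owner == first_module:
        return "low"  # jump stays inside the hooked module
    return "medium"


def shared_unknown_hooks(hooks):
    """Map each unknown-code hook site to the PIDs it appears in (only sites seen
    in more than one process).  One site set recurring in unrelated processes
    points at a single injected component."""
    seen = defaultdict(set)
    for h in hooks:
        if h["owner"] == "unknown_code_page" and h["pid"] is not None:
            seen[f"{h['target']} [{h['type']}]"].add(h["pid"])
    return {site: sorted(pids) for site, pids in seen.items() if len(pids) > 1}


def triage(text):
    """Summarise a report: hook count, count per severity, cross-process sites."""
    hooks = parse_hooks(text)
    counts = defaultdict(int)
    for h in hooks:
        counts[rate(h)] += 1
    return {
        "hooks": len(hooks),
        "by_severity": dict(counts),
        "shared": shared_unknown_hooks(hooks),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

Paste the full `>Hooks` block from a report into `SAMPLE_REPORT` (or read it from a file) to run it over the real log; the kernel-mode line without a `[pid]` prefix is parsed too and keeps `pid` as `None`.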

Hi and Welcome,

You have Daemon Tools installed so you need to run Defogger before we can proceed.

Please follow the disabling instructions in this topic:

http://www.bleepingcomputer.com/forums/topic293569.html

Make files and folders visible:

Click Start > Open "My Computer"

Select the Tools menu and click "Folder Options."

Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.

Uncheck: Hide file extensions for known file types

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.

=================

Download Microsoft's Malicious Software Removal Tool (MSRT) to your desktop

Save and rename it as you download it to iexplore.exe

Double-click iexplore.exe on your Desktop to run it

In the "Scan Type" window, select Full Scan

Perform the scan and then click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Click on Start, Run

2) Type or Copy/Paste the following command to the "Run Line" and Press Enter

notepad c:\windows\debug\mrt.log

Please Run ComboFix by following the steps provided in exactly this sequence:

Here is a tutorial that describes more thoroughly how to download, install and run Combofix; please review it:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very important! Before downloading Combofix, temporarily disable the real-time protection of your antivirus and antimalware programs, any script-blocking components they have, and your firewall. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

Using ComboFix ->

I want you to rename Combofix.exe as you download it to rayman.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted, save the file to your desktop and rename it anything with an .exe extension on the end.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. To Launch Combofix

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\rayman.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang. Do not proceed with the rest of the fix if you fail to run ComboFix.

Please post C:\ComboFix.txt in your next reply.

-------------------

Please copy/paste the following into your next reply:

c:\windows\debug\mrt.log

C:\Combofix.txt


It's not your fault, but I got impatient. Sorry! After doing some research about my problem and discovering how common it is, I downloaded ComboFix, ran it, and just finished reading over the report. I also ran TDSSKiller and it didn't find anything. My ComboFix log is attached so you can see what it found. Thank you so much for your help!

ComboFixlog.txt


While I go over your Combofix log:

Disable Spybot's TeaTimer or any fixes we make may be reversed. This is a two step process.

First:

- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)

- Choose Exit Spybot S&D Resident

Second:

- Open Spybot S&D

- Click Mode, check Advanced Mode

- Go To Left Panel, Click Tools, then also in left panel, click Resident

Uncheck the following: Resident "TeaTimer" (Protection of over-all system settings) Active.

You can re-enable it AFTER we're completely finished!

Please run the MSRT as instructed above, too, and post the log!

Run an MBAM scan and post the log.
