Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Malware Posing as MS PC Defender/ Moved


  • Please log in to reply
21 replies to this topic

#1 Andrew59

Andrew59

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 20 April 2009 - 12:36 AM

Hi,

My PC has been compromised by a virus/malware posing as PC Defender and it has shut down the PC's ability to interface with the ISP internet connection. I went to another PC in the house to chat with Norton and unfortunately, they had no answers or fixes due to the ISP problem and their inability to remotely access the affected PC.

As I understand it from reading through various posts on websites, this intrusion is essentially online blackmail to purchase the hack's software. No where have I seen any one posting what my experience is with the ISP block and unfortunately even this site's download offer cannot be accomplished since there is no access to the internet possible on the affected PC.

Is there any one out here on this site authorized and capable of assisting me with the problem?

Thanks in advance to any and all responders!

BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,110 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:11:38 AM

Posted 20 April 2009 - 12:50 AM

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

PLEASE DO NOT NOW POST LOGS unless a log is specifically requested.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


animinionsmalltext.gif

#3 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:12:38 PM

Posted 20 April 2009 - 11:51 AM

I went to another PC in the house


We need to use a usb jump drive and that computer

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.


Now that the computer and the usb drive are immunized follow these instructions to download and transfer to the infected computer

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Please download Malwarebytes Anti-Malware (v1.36) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Chewy

No. Try not. Do... or do not. There is no try.

#4 Andrew59

Andrew59
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 21 April 2009 - 10:23 AM

DaChew,

Thanks for your assistance. Do you have any more advise concerning the failure to run mbam-seteup.exe from the infected computer? Pls advise either way. Thank you.

Best Regards, Andrew59

#5 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:12:38 PM

Posted 21 April 2009 - 10:27 AM

Try this to install MBAM

Try renaming the setup file to install.com

try installing in safe mode

here's a random renamer for the program if you can get it installed

http://kixhelp.com/wr/files/mb/randmbam.exe

http://www.gt500.org/malwarebytes/database.jsp
Chewy

No. Try not. Do... or do not. There is no try.

#6 Andrew59

Andrew59
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 21 April 2009 - 06:28 PM

Thanks. Got it installed by renaming BUT still no ability to run the application. Is this due to no access to the internet via the infected computer? I can pull up other programs not requiring internet access but nothing requiring internet. Your assistance is greatly appreciated.

A59

#7 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:12:38 PM

Posted 21 April 2009 - 06:35 PM

Move the two files from the bottom 2 links over to the infected computer, run thewm both and try to run MBAM again
Chewy

No. Try not. Do... or do not. There is no try.

#8 Andrew59

Andrew59
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 21 April 2009 - 09:11 PM

Chewy,

Bravo!!! The first link worked downloading in safe mode. I ran the application and cleaned up the crap (20 items). NOW, I have to figure out why internet access is the only part of the puzzle unsolved???? Any thoughts?

Thank you for your assistance again. You're help has been awesome!

drew59

#9 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:12:38 PM

Posted 21 April 2009 - 09:48 PM

When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.


Chewy

No. Try not. Do... or do not. There is no try.

#10 Andrew59

Andrew59
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 22 April 2009 - 12:53 AM

Malwarebytes' Anti-Malware 1.36
Database version: 2015
Windows 5.1.2600 Service Pack 2

04/21/09 5:19:24 PM
mbam-log-2009-04-21 (17-19-24).txt

Scan type: Quick Scan
Objects scanned: 92658
Time elapsed: 5 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 15
Registry Values Infected: 3
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\SYSTEM32\UACfkviwfusibumfpg.dll (Spyware.OnlineGames) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\wininetapp.wininet (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{b360243e-09e8-402f-8721-00b6798089ad} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4b66e1df-4de3-4cda-83b5-11673eadab0b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9692be2f-eb8f-49d9-a11c-c24c1ef734d5} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{39fc2065-c9c7-49cd-8942-44cc2dedc844} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39fc2065-c9c7-49cd-8942-44cc2dedc844} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\wininetapp.wininet.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{85e06077-c824-43d0-a8dc-5efb17bc348a} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{5937cd7f-1c0b-41e1-9075-60ebdf3c7d34} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WinPC Defender (Rogue.WinPCDefender) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysav (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5310986c-c8f0-44f3-910e-aaa3863b9a1c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.75,85.255.112.38 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ea219350-b25f-4304-b0a7-ca6c15d25c3f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.75,85.255.112.38 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{5310986c-c8f0-44f3-910e-aaa3863b9a1c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.75,85.255.112.38 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ea219350-b25f-4304-b0a7-ca6c15d25c3f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.75,85.255.112.38 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{5310986c-c8f0-44f3-910e-aaa3863b9a1c}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.75,85.255.112.38 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{ea219350-b25f-4304-b0a7-ca6c15d25c3f}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.75,85.255.112.38 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\SYSTEM32\UACfkviwfusibumfpg.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\Documents and Settings\ITDirector\Application Data\pcdefender.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\ieocx.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\ITDirector\Start Menu\WinPC Defender.LNK (Rogue.WinPCDefender) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.





















Malwarebytes' Anti-Malware 1.36
Database version: 2015
Windows 5.1.2600 Service Pack 2

04/21/09 5:30:29 PM
mbam-log-2009-04-21 (17-30-29).txt

Scan type: Quick Scan
Objects scanned: 16456
Time elapsed: 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#11 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:12:38 PM

Posted 22 April 2009 - 01:58 AM

This is a very nasty infection

http://rootrepeal.googlepages.com/

http://rootrepeal.googlepages.com/RootRepeal.zip

Just use the file tab at the bottom, scan and paste the report into a reply here please
Chewy

No. Try not. Do... or do not. There is no try.

#12 Andrew59

Andrew59
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 22 April 2009 - 12:01 PM

[quote name='DaChew' date='Apr 21 2009, 11:58 PM' post='1234069']
This is a very nasty infection

2 files- dump_atapi... and dump_WMIL... both stating in report NO on FILE VISABLE.

1 file- UACrkaavfsn..... stating YES on FILE HIDDEN

Will attach report in next reply. Drew59

#13 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:12:38 PM

Posted 22 April 2009 - 12:07 PM

You have to highlight the UACxxxxxxxxxxxsys file, right click and choose wipe, reboot them run a scan with an updated MBAM
Chewy

No. Try not. Do... or do not. There is no try.

#14 DaChew

DaChew

    Visiting Alien


  • Members
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:12:38 PM

Posted 22 April 2009 - 12:18 PM

Repeat the rootrepeal scan with file mode not driver mode
Chewy

No. Try not. Do... or do not. There is no try.

#15 Andrew59

Andrew59
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 22 April 2009 - 02:08 PM

PROBLEMS SOLVED- ISP connection Fixed!!!

ALL is Well, apparently. Let me know what you think of the reports below. I attached both the Driver Mode after Wipe and the File Mode Report.

Thank you Again for providing assistance and your invaluable expertise!

Drew59


Driver Mode After Wipe

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/22 11:26
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF8729000 Size: 187776 File Visible: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2180480 File Visible: -
Status: -

Name: aeaudio.sys
Image Path: C:\WINDOWS\system32\drivers\aeaudio.sys
Address: 0xF8C8E000 Size: 4384 File Visible: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xEFD6F000 Size: 138368 File Visible: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF86A3000 Size: 95360 File Visible: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF8E31000 Size: 3072 File Visible: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF8CBA000 Size: 4224 File Visible: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF8B88000 Size: 12288 File Visible: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF8488000 Size: 63744 File Visible: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF8908000 Size: 49536 File Visible: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF8848000 Size: 53248 File Visible: -
Status: -

Name: CO_Mon.sys
Image Path: C:\WINDOWS\system32\drivers\CO_Mon.sys
Address: 0xF8A08000 Size: 30592 File Visible: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF8838000 Size: 36352 File Visible: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF86D3000 Size: 153344 File Visible: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF8C86000 Size: 5888 File Visible: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF8938000 Size: 61440 File Visible: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEFBAA000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8CD4000 Size: 8192 File Visible: No
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF84FC000 Size: 12288 File Visible: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF8E6F000 Size: 4096 File Visible: -
Status: -

Name: e100b325.sys
Image Path: C:\WINDOWS\system32\DRIVERS\e100b325.sys
Address: 0xF82AE000 Size: 145408 File Visible: -
Status: -

Name: eeCtrl.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
Address: 0xEFC07000 Size: 385024 File Visible: -
Status: -

Name: EraserUtilRebootDrv.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
Address: 0xEFBEA000 Size: 118784 File Visible: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys
Address: 0xF8AE0000 Size: 27392 File Visible: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF84A8000 Size: 34944 File Visible: -
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Address: 0xF8A78000 Size: 20480 File Visible: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xF863E000 Size: 128896 File Visible: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF8CB6000 Size: 7936 File Visible: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF86F9000 Size: 125056 File Visible: -
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xF8928000 Size: 40960 File Visible: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EC000 Size: 131968 File Visible: -
Status: -

Name: hglxe.sys
Image Path: hglxe.sys
Address: 0xF8778000 Size: 61440 File Visible: No
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF8A20000 Size: 28672 File Visible: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xEEF68000 Size: 262784 File Visible: -
Status: -

Name: i2omgmt.SYS
Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xF8C9C000 Size: 8192 File Visible: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF88E8000 Size: 52736 File Visible: -
Status: -

Name: ialmdd5.DLL
Image Path: C:\WINDOWS\System32\ialmdd5.DLL
Address: 0xBF077000 Size: 925696 File Visible: -
Status: -

Name: ialmdev5.DLL
Image Path: C:\WINDOWS\System32\ialmdev5.DLL
Address: 0xBF042000 Size: 217088 File Visible: -
Status: -

Name: ialmdnt5.dll
Image Path: C:\WINDOWS\System32\ialmdnt5.dll
Address: 0xBF020000 Size: 139264 File Visible: -
Status: -

Name: ialmnt5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
Address: 0xF8309000 Size: 1302208 File Visible: -
Status: -

Name: ialmrnt5.dll
Image Path: C:\WINDOWS\System32\ialmrnt5.dll
Address: 0xBF012000 Size: 57344 File Visible: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xF88D8000 Size: 36096 File Visible: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xEFEBA000 Size: 74752 File Visible: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF8788000 Size: 35840 File Visible: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF8AE8000 Size: 24576 File Visible: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF8C78000 Size: 8192 File Visible: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF8277000 Size: 143360 File Visible: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF8615000 Size: 92032 File Visible: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF8CBE000 Size: 4224 File Visible: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF8AF0000 Size: 23040 File Visible: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF8798000 Size: 42240 File Visible: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xEF5CB000 Size: 179584 File Visible: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xEFC65000 Size: 453632 File Visible: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF8A38000 Size: 19072 File Visible: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF84E8000 Size: 35072 File Visible: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF8C68000 Size: 15488 File Visible: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF8540000 Size: 107904 File Visible: -
Status: -

Name: NAVENG.SYS
Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090416.048\NAVENG.SYS
Address: 0xEFF15000 Size: 82400 File Visible: -
Status: -

Name: NAVEX15.SYS
Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20090416.048\NAVEX15.SYS
Address: 0xEFF2A000 Size: 869440 File Visible: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF855B000 Size: 182912 File Visible: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF8C44000 Size: 9600 File Visible: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xEFA96000 Size: 12928 File Visible: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF81AE000 Size: 91776 File Visible: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF8988000 Size: 38016 File Visible: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF84C8000 Size: 34560 File Visible: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xEFD91000 Size: 162816 File Visible: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF8A48000 Size: 30848 File Visible: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF8588000 Size: 574464 File Visible: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2180480 File Visible: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF8D58000 Size: 2944 File Visible: -
Status: -

Name: NWADIenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
Address: 0xF80F0000 Size: 212992 File Visible: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xF829A000 Size: 80128 File Visible: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF8A00000 Size: 18688 File Visible: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF8718000 Size: 68224 File Visible: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF8D40000 Size: 3328 File Visible: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF89F8000 Size: 28672 File Visible: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2180480 File Visible: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF81C5000 Size: 147456 File Visible: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF8B50000 Size: 17792 File Visible: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF8BA4000 Size: 8832 File Visible: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF8948000 Size: 51328 File Visible: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF8958000 Size: 41472 File Visible: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF8968000 Size: 48384 File Visible: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF8B60000 Size: 16512 File Visible: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2180480 File Visible: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xEFCD4000 Size: 174592 File Visible: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF8CC2000 Size: 4224 File Visible: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xF817D000 Size: 196864 File Visible: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF8918000 Size: 57472 File Visible: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEE7BD000 Size: 45056 File Visible: No
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS
Address: 0xF86BB000 Size: 98304 File Visible: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xF8C30000 Size: 15488 File Visible: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xF88F8000 Size: 64896 File Visible: -
Status: -

Name: smwdm.sys
Image Path: C:\WINDOWS\system32\drivers\smwdm.sys
Address: 0xF81E9000 Size: 580992 File Visible: -
Status: -

Name: SPBBCDrv.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
Address: 0xEFCFF000 Size: 458752 File Visible: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF862C000 Size: 73472 File Visible: -
Status: -

Name: SRTSP.SYS
Image Path: C:\WINDOWS\System32\Drivers\SRTSP.SYS
Address: 0xEFFFF000 Size: 299008 File Visible: -
Status: -

Name: SRTSPX.SYS
Image Path: C:\WINDOWS\System32\Drivers\SRTSPX.SYS
Address: 0xF89C8000 Size: 36992 File Visible: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xEF161000 Size: 333184 File Visible: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF8C94000 Size: 4352 File Visible: -
Status: -

Name: SYMDNS.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMDNS.SYS
Address: 0xF8CC6000 Size: 6912 File Visible: -
Status: -

Name: SYMEVENT.SYS
Image Path: C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
Address: 0xEFE11000 Size: 151552 File Visible: -
Status: -

Name: SYMFW.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMFW.SYS
Address: 0xEFDFB000 Size: 89856 File Visible: -
Status: -

Name: SYMIDS.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMIDS.SYS
Address: 0xF8B00000 Size: 31872 File Visible: -
Status: -

Name: SymIDSCo.sys
Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\ipsdefs\20090414.001\SymIDSCo.sys
Address: 0xEFDB9000 Size: 270336 File Visible: -
Status: -

Name: SymIM.sys
Image Path: C:\WINDOWS\system32\DRIVERS\SymIM.sys
Address: 0xF8B78000 Size: 24576 File Visible: -
Status: -

Name: SYMNDIS.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMNDIS.SYS
Address: 0xF8AD8000 Size: 30720 File Visible: -
Status: -

Name: SYMREDRV.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
Address: 0xF8C28000 Size: 15616 File Visible: -
Status: -

Name: SYMTDI.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMTDI.SYS
Address: 0xEFE36000 Size: 177792 File Visible: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xF8898000 Size: 60800 File Visible: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xEFE62000 Size: 360320 File Visible: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF8B40000 Size: 20480 File Visible: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF8978000 Size: 40704 File Visible: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF8124000 Size: 364160 File Visible: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF8C9A000 Size: 8192 File Visible: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF8AD0000 Size: 26624 File Visible: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF89A8000 Size: 57600 File Visible: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF82D2000 Size: 143360 File Visible: -
Status: -

Name: usbprint.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Address: 0xF8AA8000 Size: 25856 File Visible: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF8AC8000 Size: 20480 File Visible: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF8A28000 Size: 20992 File Visible: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF82F5000 Size: 81920 File Visible: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF87A8000 Size: 52352 File Visible: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF84D8000 Size: 34560 File Visible: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF8A80000 Size: 20480 File Visible: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xEF70D000 Size: 82944 File Visible: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF8C7A000 Size: 8192 File Visible: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2180480 File Visible: -
Status: -




File Mode



ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/22 11:56
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\ITDirector\Local Settings\Temp\jar_cache7248.tmp
Status: Locked to the Windows API!

Path: C:\Documents and Settings\ITDirector\Local Settings\Temp\jar_cache7249.tmp
Status: Locked to the Windows API!

Path: C:\Documents and Settings\ITDirector\Local Settings\Temp\jar_cache7250.tmp
Status: Locked to the Windows API!

Path: C:\Documents and Settings\ITDirector\Local Settings\Temp\jar_cache7251.tmp
Status: Locked to the Windows API!

Path: C:\Documents and Settings\ITDirector\Local Settings\Temp\jar_cache7252.tmp
Status: Locked to the Windows API!

Path: C:\Documents and Settings\ITDirector\Local Settings\Temp\toolbox_healer7253.log
Status: Allocation size mismatch (API: 376, Raw: 0)

Path: C:\Documents and Settings\ITDirector\Local Settings\Temp\me_UF8EDChX754cf8l
Status: Allocation size mismatch (API: 4096, Raw: 0)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users