Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown rootkit infection


  • This topic is locked This topic is locked
2 replies to this topic

#1 FrankRizzo890

FrankRizzo890

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:46 AM

Posted 31 May 2009 - 10:56 AM

Hi guys, I had a feeling that my wife's laptop was infected, so I ran some tests, and sure enough, there's some sorta rootkit running on here. First things first, here's the DDS Log:

DDS (Ver_09-05-14.01) - NTFSx86  
Run by Chris at 10:40:14.23 on Sun 05/31/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.511.143 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)   {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Documents and Settings\Chris\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\eplgx1d8.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-30 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-8-27 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-30 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-30 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-30 298776]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-17 24652]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2007-8-24 92550]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\windows\system32\drivers\vcdrom.sys --> c:\windows\system32\drivers\VCdRom.sys [?]
S3 AOCPVXL;AOCPVXL;c:\docume~1\useruser\locals~1\temp\AOCPVXL.exe [2009-5-30 531328]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\27.tmp --> c:\windows\system32\27.tmp [?]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-4-19 99200]
S4 JEXJ;JEXJ;c:\docume~1\useruser\locals~1\temp\JEXJ.exe [2009-5-30 461696]
S4 VMRB;VMRB;c:\docume~1\admini~1\locals~1\temp\VMRB.exe [2009-5-29 584576]

=============== Created Last 30 ================

2009-05-31 10:20	<DIR>	--d-----	c:\documents and settings\Chris
2009-05-30 22:15	<DIR>	--d-----	c:\program files\Trend Micro
2009-05-29 22:29	5,760	--------	c:\windows\system32\38.tmp
2009-05-29 22:23	<DIR>	--d-----	c:\program files\Sophos
2009-05-28 21:59	102,664	a-------	c:\windows\system32\drivers\tmcomm.sys
2009-05-28 19:55	<DIR>	--d-----	c:\program files\Fishdom H20 Hidden Odyssey
2009-05-27 23:46	41,984	----h---	c:\windows\freddy43.exe
2009-05-27 23:46	1	----h---	c:\windows\f23567.dat
2009-05-27 23:46	2	----h---	c:\windows\sonce122712.dat
2009-05-27 21:46	<DIR>	--d-----	c:\windows\system32\sysloc
2009-05-24 20:07	<DIR>	--d-----	c:\program files\Cate West The Velvet Keys
2009-05-24 19:46	<DIR>	--d-----	c:\program files\Dream Chronicles The Chosen Child
2009-05-20 07:13	<DIR>	--d-----	c:\program files\DVDVideoSoft
2009-05-20 07:13	<DIR>	--d-----	c:\program files\common files\DVDVideoSoft
2009-05-16 23:49	<DIR>	--d-----	c:\program files\Amazing Adventures Special Edition Bundle
2009-05-15 18:35	<DIR>	--d-----	c:\program files\Adventures of Robinson Crusoe
2009-05-09 18:47	1,799	a-------	c:\windows\DatabaseUtilityD.INI
2009-05-06 03:02	<DIR>	--d-----	c:\windows\system32\KB905474
2009-05-03 11:09	<DIR>	--d-----	C:\NewStuff
2009-05-01 13:30	3,366,912	a-------	c:\windows\system32\GPhotos.scr

==================== Find3M  ====================

2009-05-01 08:05	11,952	a-------	c:\windows\system32\avgrsstx.dll
2009-05-01 08:05	325,896	a-------	c:\windows\system32\drivers\avgldx86.sys
2009-05-01 08:04	108,552	a-------	c:\windows\system32\drivers\avgtdix.sys
2009-04-07 22:14	196,608	a-------	c:\windows\system32\pcre3.dll
2009-03-12 10:30	142,504	a-------	c:\windows\system32\ElbyVCD.dll
2009-03-09 07:19	410,984	a-------	c:\windows\system32\deploytk.dll
2009-03-06 09:22	284,160	a-------	c:\windows\system32\pdh.dll
2009-03-02 19:18	826,368	a-------	c:\windows\system32\wininet.dll
2008-08-03 01:06	32,768	a--sh---	c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080220080803\index.dat
2008-10-06 22:18	16,384	a--sh---	c:\windows\temp\cookies\index.dat
2008-10-06 22:18	16,384	a--sh---	c:\windows\temp\history\history.ie5\index.dat
2008-10-06 22:18	32,768	a--sh---	c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 10:40:28.93 ===============

I didn't see anything important in there, but what do I know? :thumbup2:

SO, I ran RootRepeal, and the drivers panel gives interesting results:

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time:			2009/05/31 10:46
Program Version:		Version 1.2.3.0
Windows Version:		Windows XP SP3
==================================================

Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF8523000	Size: 187776	File Visible: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000	Size: 2189056	File Visible: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF5463000	Size: 138496	File Visible: -
Status: -

Name: agp440.sys
Image Path: agp440.sys
Address: 0xF86D4000	Size: 42368	File Visible: -
Status: -

Name: Apfiltr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
Address: 0xF7AAD000	Size: 110400	File Visible: -
Status: -

Name: APPDRV.SYS
Image Path: C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
Address: 0xF55AC000	Size: 16128	File Visible: -
Status: -

[color="#FF0000"]Name: aq1j6thq.SYS
Image Path: C:\WINDOWS\System32\Drivers\aq1j6thq.SYS
Address: 0xF77CE000	Size: 417792	File Visible: No
Status: -
[/color]

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF84BD000	Size: 98304	File Visible: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0x00000000	Size: 0	File Visible: -
Status: -

Name: ati2cqag.dll
Image Path: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBFA17000	Size: 237568	File Visible: -
Status: -

Name: ati2dvag.dll
Image Path: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF9D5000	Size: 270336	File Visible: -
Status: -

Name: ati2mtag.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Address: 0xF7BD5000	Size: 1466368	File Visible: -
Status: -

Name: ati3duag.dll
Image Path: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBFA87000	Size: 2519040	File Visible: -
Status: -

Name: atikvmag.dll
Image Path: C:\WINDOWS\System32\atikvmag.dll
Address: 0xBFA51000	Size: 221184	File Visible: -
Status: -

Name: ativvaxx.dll
Image Path: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBFCEE000	Size: 1093632	File Visible: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF8CE2000	Size: 3072	File Visible: -
Status: -

Name: avgldx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgldx86.sys
Address: 0xF52B4000	Size: 319232	File Visible: -
Status: -

Name: avgmfx86.sys
Image Path: C:\WINDOWS\System32\Drivers\avgmfx86.sys
Address: 0xF8914000	Size: 21120	File Visible: -
Status: -

Name: avgtdix.sys
Image Path: C:\WINDOWS\System32\Drivers\avgtdix.sys
Address: 0xF54AD000	Size: 101888	File Visible: -
Status: -

Name: b57xp32.sys
Image Path: C:\WINDOWS\system32\DRIVERS\b57xp32.sys
Address: 0xF7B73000	Size: 172032	File Visible: -
Status: -

Name: BATTC.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\BATTC.SYS
Address: 0xF8A8C000	Size: 16384	File Visible: -
Status: -

Name: bcmwl5.sys
Image Path: C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
Address: 0xF7AC8000	Size: 604928	File Visible: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF8BBE000	Size: 4224	File Visible: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF8A84000	Size: 12288	File Visible: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF7776000	Size: 63744	File Visible: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF8784000	Size: 62976	File Visible: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF86B4000	Size: 53248	File Visible: -
Status: -

Name: CmBatt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Address: 0xF833B000	Size: 13952	File Visible: -
Status: -

Name: compbatt.sys
Image Path: compbatt.sys
Address: 0xF8A88000	Size: 10240	File Visible: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF86A4000	Size: 36352	File Visible: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF87A4000	Size: 61440	File Visible: -
Status: -

Name: drvmcdb.sys
Image Path: drvmcdb.sys
Address: 0xF8476000	Size: 84032	File Visible: -
Status: -

Name: drvnddm.sys
Image Path: C:\WINDOWS\system32\drivers\drvnddm.sys
Address: 0xF88D4000	Size: 38240	File Visible: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF5274000	Size: 98304	File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8BEE000	Size: 8192	File Visible: No
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF5588000	Size: 12288	File Visible: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000	Size: 73728	File Visible: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF8D9F000	Size: 4096	File Visible: -
Status: -

Name: ElbyCDIO.sys
Image Path: C:\WINDOWS\System32\Drivers\ElbyCDIO.sys
Address: 0xF8A7C000	Size: 16896	File Visible: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF88A4000	Size: 44544	File Visible: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF849D000	Size: 129792	File Visible: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF8BBC000	Size: 7936	File Visible: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF84D5000	Size: 125056	File Visible: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806EE000	Size: 81152	File Visible: -
Status: -

Name: HSF_CNXT.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Address: 0xF7834000	Size: 705408	File Visible: -
Status: -

Name: HSF_DPV.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS
Address: 0xF78E1000	Size: 1033728	File Visible: -
Status: -

Name: HSFHWICH.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
Address: 0xF79DE000	Size: 208384	File Visible: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xF242C000	Size: 264832	File Visible: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF8744000	Size: 52480	File Visible: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF8774000	Size: 42112	File Visible: -
Status: -

Name: intelide.sys
Image Path: intelide.sys
Address: 0xF8B78000	Size: 5504	File Visible: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xF8724000	Size: 36352	File Visible: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xF5302000	Size: 152832	File Visible: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xF551F000	Size: 75264	File Visible: -
Status: -

Name: irda.sys
Image Path: C:\WINDOWS\system32\DRIVERS\irda.sys
Address: 0xF2F6F000	Size: 88192	File Visible: -
Status: -

Name: irenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\irenum.sys
Address: 0xF832B000	Size: 11264	File Visible: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF8674000	Size: 37248	File Visible: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF89A4000	Size: 24576	File Visible: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF8B74000	Size: 8192	File Visible: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xF2041000	Size: 172416	File Visible: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF7A76000	Size: 143360	File Visible: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF845F000	Size: 92288	File Visible: -
Status: -
[color="#FF0000"]

Name: kungsfwgmansku.sys
Image Path: C:\WINDOWS\system32\drivers\kungsfwgmansku.sys
Address: 0xF5532000	Size: 73728	File Visible: -
Status: Hidden from Windows API!
[/color]
Name: mdmxsdk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Address: 0xF2E3B000	Size: 11840	File Visible: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF8BC0000	Size: 4224	File Visible: -
Status: -

Name: Modem.SYS
Image Path: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF89AC000	Size: 30080	File Visible: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF899C000	Size: 23040	File Visible: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF8684000	Size: 42368	File Visible: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xF2D3A000	Size: 180608	File Visible: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xF53C8000	Size: 455296	File Visible: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF8A6C000	Size: 19072	File Visible: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF87E4000	Size: 35072	File Visible: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF7D75000	Size: 15488	File Visible: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF8378000	Size: 105344	File Visible: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF8392000	Size: 182656	File Visible: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF8B40000	Size: 10112	File Visible: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xF3091000	Size: 14592	File Visible: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF77B7000	Size: 91520	File Visible: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF8824000	Size: 40576	File Visible: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF8894000	Size: 34688	File Visible: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xF5485000	Size: 162816	File Visible: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF8A74000	Size: 30848	File Visible: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF83BF000	Size: 574976	File Visible: -
Status: -

Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000	Size: 2189056	File Visible: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF8CA5000	Size: 2944	File Visible: -
Status: -

Name: NWADIenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
Address: 0xF7644000	Size: 212992	File Visible: -
Status: -

Name: omci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\omci.sys
Address: 0xF8A2C000	Size: 17152	File Visible: -
Status: -

Name: ozscr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ozscr.sys
Address: 0xF7B5C000	Size: 92512	File Visible: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xF7A99000	Size: 80128	File Visible: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF88FC000	Size: 19712	File Visible: -
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xF8B8E000	Size: 6784	File Visible: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF8512000	Size: 68224	File Visible: -
Status: -

Name: PCI_NTPNP4912
Image Path: \Driver\PCI_NTPNP4912
Address: 0x00000000	Size: 0	File Visible: No
Status: -

Name: PCIIde.sys
Image Path: PCIIde.sys
Address: 0xF8C3C000	Size: 3328	File Visible: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\Drivers\PCIIDEX.SYS
Address: 0xF88F4000	Size: 28672	File Visible: -
Status: -

Name: pcmcia.sys
Image Path: pcmcia.sys
Address: 0xF84F4000	Size: 120192	File Visible: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000	Size: 2189056	File Visible: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF7A11000	Size: 147456	File Visible: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF77A6000	Size: 69120	File Visible: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF8A1C000	Size: 17792	File Visible: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF86C4000	Size: 36320	File Visible: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF7634000	Size: 8832	File Visible: -
Status: -

Name: rasirda.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasirda.sys
Address: 0xF8A0C000	Size: 19584	File Visible: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF87B4000	Size: 51328	File Visible: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF87C4000	Size: 41472	File Visible: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF87D4000	Size: 48384	File Visible: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF8A24000	Size: 16512	File Visible: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000	Size: 2189056	File Visible: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xF5438000	Size: 175744	File Visible: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF8BC2000	Size: 4224	File Visible: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xF76D6000	Size: 196224	File Visible: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF8794000	Size: 57600	File Visible: -
Status: -

Name: RKREVEAL150.SYS
Image Path: C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS
Address: 0xF8C16000	Size: 4128	File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF5348000	Size: 45056	File Visible: No
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS
Address: 0xF8551000	Size: 98304	File Visible: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xF832F000	Size: 15744	File Visible: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xF8754000	Size: 64512	File Visible: -
Status: -

Name: smcirda.sys
Image Path: C:\WINDOWS\system32\DRIVERS\smcirda.sys
Address: 0xF8764000	Size: 35840	File Visible: -
Status: -

Name: SMCLIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\SMCLIB.SYS
Address: 0xF8337000	Size: 16384	File Visible: -
Status: -

Name: sptd.sys
Image Path: sptd.sys
Address: 0xF8569000	Size: 958464	File Visible: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF848B000	Size: 73472	File Visible: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xF2C98000	Size: 333952	File Visible: -
Status: -

Name: sscdbhk5.sys
Image Path: C:\WINDOWS\system32\drivers\sscdbhk5.sys
Address: 0xF8BA2000	Size: 5568	File Visible: -
Status: -

Name: ssrtln.sys
Image Path: C:\WINDOWS\system32\drivers\ssrtln.sys
Address: 0xF8A5C000	Size: 23168	File Visible: -
Status: -

Name: stac97.sys
Image Path: C:\WINDOWS\system32\drivers\stac97.sys
Address: 0xF7A35000	Size: 264384	File Visible: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF8BA8000	Size: 4352	File Visible: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xF2B00000	Size: 60800	File Visible: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xF54C6000	Size: 361600	File Visible: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF8A14000	Size: 20480	File Visible: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF8804000	Size: 40704	File Visible: -
Status: -

Name: tfsnboio.sys
Image Path: C:\WINDOWS\system32\dla\tfsnboio.sys
Address: 0xF89EC000	Size: 25632	File Visible: -
Status: -

Name: tfsncofs.sys
Image Path: C:\WINDOWS\system32\dla\tfsncofs.sys
Address: 0xF88E4000	Size: 34784	File Visible: -
Status: -

Name: tfsndrct.sys
Image Path: C:\WINDOWS\system32\dla\tfsndrct.sys
Address: 0xF8CAA000	Size: 4064	File Visible: -
Status: -

Name: tfsndres.sys
Image Path: C:\WINDOWS\system32\dla\tfsndres.sys
Address: 0xF8CA8000	Size: 2176	File Visible: -
Status: -

Name: tfsnifs.sys
Image Path: C:\WINDOWS\system32\dla\tfsnifs.sys
Address: 0xF311F000	Size: 85920	File Visible: -
Status: -

Name: tfsnopio.sys
Image Path: C:\WINDOWS\system32\dla\tfsnopio.sys
Address: 0xF31A4000	Size: 14176	File Visible: -
Status: -

Name: tfsnpool.sys
Image Path: C:\WINDOWS\system32\dla\tfsnpool.sys
Address: 0xF8C0A000	Size: 6304	File Visible: -
Status: -

Name: tfsnudf.sys
Image Path: C:\WINDOWS\system32\dla\tfsnudf.sys
Address: 0xF3106000	Size: 98528	File Visible: -
Status: -

Name: tfsnudfa.sys
Image Path: C:\WINDOWS\system32\dla\tfsnudfa.sys
Address: 0xF30ED000	Size: 100544	File Visible: -
Status: -

Name: tmcomm.sys
Image Path: C:\WINDOWS\system32\drivers\tmcomm.sys
Address: 0xF2B90000	Size: 97280	File Visible: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF7678000	Size: 384768	File Visible: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF8BAC000	Size: 8192	File Visible: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF8994000	Size: 30208	File Visible: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF8854000	Size: 59520	File Visible: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF7B9D000	Size: 147456	File Visible: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF898C000	Size: 20608	File Visible: -
Status: -

Name: VClone.sys
Image Path: C:\WINDOWS\system32\DRIVERS\VClone.sys
Address: 0xF8814000	Size: 45056	File Visible: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF8A64000	Size: 20992	File Visible: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF7BC1000	Size: 81920	File Visible: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF8694000	Size: 52352	File Visible: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF88B4000	Size: 34560	File Visible: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF8964000	Size: 20480	File Visible: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xF2743000	Size: 83072	File Visible: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000	Size: 1847296	File Visible: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000	Size: 1847296	File Visible: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS
Address: 0xF8B76000	Size: 8192	File Visible: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000	Size: 2189056	File Visible: -
Status: -

Name: WudfPf.sys
Image Path: WudfPf.sys
Address: 0xF844C000	Size: 77568	File Visible: -
Status: -


SO, there you have my infestation, I already have avenger installed, and I'm ready to do what needs to be done.

Frank

BC AdBot (Login to Remove)

 


#2 FrankRizzo890

FrankRizzo890
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:46 AM

Posted 01 June 2009 - 07:34 AM

Fixed it myself. Used the Linux based "System Recovery CD", mounted the windows drive, found the offending driver files, deleted them, and things are much better now.

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,806 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:46 AM

Posted 01 June 2009 - 09:53 AM

Thank you for letting us know. Since this issue seems to be resolved, this thread will now be closed.

In case you experience any problems with the computer, please Start a new topic.

Happy computing,

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users