Infected with System Security

15 replies to this topic

#1 CoR_Oktober


Posted 21 June 2009 - 10:56 PM

Hey. I believe that I am infected with the system security virus. All of the programs were previously disabled on my computer, the desktop changed, and system security tried to install and have me download it to remove certain problems.

I eventually was able to end the processes so that I had access to some programs and I could change my desktop back. Also, the system security is not scanning anymore.

However, I am still clearly infected as my computer will freeze every so often and I am having internet problems.

I know that MBAM should take care of the problem. However, I cannot run this program. I have tried downloading it multiple times and running it in both normal and safe modes. However, I cannot open the program/have it download.

I do not know what else I should do. Spybot will also not open.

Your help is appreciated.

Thanks



#2 quietman7


Posted 22 June 2009 - 09:46 AM

Please download and scan with Dr.Web CureIt - alternate download link.
Follow these instructions for performing a scan in "safe mode".
If you cannot boot into safe mode, then perform your scan in normal mode. Be aware, this scan could take a long time to complete.
-- Post the log in your next reply. If you can't find the log, try to write down what was detected/removed before exiting Dr.Web CureIt so you can provide that information.

Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not install, try renaming it first.
  • Right-click on the mbam-setup.exe file and rename it to mysetup.exe.
  • Double-click on mysetup.exe to start the installation.
  • If that did not work, then try renaming and changing the file extension. <- click this link if you do not see the file extension
  • Right-click on the mbam-setup.exe file, rename it to mysetup and change the .exe extension to .scr, .com, .pif, or .bat.
  • Then double-click on mysetup.scr (or whatever extension you renamed it) to begin installation.
If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on mbam.exe, rename it to myscan.exe.
  • Double-click on myscan.exe to launch the program.
  • If that did not work, then try renaming and changing the .exe extension in the same way as noted above.
  • Double-click on myscan.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 CoR_Oktober


Posted 23 June 2009 - 10:57 AM

Here are the logs because I had to pause the scan at one point. Also I do not have the log for the short scan but it found something like a Trojan in some sort of file under the folder "mason".

Logs from complete scan:

inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4024;Probably BACKDOOR.Trojan;Incurable.Moved.;
ocpinst.exe\data529;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4024\ocpinst.exe;Probably BACKDOOR.Trojan;;
ocpinst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4024;Archive contains infected objects;Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.6.1;Probably BACKDOOR.Trojan;Incurable.Moved.;

3 Months Free NetZero.exe;C:\Program Files\Dell\Launcher\files;Trojan.Click.1487;Deleted.;
UACeltirypephwdgko.dll;C:\WINDOWS\system32;BackDoor.Tdss.49;Deleted.;
UAChtjgnbaphpqqawc.dll;C:\WINDOWS\system32;Trojan.Packed.365;;
UAChucexsprpypwfod.dll;C:\WINDOWS\system32;Trojan.Packed.365;;
UACrmhumcwllniolmu.dll;C:\WINDOWS\system32;BackDoor.Tdss.105;Deleted.;
UACa6da.tmp;C:\WINDOWS\Temp;Trojan.Packed.365;Incurable.Moved.;
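The Dr.Web output above is semicolon-separated, and its last field says whether the scanner actually did anything about each object: an empty action field means the file was reported but left in place. As an added example (not from the post or from Dr.Web), this Python parses those records, copied into the script as sample input, and separates what was moved or deleted from what was merely reported.

```python
"""Parse the Dr.Web CureIt scan output posted above and flag what it did not fix.

This is an added example, not code from the forum post or from Dr.Web. It
assumes the record layout visible in the post: one detection per line, fields
separated by ';' in the order object;directory;verdict;action, with an empty
action field when the scanner took no action on that object.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the Dr.Web lines copied from the post above.
SAMPLE_LOG = r'''
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4024;Probably BACKDOOR.Trojan;Incurable.Moved.;
ocpinst.exe\data529;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4024\ocpinst.exe;Probably BACKDOOR.Trojan;;
ocpinst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4024;Archive contains infected objects;Moved.;
setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.6.1;Probably BACKDOOR.Trojan;Incurable.Moved.;
3 Months Free NetZero.exe;C:\Program Files\Dell\Launcher\files;Trojan.Click.1487;Deleted.;
UACeltirypephwdgko.dll;C:\WINDOWS\system32;BackDoor.Tdss.49;Deleted.;
UAChtjgnbaphpqqawc.dll;C:\WINDOWS\system32;Trojan.Packed.365;;
UAChucexsprpypwfod.dll;C:\WINDOWS\system32;Trojan.Packed.365;;
UACrmhumcwllniolmu.dll;C:\WINDOWS\system32;BackDoor.Tdss.105;Deleted.;
UACa6da.tmp;C:\WINDOWS\Temp;Trojan.Packed.365;Incurable.Moved.;
'''


@dataclass(frozen=True)
class Detection:
    obj: str        # file name, or "archive\member" for an object inside an archive
    directory: str
    verdict: str
    action: str     # "" when Dr.Web neither cured, moved nor deleted the object

    @property
    def path(self) -> str:
        # For an object inside an archive Dr.Web puts the archive itself in the
        # directory field and "archive\member" in the object field.
        archive, sep, member = self.obj.partition("\\")
        if sep and self.directory.lower().endswith("\\" + archive.lower()):
            return self.directory + "\\" + member
        return self.directory.rstrip("\\") + "\\" + self.obj

    @property
    def unresolved(self) -> bool:
        return self.action == ""


def parse_drweb_log(text: str) -> List[Detection]:
    """Turn the semicolon-separated records into Detection objects."""
    found: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        # A record ends with ';', so split() yields a trailing empty field;
        # anything shorter than four fields is not a detection record.
        if len(fields) < 4:
            continue
        obj, directory, verdict, action = (f.strip() for f in fields[:4])
        found.append(Detection(obj, directory, verdict, action))
    return found


def unresolved(dets: List[Detection]) -> List[Detection]:
    """Objects Dr.Web identified but did not act on: still on disk after the scan."""
    return [d for d in dets if d.unresolved]


def rootkit_related(dets: List[Detection]) -> List[Detection]:
    """Detections tied to the TDSS family: Dr.Web's BackDoor.Tdss verdicts plus
    the randomly named UAC* files that sit beside them in this particular log."""
    return [d for d in dets
            if "tdss" in d.verdict.lower() or d.obj.lower().startswith("uac")]


def summarize(text: str) -> Dict[str, object]:
    """One-shot triage view of a log: counts, and the items that need a follow-up."""
    dets = parse_drweb_log(text)
    return {
        "total": len(dets),
        "verdicts": Counter(d.verdict for d in dets),
        "unresolved": [d.path for d in unresolved(dets)],
        "rootkit_related": [d.path for d in rootkit_related(dets)],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} detections")
    for verdict, n in report["verdicts"].most_common():
        print(f"  {n} x {verdict}")
    print("not actioned by Dr.Web (follow up with a second tool):")
    for p in report["unresolved"]:
        print("  " + p)
```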

#4 quietman7


Posted 23 June 2009 - 11:05 AM

Are you able to perform a scan with MBAM now? If so, please post the log for review.

IMPORTANT NOTE: One or more of the identified infections was related to a nasty variant of the TDSSSERV rootkit component. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

Although the rootkit was identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

#5 CoR_Oktober


Posted 23 June 2009 - 11:19 AM

I also still cannot get MBAM to run. I got it to download but even changing the file extensions did not work.

Some other problems I am having with my computer that I may not have mentioned are that whenever it starts up, I receive Google installer problems as well as Logitech problems.

More importantly, Google is not functioning properly. Whenever I click a link in Google, it takes me to a different website with a different URL. For that reason, I am using dogpile.com as my search engine right now.

Also, my computer will at times freeze up and beep. Then I have to force turn it off.

Because I cannot get MBAM to run, I am unsure what else to do.

#6 quietman7


Posted 23 June 2009 - 01:59 PM

Please download Norman Malware Cleaner and save to your desktop. Be sure to print out the instructions provided on the same page.
  • Restart your computer in "Safe Mode".
  • Double-click on Norman_Malware_Cleaner.exe to start the program.
  • Read the End User License Agreement and click the Accept button to open the scanning window.
  • Click Start Scan to begin.
  • In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot and run the tool again to ensure that all infections are removed.
  • After the scan has finished, a log file with the date (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.


#7 CoR_Oktober


Posted 25 June 2009 - 03:47 PM

Here is the log from Norman.

Norman Malware Cleaner
Copyright © 1990 - 2009, Norman ASA. Built 2009/06/18 08:50:13

Norman Scanner Engine Version: 6.01.09
Nvcbin.def Version: 6.01.00, Date: 2009/06/18 08:50:13, Variants: 3303520

Scan started: 24/06/2009 17:43:15

Running pre-scan cleanup routine:
Operating System: Microsoft Windows XP Professional 5.1.2600(Safe mode) Service Pack 3
Logged on user: JCHAPONIS\Jon

Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = "C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL,c:\progra~1\Manson\liser.dll" -> ""
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000


Scanning running processes and process memory...

Number of processes/threads found: 632
Number of processes/threads scanned: 632
Number of processes/threads not scanned: 0
Number of infected processes/threads terminated: 0
Total scanning time: 26s


Scanning file system...

Scanning: C:\*.*

C:\Documents and Settings\Jon\DoctorWeb\Quarantine\UACa6da.tmp (Infected with W32/FakeAlert.NEU)
Deleted file

C:\Documents and Settings\Jon\DoctorWeb\Quarantine\UACa6da.tmp (Infected with W32/FakeAlert.NEU)
Deleted file

C:\Documents and Settings\Jon\DoctorWeb\Quarantine\UACa6da.tmp (Infected with W32/FakeAlert.NEU)
Deleted file

C:\Documents and Settings\Jon\DoctorWeb\Quarantine\UACa6da.tmp (Infected with W32/FakeAlert.NEU)
Deleted file

C:\Documents and Settings\Jon\DoctorWeb\Quarantine\UACa6da.tmp (Infected with W32/FakeAlert.NEU)
Deleted file
Too many infections/an unexpected error (Please contact support)

C:\Documents and Settings\Jon\DoctorWeb\Quarantine\UAChucexsprpypwfo0.dll (Infected with W32/FakeAlert.NEU)
Deleted file

C:\Documents and Settings\Jon\DoctorWeb\Quarantine\UAChucexsprpypwfo0.dll (Infected with W32/FakeAlert.NEU)
Deleted file

C:\Documents and Settings\Jon\DoctorWeb\Quarantine\UAChucexsprpypwfo0.dll (Infected with W32/FakeAlert.NEU)
Deleted file

C:\Documents and Settings\Jon\DoctorWeb\Quarantine\UAChucexsprpypwfo0.dll (Infected with W32/FakeAlert.NEU)
Deleted file

C:\Documents and Settings\Jon\DoctorWeb\Quarantine\UAChucexsprpypwfo0.dll (Infected with W32/FakeAlert.NEU)
Deleted file
Too many infections/an unexpected error (Please contact support)

C:\Documents and Settings\Jon\DoctorWeb\Quarantine\UAChucexsprpypwfod.dll (Infected with W32/FakeAlert.NEU)
Deleted file

C:\Documents and Settings\Jon\DoctorWeb\Quarantine\UAChucexsprpypwfod.dll (Infected with W32/FakeAlert.NEU)
Deleted file

C:\Documents and Settings\Jon\DoctorWeb\Quarantine\UAChucexsprpypwfod.dll (Infected with W32/FakeAlert.NEU)
Deleted file

C:\Documents and Settings\Jon\DoctorWeb\Quarantine\UAChucexsprpypwfod.dll (Infected with W32/FakeAlert.NEU)
Deleted file

C:\Documents and Settings\Jon\DoctorWeb\Quarantine\UAChucexsprpypwfod.dll (Infected with W32/FakeAlert.NEU)
Deleted file
Too many infections/an unexpected error (Please contact support)

C:\Documents and Settings\Jon\Local Settings\Temp\UAC347.tmp (Infected with W32/DNSChanger.EHVD)
Deleted file

C:\Documents and Settings\Jon\My Documents\Jon\Music\atomship-thecrashof47.rar/CMT (Error whilst scanning file: I/O Error (0x00220000))

C:\Documents and Settings\Jon\My Documents\Jon\Music\Best_Of_Simon___Garfunkel.rar/CMT (Error whilst scanning file: I/O Error (0x00220000))

C:\Documents and Settings\Jon\My Documents\Jon\Music\GDD.rar/CMT (Error whilst scanning file: I/O Error (0x00220000))

C:\Documents and Settings\Jon\My Documents\Jon\Music\i-my.rar/CMT (Error whilst scanning file: I/O Error (0x00220000))

C:\Documents and Settings\Jon\My Documents\Jon\Music\Revis-PlacesForBreathing.rar/CMT (Error whilst scanning file: I/O Error (0x00220000))

C:\Documents and Settings\Jon\My Documents\Jon\Music\The_Sounds_Of_Animals_Fighting_-_Tiger___The_Duke__2005_.rar/CMT (Error whilst scanning file: I/O Error (0x00220000))

C:\Documents and Settings\Jon\My Documents\My Games\Age of Empires 3\Data\uipersonastats1-baLthasar.xml (Error opening file: Not found)

C:\Documents and Settings\Jon\My Documents\My Games\Age of Empires 3\Data\uipersonastats1-XuShèn.xml (Error opening file: Not found)

C:\Documents and Settings\Jon\My Documents\My Games\Age of Empires 3\Data\uipersonastats1-_maSon_.xml (Error opening file: Not found)

C:\Documents and Settings\Jon\My Documents\My Games\Age of Empires 3\Data\uipersonastats2-baLthasar.xml (Error opening file: Not found)

C:\Documents and Settings\Jon\My Documents\My Games\Age of Empires 3\Data\uipersonastats2-XuShèn.xml (Error opening file: Not found)

C:\Documents and Settings\Jon\My Documents\My Games\Age of Empires 3\Data\uipersonastats2-_maSon_.xml (Error opening file: Not found)

C:\Documents and Settings\Jon\My Documents\My Games\Age of Empires 3\Data\uipersonastats4-XuShèn.xml (Error opening file: Not found)

C:\WINDOWS\system32\UACatgehroyputdixp.dat (Infected with Text/Tdss.A)
Deleted file

C:\WINDOWS\system32\UACatgehroyputdixp.dat (Infected with Text/Tdss.A)
Deleted file

C:\WINDOWS\system32\UACatgehroyputdixp.dat (Infected with Text/Tdss.A)
Deleted file

C:\WINDOWS\system32\UACatgehroyputdixp.dat (Infected with Text/Tdss.A)
Deleted file

C:\WINDOWS\system32\UACatgehroyputdixp.dat (Infected with Text/Tdss.A)
Deleted file
Too many infections/an unexpected error (Please contact support)

C:\WINDOWS\system32\UAChucexsprpypwfod.dll (Infected with W32/FakeAlert.NEU)
File marked for defered cleaning (reboot required)

C:\WINDOWS\system32\UAClpurxnmnrrwksyp.dll (Infected with W32/FakeAlert.NTW)
Deleted file

C:\WINDOWS\system32\UAClpurxnmnrrwksyp.dll (Infected with W32/FakeAlert.NTW)
Deleted file

C:\WINDOWS\system32\UAClpurxnmnrrwksyp.dll (Infected with W32/FakeAlert.NTW)
Deleted file

C:\WINDOWS\system32\UAClpurxnmnrrwksyp.dll (Infected with W32/FakeAlert.NTW)
Deleted file

C:\WINDOWS\system32\UAClpurxnmnrrwksyp.dll (Infected with W32/FakeAlert.NTW)
Deleted file
Too many infections/an unexpected error (Please contact support)

C:\WINDOWS\system32\UACohmxevdncsfykjm.dll (Error whilst scanning file: I/O Error (0x00000001))

C:\WINDOWS\system32\drivers\UACsvpipvqlclmexla.sys (Error whilst scanning file: I/O Error (0x00000001))

Scanning: c:\System Volume Information\*.*


Running post-scan cleanup routine:

Number of files found: 272168
Number of archives unpacked: 2691
Number of files scanned: 272095
Number of files not scanned: 73
Number of files skipped due to exclude list: 0
Number of infected files found: 7
Number of infected files repaired/deleted: 26
Number of infections removed: 26
Total scanning time: 5h 29m 58s
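The log above shows what Norman removed, but for an infection of this kind the more useful question is what it could not remove. The following Python, added here and not part of the post or of Norman's tooling, parses an excerpt of that log (constructed from the lines above) and pulls out three things: the DLLs that were in AppInit_DLLs before the cleaner emptied it, one entry per distinct infected file instead of the repeated "Deleted file" reports, and the items that still need attention after the scan: an infected file only scheduled for cleaning at reboot, and files under system32 the scanner could not read at all.

```python
"""Triage a Norman Malware Cleaner log: what did the scan leave behind?

Added example, not code from the post or from Norman. It assumes the layout
seen in the log above: a path followed by a parenthesised note, an optional
action line right after it, and the pre-scan "Set registry value" lines.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: an excerpt of the Norman log posted above.
SAMPLE_LOG = r'''
Set registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS = "C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL,c:\progra~1\Manson\liser.dll" -> ""
Removed registry value: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -> DisableRegistryTools = 0x00000000

C:\Documents and Settings\Jon\DoctorWeb\Quarantine\UACa6da.tmp (Infected with W32/FakeAlert.NEU)
Deleted file

C:\Documents and Settings\Jon\DoctorWeb\Quarantine\UACa6da.tmp (Infected with W32/FakeAlert.NEU)
Deleted file
Too many infections/an unexpected error (Please contact support)

C:\Documents and Settings\Jon\Local Settings\Temp\UAC347.tmp (Infected with W32/DNSChanger.EHVD)
Deleted file

C:\Documents and Settings\Jon\My Documents\Jon\Music\GDD.rar/CMT (Error whilst scanning file: I/O Error (0x00220000))

C:\WINDOWS\system32\UACatgehroyputdixp.dat (Infected with Text/Tdss.A)
Deleted file

C:\WINDOWS\system32\UAChucexsprpypwfod.dll (Infected with W32/FakeAlert.NEU)
File marked for defered cleaning (reboot required)

C:\WINDOWS\system32\UACohmxevdncsfykjm.dll (Error whilst scanning file: I/O Error (0x00000001))

C:\WINDOWS\system32\drivers\UACsvpipvqlclmexla.sys (Error whilst scanning file: I/O Error (0x00000001))
'''

# "<drive>:\<path> (<note>)"; the greedy path group backtracks so nested
# parentheses such as "I/O Error (0x00000001)" stay inside the note.
ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+) \((?P<note>Infected with .+|Error .+)\)$")
REG_RE = re.compile(r"^(Set|Removed) registry value: .+$")
APPINIT_RE = re.compile(r'AppInit_DLLS = "(?P<old>[^"]*)" -> "(?P<new>[^"]*)"')


@dataclass(frozen=True)
class FileEntry:
    path: str
    note: str    # "Infected with <name>" or "Error ..."
    action: str  # "Deleted file", "File marked for defered cleaning ...", or ""

    @property
    def malware(self) -> str:
        return self.note[14:] if self.note.startswith("Infected with ") else ""


def parse_norman_log(text: str) -> Tuple[List[str], List[FileEntry]]:
    """Return (registry change lines, file entries) in log order."""
    lines = [ln.strip() for ln in text.splitlines()]
    registry: List[str] = []
    entries: List[FileEntry] = []
    i = 0
    while i < len(lines):
        if REG_RE.match(lines[i]):
            registry.append(lines[i])
        m = ENTRY_RE.match(lines[i])
        if m:
            # The action, when Norman reports one, is the very next line.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            action = nxt if nxt and not ENTRY_RE.match(nxt) else ""
            entries.append(FileEntry(m["path"], m["note"], action))
            if action:
                i += 1
        i += 1
    return registry, entries


def unique_infections(entries: List[FileEntry]) -> Dict[str, str]:
    """Collapse the repeated 'Deleted file' reports to one path -> malware name."""
    return {e.path: e.malware for e in entries if e.malware}


def needs_attention(entries: List[FileEntry]) -> List[FileEntry]:
    """Items the scan did not resolve: infections only scheduled for cleanup at
    reboot, and files under system32 the scanner could not read at all, which
    is how a still-active rootkit driver tends to show up in a scan log."""
    out = []
    for e in entries:
        if e.malware and e.action != "Deleted file":
            out.append(e)
        elif e.note.startswith("Error") and "\\windows\\system32\\" in e.path.lower():
            out.append(e)
    return out


def appinit_dlls(registry: List[str]) -> List[str]:
    """DLLs listed in AppInit_DLLs before the cleaner emptied it; each one was
    loaded into every process that loaded user32.dll."""
    for line in registry:
        m = APPINIT_RE.search(line)
        if m:
            return [p for p in m["old"].split(",") if p]
    return []


if __name__ == "__main__":
    reg, ents = parse_norman_log(SAMPLE_LOG)
    print("AppInit_DLLs entries:", appinit_dlls(reg))
    print("distinct infections:", sorted(unique_infections(ents)))
    for e in needs_attention(ents):
        print("still needs attention:", e.path, "|", e.action or e.note)
```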

#8 quietman7


Posted 26 June 2009 - 06:40 AM

Please download RootRepeal Rootkit Detector and save it to your Desktop.
alternate download link 1
  • Disconnect from the Internet as your system will be unprotected while using this tool.
  • Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
  • Click this link to see a list of such programs and how to disable them.
  • Create a new folder on your hard drive called RootRepeal (C:\RootRepeal) and extract (unzip) RootRepeal.zip. (click here if you're not sure how to do this. Vista users refer to this link.)
  • Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
  • Click on the Files tab, then click the Scan button.
  • In the Select Drives dialog, Please select drives to scan: select all drives showing, then click OK.
  • When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
  • Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
  • Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".

#9 CoR_Oktober


Posted 26 June 2009 - 09:32 AM

Here is the log.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/06/26 10:30
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xB6621000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xBA5E4000 Size: 4224 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xB8D75000 Size: 196224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xB92CC000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rimmptsk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
Address: 0xBA410000 Size: 28544 File Visible: - Signed: -
Status: -

Name: rimsptsk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
Address: 0xB930C000 Size: 51328 File Visible: - Signed: -
Status: -

Name: rixdptsk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
Address: 0xB8ECC000 Size: 307968 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB34E5000 Size: 49152 File Visible: No Signed: -
Status: -

Name: s24trans.sys
Image Path: C:\WINDOWS\system32\DRIVERS\s24trans.sys
Address: 0xB4685000 Size: 13568 File Visible: - Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xBA380000 Size: 24576 File Visible: - Signed: -
Status: -

Name: SASKUTIL.sys
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0xB664C000 Size: 135168 File Visible: - Signed: -
Status: -

Name: savonaccesscontrol.sys
Image Path: C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys
Address: 0xB6845000 Size: 104704 File Visible: - Signed: -
Status: -

Name: savonaccessfilter.sys
Image Path: C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys
Address: 0xBA228000 Size: 35584 File Visible: - Signed: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS
Address: 0xB9E8F000 Size: 98304 File Visible: - Signed: -
Status: -

Name: sdbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\sdbus.sys
Address: 0xB8F18000 Size: 79232 File Visible: - Signed: -
Status: -

Name: spic.sys
Image Path: spic.sys
Address: 0xB9EA7000 Size: 1048576 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xB9DC1000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xB410E000 Size: 333952 File Visible: - Signed: -
Status: -

Name: sscdbhk5.sys
Image Path: C:\WINDOWS\system32\drivers\sscdbhk5.sys
Address: 0xBA5C4000 Size: 5568 File Visible: - Signed: -
Status: -

Name: ssrtln.sys
Image Path: C:\WINDOWS\system32\drivers\ssrtln.sys
Address: 0xBA350000 Size: 23488 File Visible: - Signed: -
Status: -

Name: sthda.sys
Image Path: C:\WINDOWS\system32\drivers\sthda.sys
Address: 0xB6BE6000 Size: 1013216 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xBA5CA000 Size: 4352 File Visible: - Signed: -
Status: -

Name: SynTP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\SynTP.sys
Address: 0xB8E9D000 Size: 191936 File Visible: - Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB3F5E000 Size: 60800 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xB677D000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xBA480000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xBA1A8000 Size: 40704 File Visible: - Signed: -
Status: -

Name: tfsnboio.sys
Image Path: C:\WINDOWS\system32\dla\tfsnboio.sys
Address: 0xBA3B8000 Size: 25824 File Visible: - Signed: -
Status: -

Name: tfsncofs.sys
Image Path: C:\WINDOWS\system32\dla\tfsncofs.sys
Address: 0xB66ED000 Size: 34784 File Visible: - Signed: -
Status: -

Name: tfsndrct.sys
Image Path: C:\WINDOWS\system32\dla\tfsndrct.sys
Address: 0xBA7C1000 Size: 4064 File Visible: - Signed: -
Status: -

Name: tfsndres.sys
Image Path: C:\WINDOWS\system32\dla\tfsndres.sys
Address: 0xBA7BB000 Size: 2176 File Visible: - Signed: -
Status: -

Name: tfsnifs.sys
Image Path: C:\WINDOWS\system32\dla\tfsnifs.sys
Address: 0xB47D7000 Size: 86528 File Visible: - Signed: -
Status: -

Name: tfsnopio.sys
Image Path: C:\WINDOWS\system32\dla\tfsnopio.sys
Address: 0xB4915000 Size: 15168 File Visible: - Signed: -
Status: -

Name: tfsnpool.sys
Image Path: C:\WINDOWS\system32\dla\tfsnpool.sys
Address: 0xBA654000 Size: 6304 File Visible: - Signed: -
Status: -

Name: tfsnudf.sys
Image Path: C:\WINDOWS\system32\dla\tfsnudf.sys
Address: 0xB47BE000 Size: 98656 File Visible: - Signed: -
Status: -

Name: tfsnudfa.sys
Image Path: C:\WINDOWS\system32\dla\tfsnudfa.sys
Address: 0xB47A5000 Size: 100544 File Visible: - Signed: -
Status: -

Name: UACsvpipvqlclmexla.sys
Image Path: C:\WINDOWS\system32\drivers\UACsvpipvqlclmexla.sys
Address: 0xB6811000 Size: 81920 File Visible: - Signed: -
Status: Hidden from Windows API!

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB8D17000 Size: 384768 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xBA5C2000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xBA408000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xBA208000 Size: 59520 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB8F2C000 Size: 147456 File Visible: - Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xBA400000 Size: 20608 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xBA388000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB8F78000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xBA0C8000 Size: 52352 File Visible: - Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xBA268000 Size: 34560 File Visible: - Signed: -
Status: -

Name: wanatw4.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanatw4.sys
Address: 0xBA498000 Size: 20512 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xBA3C8000 Size: 20480 File Visible: - Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xB3939000 Size: 83072 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: wmiacpi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Address: 0xBA584000 Size: 8832 File Visible: - Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS
Address: 0xBA5AA000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2150400 File Visible: - Signed: -
Status: -

Edited by CoR_Oktober, 26 June 2009 - 09:33 AM.


#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,600 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:22 AM

Posted 26 June 2009 - 03:52 PM

I was not able to find any info on this file -> arnhugz8.SYS

Are you using Daemon Tools? It uses rootkit-like techniques to hide from other applications and to circumvent copy protection schemes. Some of its files often lead to false reports by antivirus or ARK software. It uses semi-random names but always with a*******.sys and is 8 characters long (combination of letters/numbers). Files are renamed on every reboot. I have read that the name changing routine may be due to the fact that Daemon Tools is sometimes used to circumvent anti-piracy measures in games so the player does not have to keep swapping out CDs. The name change may be an attempt to stop the anti-piracy systems detecting its presence.

If not Daemon Tools, then are you using Alcohol 120% or AnyDVD, which have similar capabilities? AnyDVD uses a driver that allows decryption of DVDs on-the-fly, and targeted removal of copy preventions and user operation prohibitions.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
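The RootRepeal driver list posted above and quietman7's description of the Daemon Tools naming pattern both come down to the same triage question: which entries in a driver list deserve a second look? As an added example (not code from either poster or from the RootRepeal project), the script below parses the "Name / Image Path / Address ... / Status" block format shown in the log and flags three things: a Status other than "-" (the UACsvpipvqlclmexla.sys entry reports "Hidden from Windows API!"), a driver whose image is not visible on disk, and a name matching the a*******.sys pattern described above, which is reported as "confirm first" rather than as malware. The sample log is a constructed excerpt: four entries are copied from the log above; the arnhugz8.SYS entry is constructed with a made-up path, address and size, because its real entry is not on this page. rootrepeal.sys is allowlisted as the ARK tool's own driver.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the RootRepeal driver-list format posted in this thread.
# The first four entries are copied from the log above; the arnhugz8.SYS entry is
# CONSTRUCTED (path, address and size are placeholders, not from the real log).
SAMPLE_LOG = r"""
Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xB672F000 Size: 162816 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB34E5000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: UACsvpipvqlclmexla.sys
Image Path: C:\WINDOWS\system32\drivers\UACsvpipvqlclmexla.sys
Address: 0xB6811000 Size: 81920 File Visible: - Signed: -
Status: Hidden from Windows API!

Name: arnhugz8.SYS
Image Path: C:\WINDOWS\System32\Drivers\arnhugz8.SYS
Address: 0xBA000000 Size: 65536 File Visible: - Signed: -
Status: -
"""


@dataclass
class DriverEntry:
    name: str
    image_path: str
    address: int
    size: int
    file_visible: str  # "-" (nothing reported) or "No"
    signed: str
    status: str


# One entry is exactly four consecutive lines in this format.
ENTRY_RE = re.compile(
    r"Name: (?P<name>.+)\n"
    r"Image Path: (?P<path>.+)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) "
    r"File Visible: (?P<vis>\S+) Signed: (?P<signed>\S+)\n"
    r"Status: (?P<status>.+)"
)

# Drivers we expect to see reported as not visible: the ARK tool's own driver.
EXPECTED_TOOL_DRIVERS = {"rootrepeal.sys"}

# The naming scheme quietman7 describes: 'a' plus seven letters/digits, .sys extension.
DAEMON_STYLE_NAME = re.compile(r"^a[a-z0-9]{7}\.sys$", re.IGNORECASE)


def parse_rootrepeal_drivers(text: str) -> list:
    """Turn the driver-list text into DriverEntry objects."""
    return [
        DriverEntry(
            name=m["name"].strip(),
            image_path=m["path"].strip(),
            address=int(m["addr"], 16),
            size=int(m["size"]),
            file_visible=m["vis"],
            signed=m["signed"],
            status=m["status"].strip(),
        )
        for m in ENTRY_RE.finditer(text)
    ]


def hidden_drivers(entries: list) -> list:
    """Names whose Status field reports anything other than '-'."""
    return [e.name for e in entries if e.status != "-"]


def triage(entries: list) -> dict:
    """Map each suspicious driver name to the list of reasons it was flagged."""
    findings = {}
    for e in entries:
        reasons = []
        if e.status != "-":
            reasons.append(f"status reported as '{e.status}'")
        if e.file_visible == "No" and e.name.lower() not in EXPECTED_TOOL_DRIVERS:
            reasons.append("driver image not visible on disk")
        if DAEMON_STYLE_NAME.match(e.name):
            reasons.append("randomised a???????.sys name matches the Daemon Tools "
                           "pattern; confirm the product is installed before "
                           "treating it as malware")
        if reasons:
            findings[e.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_rootrepeal_drivers(SAMPLE_LOG)).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

The point of separating the three checks is that they carry different weight: a driver that the kernel reports as hidden from the Windows API is the strongest signal in the list, a not-visible image is worth a question (as it was for sptd here), and a name-pattern match only tells you to ask the user what emulation software they have installed, which is exactly the question quietman7 asked.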

#11 CoR_Oktober

CoR_Oktober
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:22 AM

Posted 26 June 2009 - 07:34 PM

Yes, I do have Daemon Tools downloaded onto my computer.

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,600 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:22 AM

Posted 27 June 2009 - 05:49 AM

Ok then. How is your computer running now? Are there any more reports/signs of infection?

#13 CoR_Oktober

CoR_Oktober
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:22 AM

Posted 27 June 2009 - 09:36 AM

Yes. My computer does not start up correctly every time. It seems to freeze. And there are errors upon start up. Also, Google's searches do not bring up the correct URL if you click on the link. You have to copy and paste the link to get to the correct site.

I guess I will just reformat the computer. Should I go ahead and do that?

#14 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,600 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:22 AM

Posted 27 June 2009 - 03:45 PM

Your decision as to what action to take should be made by reading and asking yourself the questions presented in the "When should I re-format?" and What Do I Do? links previously provided. As I already said, in some instances the malware may leave so many remnants behind that security tools cannot find them and your system cannot be completely cleaned, repaired or trusted. Reinstalling Windows without first wiping the entire hard drive with a repartition/reformat will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Starting over by reformatting, and performing a clean install of the OS or doing a factory restore with a vendor-specific Recovery Disk or Recovery Partition removes everything and is the safest action, but I cannot make that decision for you.

Reformatting a hard disk deletes all data. Should you decide to reformat, you can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, and .html) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executable files inside them, as some types of malware can penetrate and infect .exe files within compressed files too. Other types of malware may even disguise themselves by adding and hiding their extension to the existing extension of file(s), so be sure you look closely at the full file name. After reformatting, scan the backed up data with your anti-virus prior to copying it back to your hard drive.

Should you decide to reformat and you're not sure how to do that or need help, please review: These links include step-by-step instructions with screenshots: Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Also see How to keep your Windows XP activation after clean install. Vista users can refer to these instructions: Don't forget you will have to go to Microsoft Update and apply all Windows security patches after reformatting.

Note: If you're using an IBM, Sony, HP, Compaq or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. See Technology Advisory Recovery Media.

If you need additional assistance with reformatting or have questions about multiple hard drives, you can start a new topic in the Windows XP Home and Professional forum. If you don't get a reply, please send me a PM and I will get someone to take a look.
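The backup advice in the post above (skip executables, screensavers, autorun and script files, check archives for executables inside them, and read the full file name so a hidden second extension is not missed) can be turned into a pre-backup screening step. The script below is an added example, not quietman7's or BleepingComputer's code: it classifies each candidate file as copy, skip or inspect by looking at every extension in the name, opens .zip archives to look for executable members, and leaves .cab/.rar for manual inspection. The extension list is the post's list extended with a few other executable types (.com, .bat, .cmd, .pif, .vbs) and autorun.inf; the sample file names and the in-memory zip are constructed for the example.

```python
import io
import zipfile
from pathlib import PureWindowsPath

# The post's do-not-back-up list (.exe, .scr, .ini, .php, .asp, .html) extended here
# with other executable types and the autorun.inf file name (editor's addition).
RISKY_SUFFIXES = {".exe", ".scr", ".ini", ".inf", ".php", ".asp", ".html",
                  ".com", ".bat", ".cmd", ".pif", ".vbs"}
ARCHIVE_SUFFIXES = {".zip", ".cab", ".rar"}


def screen_name(name: str) -> tuple:
    """Decide ('copy' | 'skip' | 'inspect', reason) for one file name.

    Every extension is examined, so 'holiday.jpg.exe' is treated as an .exe even
    though Windows may show it as 'holiday.jpg' when known extensions are hidden.
    """
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    if not suffixes:
        return ("copy", "no extension")
    last = suffixes[-1]
    if last in RISKY_SUFFIXES:
        if len(suffixes) > 1:
            return ("skip", f"double extension {''.join(suffixes)}: real type is {last}")
        return ("skip", f"{last} files may carry malware")
    if last in ARCHIVE_SUFFIXES:
        return ("inspect", "archive: members must be checked for executables")
    return ("copy", "data file")


def screen_zip(data: bytes) -> list:
    """Return the member names inside a zip that screen_name would skip."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [m for m in zf.namelist() if screen_name(m)[0] == "skip"]


def plan_backup(files: dict) -> dict:
    """files maps a file name to its bytes (for archives) or None.

    Returns {name: (decision, reason)}; zip archives are opened and checked,
    other archive types are left for manual inspection.
    """
    plan = {}
    for name, data in files.items():
        decision, reason = screen_name(name)
        if decision == "inspect":
            if data is not None and PureWindowsPath(name).suffix.lower() == ".zip":
                bad = screen_zip(data)
                if bad:
                    decision, reason = "skip", "archive contains executables: " + ", ".join(bad)
                else:
                    decision, reason = "copy", "archive members are all data files"
            else:
                reason = "archive type not opened here; check its members by hand"
        plan[name] = (decision, reason)
    return plan


def build_sample_zip() -> bytes:
    """Constructed zip: two harmless members and one screensaver with a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("family/reunion.jpg", b"not really a jpeg")
        zf.writestr("family/reunion.jpg.scr", b"not really a screensaver")
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


def sample_files() -> dict:
    """Constructed set of candidate files for the backup."""
    return {
        "Documents\\thesis.docx": None,
        "Pictures\\holiday.jpg.exe": None,
        "Downloads\\tool.scr": None,
        "Backup\\photos.zip": build_sample_zip(),
        "Downloads\\old.rar": None,
    }


if __name__ == "__main__":
    for name, (decision, reason) in plan_backup(sample_files()).items():
        print(f"{decision:8} {name}  ({reason})")
```

Nothing here replaces the anti-virus scan the post recommends after the reformat; the screening only keeps the file types most likely to carry the infection out of the backup set in the first place, and it reports why each file was held back so the owner can make the final call.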

#15 CoR_Oktober

CoR_Oktober
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:05:22 AM

Posted 28 June 2009 - 01:41 PM

I reformatted the computer so this topic can probably be closed.



