
Hiloti + Google hijack


  • This topic is locked
53 replies to this topic

#31 DaveGK

  • Topic Starter

Posted 08 January 2010 - 11:18 PM

I noticed tonight my computer seemed glitchy or laggy. It occurs when ESET NOD32's real-time file system protection is enabled and I move, copy, or download .exe files such as OTL.exe.

Also, there's a brief flash in the upper-left corner of my screen when this happens.

I don't think this was happening before I ran ComboFix with CFScript.

Edited by DaveGK, 08 January 2010 - 11:19 PM.




#32 syler

  • Malware Response Team

Posted 10 January 2010 - 02:35 AM

Hi,

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



Download and Run Kaspersky Virus Removal Tool
Please disable all anti-malware protection before running this tool. Refer to this page if you are not sure how.
  • Go here then click on the link to download the Kaspersky virus removal tool. Save the installer on your desktop.
  • Double click the installer and follow the prompts. Kaspersky Virus Removal Tool will open after the installation.
  • Close out of the program. When asked to uninstall, select No.
  • Now you need to reboot your computer and go into safe mode before scanning, see here
  • Once in safe mode open Kaspersky, under the "Automatic Scan" tab, check off all the boxes.
  • Click in the Settings box. Set the "Security Level" to High.
  • Change the Action settings to Do not Prompt for Action. UNcheck Disinfect and Delete if disinfection fails. Click Ok to apply the settings.
  • Select Scan. Please be patient while the scan completes.
  • When the scan is finished, click the Report... button in the lower middle, select Save to file..., and save it onto your desktop as "report".
  • Close out of the program. When asked to uninstall, select Yes.
  • Reply back with the report saved on your desktop.

Also please run Gmer again, then post back with the Kaspersky results and the new Gmer log.

Thanks



#33 DaveGK

  • Topic Starter

Posted 11 January 2010 - 04:11 AM

I ran TFC.

My computer is rebooting itself again when I try to boot up into safe mode. Running chkdsk c: /f didn't fix it. It loads a bunch of .sys files and then reboots.

Edited by DaveGK, 11 January 2010 - 04:13 AM.


#34 syler

  • Malware Response Team

Posted 11 January 2010 - 05:17 PM

Do you have a Windows XP disk? If so, try running sfc /scannow from the command prompt. If any files are missing it will ask you to insert your XP CD to replace them; once it is done, try booting into safe mode again.



#35 DaveGK

  • Topic Starter

Posted 12 January 2010 - 12:49 AM

^ Yes, I have a Windows XP disk. I ran sfc /scannow. It asked me to insert the Windows XP disk, but it gave me no output when it had finished scanning. The dialog box with the progress bar simply closed. It obviously did something though because when I restarted, my display settings had been set to a low resolution. Also, now there's an exclamation mark next to my video card in Device Manager, and scrolling down through web pages like this one is very sluggish.

I still can't boot into Safe Mode. It restarts at the same point as yesterday. I can't quite read the name of the .sys file before it restarts, but it's very strange. It looks like a bunch of numbers with ".sys" at the end. I tried logging the boot process, but it doesn't seem to create the log file. The log file that's in the Windows directory is the same that got created back in December.

#36 syler

  • Malware Response Team

Posted 12 January 2010 - 08:06 PM

Please run Kaspersky in normal mode for now; also update MBAM, run a scan with that, and post the logs. You can get a new boot log by deleting ntbtlog.txt and then running boot logging again; you can post that log also.



#37 DaveGK

  • Topic Starter

Posted 16 January 2010 - 10:15 AM

I still can't get an ntbtlog.txt when trying to boot up into safe mode. At most, one line will appear about kmixer.sys loading successfully. Also, when trying to boot up into safe mode, it has stopped displaying the line about trying to load [bunch of numbers].sys. I'm not sure why that should be the case; all I've done to my system is to uninstall the ATI display drivers and Catalyst Control Center and then reinstall the same version I had before. I did this because the ATI display drivers stopped working after running sfc /scannow. Now the last line that appears when booting up into Safe Mode is once again about loading mup.sys, as it was earlier in this thread, although that time running chkdsk c:/f fixed the problem.

Here's the boot log I get when booting Windows normally:
===========================================

Service Pack 3 1 16 2010 10:06:22.500
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\System32\DRIVERS\1394BUS.SYS
Loaded driver pciide.sys
Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver pavboot.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver nvatabus.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver Lbd.sys
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver nv_agp.sys
Loaded driver Mup.sys
Loaded driver 16876832.sys
Loaded driver \SystemRoot\system32\DRIVERS\AmdPPM.sys
Loaded driver \SystemRoot\System32\DRIVERS\usbohci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\System32\DRIVERS\nvnetbus.sys
Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\System32\Drivers\GEARAspiWDM.sys
Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ati2mtag.sys
Loaded driver \SystemRoot\system32\DRIVERS\hcwPVRP2.sys
Loaded driver \SystemRoot\system32\drivers\ctoss2k.sys
Loaded driver \SystemRoot\System32\drivers\ctprxy2k.sys
Loaded driver \SystemRoot\system32\drivers\ctaud2k.sys
Loaded driver \SystemRoot\system32\drivers\dmx6fire.sys
Loaded driver \SystemRoot\system32\drivers\dmxsens.sys
Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\System32\DRIVERS\serial.sys
Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\parport.sys
Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\System32\DRIVERS\psched.sys
Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\System32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\System32\DRIVERS\update.sys
Loaded driver \SystemRoot\System32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\System32\DRIVERS\NVENETFD.sys
Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Loaded driver \SystemRoot\System32\Drivers\LHidUsb.Sys
Loaded driver \SystemRoot\system32\DRIVERS\LHidFlt2.Sys
Loaded driver \SystemRoot\System32\DRIVERS\mouhid.sys
Loaded driver \SystemRoot\system32\DRIVERS\LMouFlt2.Sys
Loaded driver \SystemRoot\system32\DRIVERS\1687683.sys
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\system32\DRIVERS\ehdrv.sys
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\system32\DRIVERS\epfwtdir.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\DRIVERS\processr.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\system32\DRIVERS\16876831.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\eamon.sys
Loaded driver \SystemRoot\System32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\drivers\BrPar.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Loaded driver \SystemRoot\System32\DRIVERS\ipfltdrv.sys
Loaded driver \SystemRoot\System32\DRIVERS\srv.sys
Loaded driver \SystemRoot\System32\DRIVERS\secdrv.sys
Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Edited by DaveGK, 16 January 2010 - 10:48 AM.


#38 DaveGK

  • Topic Starter

Posted 16 January 2010 - 10:28 AM

Kaspersky detected Rootkit.Win32.TDSS.d in System Memory. It offered to restart my computer and try to remove it; I told it not to do that at this time. I couldn't find the button to save the Kaspersky log. Here's a screencap of the report window when the scan completed:
[Attached file: kaper.jpg]

#39 DaveGK

  • Topic Starter

Posted 16 January 2010 - 10:43 AM

Flipping through the tabs in GMER, I found the following:

Under modules:
16876832.sys
16876831.sys

One of these may have been the [bunch of numbers].sys I saw when I tried booting into Safe Mode, but I'm not sure about that.

They also appear in the Services tab, and 16876832.sys has the description "16876832 Boot Guard". 16876831.sys has no description except "16876831".

GMER lists both files as being in the system32\DRIVERS\ directory.

Here's the GMER log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-16 09:47:36
Windows 5.1.2600 Service Pack 3
Running: y9qf6x24.exe; Driver: C:\DOCUME~1\David\LOCALS~1\Temp\fxtdypob.sys


---- System - GMER 1.0.15 ----

SSDT 861C28A0 ZwAssignProcessToJobObject
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF75CC87E]
SSDT 861C1CB0 ZwOpenProcess
SSDT 861C20D0 ZwOpenThread
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF75CCBFE]
SSDT 861C26D0 ZwSuspendProcess
SSDT 861C24F0 ZwSuspendThread
SSDT 861C1EE0 ZwTerminateProcess
SSDT 861C2310 ZwTerminateThread

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

---- Threads - GMER 1.0.15 ----

Thread System [4:392] 861C0930

---- EOF - GMER 1.0.15 ----
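As an added, defender-side example (not code posted by anyone in this thread), the script below parses ntbtlog.txt-style lines like the boot log posted above, flags loaded drivers whose file name is purely numeric (as 16876832.sys and 16876831.sys are, while 1394BUS.SYS is not), lists drivers the kernel did not load, and cross-checks the flagged names against the names from the GMER Modules tab. The sample lines are constructed from the log in this thread, not the complete log.

```python
import re

# Constructed sample of ntbtlog.txt-style lines, modelled on the boot log
# posted earlier in this thread (not the complete log).
SAMPLE_BOOT_LOG = r"""Service Pack 3 1 16 2010 10:06:22.500
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver Mup.sys
Loaded driver 16876832.sys
Loaded driver \SystemRoot\system32\DRIVERS\1687683.sys
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\DRIVERS\16876831.sys
Loaded driver \SystemRoot\System32\DRIVERS\1394BUS.SYS
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
"""

# Names shown under the GMER "Modules" tab in this thread.
GMER_MODULES = ["16876832.sys", "16876831.sys"]

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(\S.*?)\s*$")


def parse_boot_log(text):
    """Yield (status, path, basename) for every driver line; skip the header."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        status, path = m.groups()
        basename = path.rsplit("\\", 1)[-1]   # bare names like Mup.sys carry no path
        yield status, path, basename


def is_numeric_name(basename):
    """True for names such as 16876832.sys: a .sys whose stem is digits only.
    Legitimate names that merely start with digits (1394BUS.SYS) are not flagged."""
    stem, _, ext = basename.rpartition(".")
    return ext.lower() == "sys" and stem.isdigit()


def flag_drivers(text):
    """Sorted list of loaded drivers with purely numeric file names."""
    return sorted({b for s, _p, b in parse_boot_log(text)
                   if s == "Loaded driver" and is_numeric_name(b)})


def load_failures(text):
    """Sorted list of drivers the kernel reported it did not load."""
    return sorted({b for s, _p, b in parse_boot_log(text)
                   if s == "Did not load driver"})


def corroborated(text, gmer_modules=GMER_MODULES):
    """Flagged names that GMER also listed: two independent views agreeing
    is a stronger signal than either log on its own."""
    seen = {m.lower() for m in gmer_modules}
    return [b for b in flag_drivers(text) if b.lower() in seen]


if __name__ == "__main__":
    print("numeric-named drivers:", flag_drivers(SAMPLE_BOOT_LOG))
    print("also seen by GMER:    ", corroborated(SAMPLE_BOOT_LOG))
    print("not loaded:           ", load_failures(SAMPLE_BOOT_LOG))
```

Point the script at a real ntbtlog.txt by reading the file into `text` in place of the sample; a numeric-named driver is only a lead to verify with a rootkit scanner, not proof on its own.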

#40 DaveGK

  • Topic Starter

Posted 16 January 2010 - 10:44 AM

And the mbam log:

Malwarebytes' Anti-Malware 1.44
Database version: 3576
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/16/2010 10:04:10 AM
mbam-log-2010-01-16 (10-04-10).txt

Scan type: Quick Scan
Objects scanned: 118684
Time elapsed: 7 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#41 syler

  • Malware Response Team

Posted 17 January 2010 - 07:48 AM

Hi,

Please run the Kaspersky removal tool again; this time allow it to delete what it finds and reboot if necessary, then post a log or screenshot if you can get one.

Thanks



#42 DaveGK

  • Topic Starter

Posted 17 January 2010 - 04:36 PM

Here are the results. When Kaspersky detected the rootkit in memory, it stopped the scan it was doing and did a different type of scan. I've posted the log for both scans. Turns out the trick is to right click on the results in the report window and pick "Select All" then "Copy." Also, when Kaspersky restarted my computer at the end of the scan of active threats, I got a Windows dialog warning me that a Logitech DLL wasn't a valid Windows image and I should compare it against my installation disk. I didn't quite catch the name of the DLL in the dialog box before Windows restarted. I'm sure I still have the Logitech installation disk that came with my mouse, but I'm not sure where it is. Also, I may be running a more recent version of the software/drivers I got off Logitech's site rather than the version that came with the disk. The message in the dialog box about the DLL not being a valid Windows image doesn't appear to have been logged in any of the Windows event logs.

Autoscan: completed 2 days ago (events: 20, objects: 435020, time: 01:52:25)
Autoscan: stopped 24 minutes ago (events: 11, objects: 138915, time: 00:43:40)
1/17/2010 15:28:23 Task started
1/17/2010 15:30:51 Processing error C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Outlook\Davidhttpus.mg2.mail.y-00000001.pst Read error
1/17/2010 15:33:13 Detected: http://www.viruslist.com/en/advisories/37584 C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll
1/17/2010 15:38:57 Detected: http://www.viruslist.com/en/advisories/34326 C:\Program Files\Garmin GPS Plugin\npGarmin.dll
1/17/2010 15:46:38 Detected: http://www.viruslist.com/en/advisories/23841 C:\Program Files\SecureCRT\SecureCRT.EXE
1/17/2010 16:07:50 Detected: http://www.viruslist.com/en/advisories/37584 C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
1/17/2010 16:09:29 Detected: Rootkit.Win32.TDSS.d Unknown application
1/17/2010 16:09:29 Cannot be backed up: Rootkit.Win32.TDSS.d Unknown application
1/17/2010 16:10:38 Detected: http://www.viruslist.com/en/advisories/37690 C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
1/17/2010 16:11:47 Detected: Rootkit.Win32.TDSS.d System Memory
1/17/2010 16:12:03 Task stopped
Disinfect active threats: completed 19 minutes ago (events: 11, objects: 4158, time: 00:04:48)
1/17/2010 16:12:02 Task started
1/17/2010 16:12:02 Detected: Rootkit.Win32.TDSS.d System Memory
1/17/2010 16:12:04 Detected: Rootkit.Win32.TDSS.y Unknown application
1/17/2010 16:12:04 Cannot be backed up: Rootkit.Win32.TDSS.y Unknown application
1/17/2010 16:12:05 Disinfected: Rootkit.Win32.TDSS.d System Memory
1/17/2010 16:12:05 Disinfected: Rootkit.Win32.TDSS.d System Memory
1/17/2010 16:14:07 Detected: Rootkit.Win32.TDSS.y C:\WINDOWS\System32\drivers\kav_nvatabus.sys
1/17/2010 16:14:08 Disinfected: Rootkit.Win32.TDSS.y C:\WINDOWS\System32\drivers\kav_nvatabus.sys
1/17/2010 16:14:09 Disinfected: Rootkit.Win32.TDSS.y C:\WINDOWS\System32\drivers\kav_nvatabus.sys
1/17/2010 16:14:34 Detected: http://www.viruslist.com/en/advisories/37690 C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
1/17/2010 16:16:50 Task completed

Edited by DaveGK, 17 January 2010 - 04:37 PM.


#43 DaveGK

  • Topic Starter

Posted 18 January 2010 - 01:06 AM

I ran another Kaspersky scan, and it didn't detect the rootkit:

Autoscan: completed 6 hours ago (events: 13, objects: 296237, time: 01:29:32)
1/17/2010 16:50:06 Task started
1/17/2010 16:53:51 Processing error C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Outlook\Davidhttpus.mg2.mail.y-00000001.pst Read error
1/17/2010 16:57:43 Detected: http://www.viruslist.com/en/advisories/37584 C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll
1/17/2010 17:03:59 Detected: http://www.viruslist.com/en/advisories/34326 C:\Program Files\Garmin GPS Plugin\npGarmin.dll
1/17/2010 17:11:31 Detected: http://www.viruslist.com/en/advisories/23841 C:\Program Files\SecureCRT\SecureCRT.EXE
1/17/2010 17:29:20 Detected: http://www.viruslist.com/en/advisories/37584 C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
1/17/2010 17:32:11 Detected: http://www.viruslist.com/en/advisories/37690 C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
1/17/2010 17:36:18 Processing error C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Outlook\Davidhttpus.mg2.mail.y-00000001.pst Read error
1/17/2010 17:38:43 Detected: http://www.viruslist.com/en/advisories/37584 C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll
1/17/2010 17:45:00 Detected: http://www.viruslist.com/en/advisories/34326 C:\Program Files\Garmin GPS Plugin\npGarmin.dll
1/17/2010 17:52:37 Detected: http://www.viruslist.com/en/advisories/23841 C:\Program Files\SecureCRT\SecureCRT.EXE
1/17/2010 18:10:28 Detected: http://www.viruslist.com/en/advisories/37584 C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
1/17/2010 18:19:38 Task completed

#44 DaveGK

  • Topic Starter

Posted 18 January 2010 - 01:54 AM

Trying to do the full RootRepeal scan still locks up my system. Doing some experimenting, I found out that trying to run the report with any of Files, Hidden Services, or Shadow SSDT checked would cause my system to freeze up. So here's the RootRepeal report with just Drivers, Processes, SSDT, and Stealth Objects checked:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/18 01:50
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\1394BUS.SYS
Address: 0xF757C000 Size: 57344 File Visible: - Signed: Yes
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF742D000 Size: 187776 File Visible: - Signed: Yes
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: Yes
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xA9285000 Size: 138496 File Visible: - Signed: Yes
Status: -

Name: AmdPPM.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AmdPPM.sys
Address: 0xF771C000 Size: 53248 File Visible: - Signed: Yes
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF73BF000 Size: 96512 File Visible: - Signed: Yes
Status: -

Name: ati2cqag.dll
Image Path: C:\WINDOWS\System32\ati2cqag.dll
Address: 0xBF058000 Size: 499712 File Visible: - Signed: No
Status: -

Name: ati2dvag.dll
Image Path: C:\WINDOWS\System32\ati2dvag.dll
Address: 0xBF012000 Size: 286720 File Visible: - Signed: No
Status: -

Name: ati2mtag.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
Address: 0xF609B000 Size: 4227072 File Visible: - Signed: No
Status: -

Name: ati3duag.dll
Image Path: C:\WINDOWS\System32\ati3duag.dll
Address: 0xBF16B000 Size: 3125248 File Visible: - Signed: No
Status: -

Name: atikvmag.dll
Image Path: C:\WINDOWS\System32\atikvmag.dll
Address: 0xBF0D2000 Size: 450560 File Visible: - Signed: No
Status: -

Name: atiok3x2.dll
Image Path: C:\WINDOWS\System32\atiok3x2.dll
Address: 0xBF140000 Size: 176128 File Visible: - Signed: No
Status: -

Name: ativvaxx.dll
Image Path: C:\WINDOWS\System32\ativvaxx.dll
Address: 0xBF466000 Size: 1667072 File Visible: - Signed: No
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: Yes
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xF7B6F000 Size: 3072 File Visible: - Signed: Yes
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7A92000 Size: 4224 File Visible: - Signed: Yes
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF796C000 Size: 12288 File Visible: - Signed: Yes
Status: -

Name: BrPar.sys
Image Path: C:\WINDOWS\System32\drivers\BrPar.sys
Address: 0xF12D5000 Size: 18400 File Visible: - Signed: No
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xA4766000 Size: 63744 File Visible: - Signed: Yes
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xF772C000 Size: 62976 File Visible: - Signed: Yes
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xF75BC000 Size: 53248 File Visible: - Signed: Yes
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF75AC000 Size: 36352 File Visible: - Signed: Yes
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF73D7000 Size: 153344 File Visible: - Signed: Yes
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF7A60000 Size: 5888 File Visible: - Signed: Yes
Status: -

Name: dmx6fire.sys
Image Path: C:\WINDOWS\system32\drivers\dmx6fire.sys
Address: 0xF5ED4000 Size: 86400 File Visible: - Signed: No
Status: -

Name: dmxsens.sys
Image Path: C:\WINDOWS\system32\drivers\dmxsens.sys
Address: 0xF5E71000 Size: 403968 File Visible: - Signed: No
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF777C000 Size: 61440 File Visible: - Signed: Yes
Status: -

Name: dump_nvatabus.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvatabus.sys
Address: 0xA3AF7000 Size: 81920 File Visible: No Signed: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A7E000 Size: 8192 File Visible: No Signed: No
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xA5EDB000 Size: 12288 File Visible: - Signed: Yes
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: Yes
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7C1F000 Size: 4096 File Visible: - Signed: Yes
Status: -

Name: eamon.sys
Image Path: C:\WINDOWS\system32\DRIVERS\eamon.sys
Address: 0xA181A000 Size: 835584 File Visible: - Signed: Yes
Status: -

Name: ehdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ehdrv.sys
Address: 0xAA7B9000 Size: 118784 File Visible: - Signed: Yes
Status: -

Name: epfwtdir.sys
Image Path: C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
Address: 0xA92A7000 Size: 102400 File Visible: - Signed: Yes
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xF7924000 Size: 27392 File Visible: - Signed: Yes
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF6539000 Size: 44544 File Visible: - Signed: Yes
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys
Address: 0xF1673000 Size: 20480 File Visible: - Signed: Yes
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF738B000 Size: 129792 File Visible: - Signed: Yes
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7A90000 Size: 7936 File Visible: - Signed: Yes
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF73FD000 Size: 125056 File Visible: - Signed: Yes
Status: -

Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xF7914000 Size: 21120 File Visible: - Signed: Yes
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806D0000 Size: 131840 File Visible: - Signed: Yes
Status: -

Name: hcwPVRP2.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hcwPVRP2.sys
Address: 0xF5FC2000 Size: 806464 File Visible: - Signed: No
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\System32\Drivers\HIDCLASS.SYS
Address: 0xF14B8000 Size: 36864 File Visible: - Signed: Yes
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\System32\Drivers\HIDPARSE.SYS
Address: 0xF1663000 Size: 28672 File Visible: - Signed: Yes
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0x9FEEA000 Size: 264832 File Visible: - Signed: Yes
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xF779C000 Size: 52480 File Visible: - Signed: Yes
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF775C000 Size: 42112 File Visible: - Signed: Yes
Status: -

Name: ipfltdrv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys
Address: 0xA156F000 Size: 32896 File Visible: - Signed: Yes
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xA91C4000 Size: 152832 File Visible: - Signed: Yes
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xA9341000 Size: 75264 File Visible: - Signed: Yes
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF755C000 Size: 37248 File Visible: - Signed: Yes
Status: -

Name: kav_nvatabus.sys
Image Path: kav_nvatabus.sys
Address: 0xF73AB000 Size: 79360 File Visible: - Signed: No
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xF792C000 Size: 24576 File Visible: - Signed: Yes
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7A5C000 Size: 8192 File Visible: - Signed: Yes
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0x9FBEF000 Size: 172416 File Visible: - Signed: Yes
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ks.sys
Address: 0xF64A3000 Size: 143360 File Visible: - Signed: Yes
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF7362000 Size: 92928 File Visible: - Signed: Yes
Status: -

Name: Lbd.sys
Image Path: Lbd.sys
Address: 0xF75CC000 Size: 57600 File Visible: - Signed: Yes
Status: -

Name: LHidFlt2.Sys
Image Path: C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys
Address: 0xF165B000 Size: 24320 File Visible: - Signed: Yes
Status: -

Name: LHidUsb.Sys
Image Path: C:\WINDOWS\System32\Drivers\LHidUsb.Sys
Address: 0xF14C8000 Size: 33504 File Visible: - Signed: Yes
Status: -

Name: LMouFlt2.Sys
Image Path: C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys
Address: 0xF14A8000 Size: 63328 File Visible: - Signed: Yes
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF7AA8000 Size: 4224 File Visible: - Signed: Yes
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xF794C000 Size: 23040 File Visible: - Signed: Yes
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouhid.sys
Address: 0xF18CA000 Size: 12160 File Visible: - Signed: Yes
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF758C000 Size: 42368 File Visible: - Signed: Yes
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xA14B2000 Size: 180608 File Visible: - Signed: Yes
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xA91EA000 Size: 455296 File Visible: - Signed: Yes
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF795C000 Size: 19072 File Visible: - Signed: Yes
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xF6579000 Size: 35072 File Visible: - Signed: Yes
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xF7A1C000 Size: 15488 File Visible: - Signed: Yes
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF728E000 Size: 105344 File Visible: - Signed: Yes
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF72A8000 Size: 182656 File Visible: - Signed: Yes
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xF7A04000 Size: 10112 File Visible: - Signed: Yes
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xF2EE1000 Size: 14592 File Visible: - Signed: Yes
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xF5E46000 Size: 91520 File Visible: - Signed: Yes
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF16E2000 Size: 40576 File Visible: - Signed: Yes
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xF6559000 Size: 34688 File Visible: - Signed: Yes
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xA92C0000 Size: 162816 File Visible: - Signed: Yes
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF7964000 Size: 30848 File Visible: - Signed: Yes
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF72D5000 Size: 574976 File Visible: - Signed: Yes
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: Yes
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xEEFF4000 Size: 2944 File Visible: - Signed: Yes
Status: -

Name: nv_agp.sys
Image Path: nv_agp.sys
Address: 0xF77F4000 Size: 21760 File Visible: - Signed: Yes
Status: -

Name: NVENETFD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\NVENETFD.sys
Address: 0xF1528000 Size: 33280 File Visible: - Signed: Yes
Status: -

Name: nvnetbus.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nvnetbus.sys
Address: 0xF79F0000 Size: 12928 File Visible: - Signed: Yes
Status: -

Name: NVNRM.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\NVNRM.SYS
Address: 0xF774C000 Size: 57344 File Visible: - Signed: Yes
Status: -

Name: NVSNPU.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\NVSNPU.SYS
Address: 0xF64C6000 Size: 192512 File Visible: - Signed: Yes
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF756C000 Size: 61696 File Visible: - Signed: Yes
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys
Address: 0xF5E5D000 Size: 80128 File Visible: - Signed: Yes
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF77E4000 Size: 19712 File Visible: - Signed: Yes
Status: -

Name: ParVdm.SYS
Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS
Address: 0xA4054000 Size: 6784 File Visible: - Signed: Yes
Status: -

Name: pavboot.sys
Image Path: pavboot.sys
Address: 0xF77EC000 Size: 21888 File Visible: - Signed: Yes
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF741C000 Size: 68224 File Visible: - Signed: Yes
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7B24000 Size: 3328 File Visible: - Signed: Yes
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xF77DC000 Size: 28672 File Visible: - Signed: Yes
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: Yes
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF5F1F000 Size: 147456 File Visible: - Signed: Yes
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xF5E35000 Size: 69120 File Visible: - Signed: Yes
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xF793C000 Size: 17792 File Visible: - Signed: Yes
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF75DC000 Size: 35712 File Visible: - Signed: Yes
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xF1204000 Size: 8832 File Visible: - Signed: Yes
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xF65A9000 Size: 51328 File Visible: - Signed: Yes
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xF6599000 Size: 41472 File Visible: - Signed: Yes
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xF6589000 Size: 48384 File Visible: - Signed: Yes
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xF7944000 Size: 16512 File Visible: - Signed: Yes
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: Yes
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xA925A000 Size: 175744 File Visible: - Signed: Yes
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7AAA000 Size: 4224 File Visible: - Signed: Yes
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdpdr.sys
Address: 0xF5E05000 Size: 196224 File Visible: - Signed: Yes
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xF773C000 Size: 57600 File Visible: - Signed: Yes
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA0850000 Size: 49152 File Visible: No Signed: No
Status: -

Name: secdrv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\secdrv.sys
Address: 0xA3B0B000 Size: 40960 File Visible: - Signed: Yes
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xF7A00000 Size: 15744 File Visible: - Signed: Yes
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xF778C000 Size: 64512 File Visible: - Signed: Yes
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF7379000 Size: 73472 File Visible: - Signed: Yes
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xA1230000 Size: 333952 File Visible: - Signed: Yes
Status: -

Name: STREAM.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\STREAM.SYS
Address: 0xF776C000 Size: 53248 File Visible: - Signed: Yes
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xF7AC6000 Size: 4352 File Visible: - Signed: Yes
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xF318C000 Size: 60800 File Visible: - Signed: Yes
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xA92E8000 Size: 361600 File Visible: - Signed: Yes
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xF7934000 Size: 20480 File Visible: - Signed: Yes
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xF6569000 Size: 40704 File Visible: - Signed: Yes
Status: -

Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xF5DA7000 Size: 384768 File Visible: - Signed: Yes
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xF7A8E000 Size: 8192 File Visible: - Signed: Yes
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF790C000 Size: 30208 File Visible: - Signed: Yes
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xF16D2000 Size: 59520 File Visible: - Signed: Yes
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbohci.sys
Address: 0xF7904000 Size: 17152 File Visible: - Signed: Yes
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xF64F5000 Size: 147456 File Visible: - Signed: Yes
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF7954000 Size: 20992 File Visible: - Signed: Yes
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF6087000 Size: 81920 File Visible: - Signed: Yes
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF759C000 Size: 52352 File Visible: - Signed: Yes
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xF6529000 Size: 34560 File Visible: - Signed: Yes
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xA4615000 Size: 20480 File Visible: - Signed: Yes
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xA17B5000 Size: 83072 File Visible: - Signed: Yes
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: Yes
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: Yes
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS
Address: 0xF7A5E000 Size: 8192 File Visible: - Signed: Yes
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2066048 File Visible: - Signed: Yes
Status: -

Processes
-------------------
Path: System
PID: 4 Status: -

Path: C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
PID: 240 Status: -

Path: C:\WINDOWS\system32\wuauclt.exe
PID: 260 Status: -

Path: C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
PID: 308 Status: -

Path: C:\Program Files\Itiva\Itiva Media Accelerator\ItivaMediaAccelerator.exe
PID: 320 Status: -

Path: C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
PID: 396 Status: -

Path: C:\WINDOWS\system32\Ctxfihlp.exe
PID: 420 Status: -

Path: C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
PID: 428 Status: -

Path: C:\WINDOWS\CTHELPER.EXE
PID: 436 Status: -

Path: C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
PID: 448 Status: -

Path: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PID: 540 Status: -

Path: C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
PID: 564 Status: -

Path: C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
PID: 576 Status: -

Path: C:\WINDOWS\system32\smss.exe
PID: 596 Status: -

Path: C:\Program Files\iTunes\iTunesHelper.exe
PID: 628 Status: -

Path: C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PID: 648 Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 668 Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 700 Status: -

Path: C:\WINDOWS\system32\services.exe
PID: 744 Status: -

Path: C:\WINDOWS\system32\lsass.exe
PID: 756 Status: -

Path: C:\Program Files\Java\jre6\bin\jusched.exe
PID: 760 Status: -

Path: C:\WINDOWS\system32\ati2evxx.exe
PID: 912 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 924 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1008 Status: -

Path: C:\Program Files\Messenger\msmsgs.exe
PID: 1056 Status: -

Path: C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
PID: 1080 Status: -

Path: C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
PID: 1088 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1100 Status: -

Path: C:\WINDOWS\system32\wscntfy.exe
PID: 1136 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1156 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1244 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1280 Status: -

Path: C:\Program Files\SqueezeCenter\SqueezeTray.exe
PID: 1288 Status: -

Path: C:\WINDOWS\system32\ati2evxx.exe
PID: 1348 Status: -

Path: C:\Program Files\Windows Desktop Search\WindowsSearch.exe
PID: 1464 Status: -

Path: C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PID: 1488 Status: -

Path: C:\WINDOWS\system32\BRSVC01A.EXE
PID: 1584 Status: -

Path: C:\WINDOWS\system32\spoolsv.exe
PID: 1608 Status: -

Path: C:\WINDOWS\system32\BRSS01A.EXE
PID: 1620 Status: -

Path: C:\Program Files\Bonjour\mDNSResponder.exe
PID: 1664 Status: -

Path: C:\Program Files\Executive Software\Diskeeper\DkService.exe
PID: 1716 Status: -

Path: C:\Program Files\Creative\Shared Files\CTAudSvc.exe
PID: 1784 Status: -

Path: C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PID: 1820 Status: -

Path: C:\WINDOWS\explorer.exe
PID: 2004 Status: -

Path: C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
PID: 2104 Status: -

Path: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 2172 Status: -

Path: C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
PID: 2204 Status: -

Path: C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
PID: 2220 Status: -

Path: C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
PID: 2340 Status: -

Path: C:\PROGRA~1\SQUEEZ~1\server\SQUEEZ~1.EXE
PID: 2364 Status: -

Path: C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
PID: 2408 Status: -

Path: C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
PID: 3604 Status: -

Path: C:\WINDOWS\system32\PSIService.exe
PID: 3636 Status: -

Path: C:\PROGRA~1\SQUEEZ~1\server\Bin\MSWIN3~1\mysqld.exe
PID: 3760 Status: -

Path: C:\WINDOWS\system32\wdfmgr.exe
PID: 3812 Status: -

Path: C:\WINDOWS\system32\MsPMSPSv.exe
PID: 3964 Status: -

Path: C:\WINDOWS\system32\searchindexer.exe
PID: 3976 Status: -

Path: C:\Program Files\iPod\bin\iPodService.exe
PID: 4028 Status: -

Path: C:\WINDOWS\system32\alg.exe
PID: 4328 Status: -

Path: C:\WINDOWS\system32\searchprotocolhost.exe
PID: 4336 Status: -

Path: C:\WINDOWS\system32\searchfilterhost.exe
PID: 4556 Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 4784 Status: -

Path: C:\Documents and Settings\David\Desktop\RootRepeal.exe
PID: 5480 Status: -

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Not hooked

#: 041 Function Name: NtCreateKey
Status: Not hooked

#: 122 Function Name: NtOpenProcess
Status: Not hooked

#: 128 Function Name: NtOpenThread
Status: Not hooked

#: 247 Function Name: NtSetValueKey
Status: Not hooked

#: 253 Function Name: NtSuspendProcess
Status: Not hooked

#: 254 Function Name: NtSuspendThread
Status: Not hooked

#: 257 Function Name: NtTerminateProcess
Status: Not hooked

#: 258 Function Name: NtTerminateThread
Status: Not hooked

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x87112270]
Process: System Address: 0x8622e930 Size: 1000

==EOF==

#45 DaveGK (Topic Starter, Members, 33 posts)

Posted 18 January 2010 - 02:19 AM

I should mention I uninstalled the Kaspersky tool right after running that last Kaspersky scan (so before I ran RootRepeal). When I uninstalled the Kaspersky tool, I saw at least one of 16876832.sys or 16876831.sys get uninstalled.

Also, I can boot into Safe Mode now. I'm not sure if that's because I uninstalled the Kaspersky tool or because the Kaspersky tool cleaned the rootkit it found.

Edited by DaveGK, 18 January 2010 - 02:21 AM.
