Persistent Browser Hijack


  • This topic is locked
35 replies to this topic

#1 Anderwolf

Anderwolf

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:38 AM

Posted 03 February 2010 - 04:15 PM

I have edited this post so that it contains the proper logs for this forum.


Hello. I have a very stubborn version of what I think is a browser hijacking virus. I've dealt with these types of viruses before, so I have already gone through many of the steps. However, the problem still persists. I'll start with the symptoms.

1. Computer runs VERY slow.
2. McAfee Security Suite disabled and unable to be turned on.
3. Browser redirecting when trying to access any antivirus websites.

These are the things I've already tried:

First I did a HijackThis scan and removed a number of things that I recognized as problems.
After that I did a scan with Malwarebytes, which also picked up a great number of "infections". I removed them.
Then I also deleted the brand new files from the System32 folder, as well as a pretend antivirus program that appeared on the computer called ParetoLogic.
Next I tried a system restore, which seemed to work at first, but the symptoms came back even worse.
Finally I tried ComboFix, which also seemed to work because the computer ran a bit faster after that. After restarting from the ComboFix I removed McAfee and got AVG Free. Restarted the computer once more and everything seemed OK until I tried another few Google searches for ComboFix and the browser redirecting happened again. When I am being redirected, the info bar at the top always says "SearchEngine4.com", so I assume that has something to do with the specific trojan/virus I have. I hope this helps and I am including the DDS log and the RootRepeal logs. Thank you in advance for any help!

Anderwolf

Edit: Just did a scan with AVG, it found a trojan. Here is the info it gives about it:

Scan "Scan specific files or folders" was finished.
Infections;"1";"0";"1"
Folders selected for scanning:;"C:\Temp\;C:\WINDOWS\;"
Scan started:;"Wednesday, February 03, 2010, 3:22:42 PM"
Scan finished:;"Wednesday, February 03, 2010, 3:44:08 PM (21 minute(s) 25 second(s))"
Total object scanned:;"59253"
User who launched the scan:;"Michael Goehring"

Infections
File;"Infection";"Result"
C:\WINDOWS\system32\drivers\fips.sys;"Trojan horse BackDoor.Generic12.AAVT";"Object is white-listed (critical/system file that should not be removed)"


DDS LOG

DDS (Ver_09-12-01.01) - NTFSx86
Run by Michael Goehring at 16:17:05.37 on Wed 02/03/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.73 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\ccs.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\NBC Direct\DirectPlayerCore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Michael Goehring\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = localhost;*.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [DirectPlayerCore] "c:\program files\nbc direct\DirectPlayerCore.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TFncKy] TFncKy.exe
mRun: [pdfFactory Dispatcher v2] c:\windows\system32\spool\drivers\w32x86\3\fppdis2a.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-3 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-3 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-3 360584]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-3 285392]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-13 133104]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S3 AmDriver;AmDriver;c:\windows\system32\AmDriver.sys [2007-1-9 8192]
S3 CSCO21;Cisco Aironet 802.11a/b/g Wireless Adapter Service;c:\windows\system32\drivers\csco21.sys [2007-1-9 486272]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S3 WS350;WireScope350 USB Communication;c:\windows\system32\drivers\usbscan.sys [2006-2-19 15104]

=============== Created Last 30 ================

2010-02-03 20:23:34 0 d--h--w- C:\$AVG
2010-02-03 20:23:16 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-03 20:23:15 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-03 20:23:08 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-03 20:22:49 0 d-----w- c:\windows\system32\drivers\Avg
2010-02-03 20:22:45 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-02-03 20:22:19 0 d-----w- c:\program files\AVG
2010-02-03 20:22:17 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-02-03 19:06:47 0 d-sha-r- C:\cmdcons
2010-02-03 19:05:47 98816 ----a-w- c:\windows\sed.exe
2010-02-03 19:05:47 77312 ----a-w- c:\windows\MBR.exe
2010-02-03 19:05:47 261632 ----a-w- c:\windows\PEV.exe
2010-02-03 19:05:47 161792 ----a-w- c:\windows\SWREG.exe
2010-02-02 23:20:10 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-02 23:18:25 0 d-----w- c:\program files\Fast Browser SearchP
2010-02-01 20:12:12 54016 ----a-w- c:\windows\system32\drivers\wiyyep.sys
2010-02-01 19:52:45 0 d-----w- c:\docume~1\michae~1\applic~1\Malwarebytes
2010-02-01 19:52:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-01 19:52:38 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-01 19:52:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-01 19:52:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-01 01:08:12 3560 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-02-01 01:08:12 18740 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-02-01 01:08:12 15648 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-02-01 01:08:12 1318944 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-13 20:16:58 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-01-05 10:00:29 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2008-09-05 13:24:04 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 16:17:45.15 ===============







ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2010/02/03 16:24
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: atapi.sys
Image Path: atapi.sys
Address: 0xF745B000 Size: 96512 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: disk.sys
Image Path: disk.sys
Address: 0xF7560000 Size: 36352 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF2689000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A44000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF75B0000 Size: 44544 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEFC9C000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Cookies\forum56[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\to customer pics\Grywalsky 1 complete.jpg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\to customer pics\Thedinga2pic.jpg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\to customer pics\Stoughton maintenance 1.jpg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\to customer pics\none 023.jpg:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\to customer pics\Thedinga2pic.jpg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\to customer pics\railing style 3.jpg:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\to customer pics\work and personal pics dec 08 071.jpg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\to customer pics\work and personal pics dec 08 008.jpg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\to customer pics\may 26th pics through Janisch 114.jpg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\to customer pics\may 26th pics through Janisch 106.jpg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\recent work pics\Smith deck pics\railing style 4.jpg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\to customer pics\two tone deck pics\Grywalsky 1 before.jpg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\to customer pics\two tone deck pics\Grywalsky 1 complete.jpg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\to customer pics\two tone deck pics\Kallstrand 3 complete.jpg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\to customer pics\two tone deck pics\Kallstrand 4 before.jpg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\to customer pics\two tone deck pics\Kallstrand 4 complete.jpg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\work picks 1\Mihale pics\cedar one coat.jpg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\work picks 1\Mihale pics\railing style 3.jpg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\work picks 1\nonsent work pics\cedar with two tone one coat.jpg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\deck and painting\recent estimate stuff\Berkson projects\to Berkson\mom and dads 4.jpg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Desktop\Michael's stuff\work\deck and painting\recent estimate stuff\Berkson projects\to Berkson\mom and dads 8.jpg
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Michael Goehring\Local Settings\Application Data\Microsoft\Messenger\anderwolf@hotmail.com\SharingMetadata\def_prophet@hotmail.com\DFSR\Staging\CS{A955C1DF-10DB-438D-0D09-99953618F3A8}\91\91-{D4~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Michael Goehring\Local Settings\Application Data\Microsoft\Messenger\anderwolf@hotmail.com\SharingMetadata\def_prophet@hotmail.com\DFSR\Staging\CS{A955C1DF-10DB-438D-0D09-99953618F3A8}\93\93-{D4~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x84e21020]
Process: System Address: 0xf77e393a Size: 200

==EOF==

Edited by Anderwolf, 03 February 2010 - 05:59 PM.
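One way to triage a RootRepeal report like the one posted above, as an added example that is not part of the original post or of RootRepeal itself: it parses the Drivers, Hidden/Locked Files and Stealth Objects sections into records and ranks each one, so kernel drivers reported as hidden from the Windows API stand out from routine locked-file and alternate-data-stream entries. The embedded sample is a constructed, shortened excerpt in the same record layout (paths abbreviated), and the severity labels and reasons are this example's own heuristics, not RootRepeal output.

```python
import re
from collections import namedtuple
from typing import Dict, List

# Constructed sample: a shortened excerpt in the RootRepeal report format
# (same record layout as the log posted above; file paths abbreviated).
SAMPLE_LOG = r"""Drivers
-------------------
Name: atapi.sys
Image Path: atapi.sys
Address: 0xF745B000 Size: 96512 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF2689000 Size: 98304 File Visible: No Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF75B0000 Size: 44544 File Visible: - Signed: -
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\user\Desktop\photo.jpg:Zone.Identifier
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x84e21020]
Process: System Address: 0xf77e393a Size: 200
==EOF==
"""

# Storage-stack drivers that driver-infecting rootkits commonly patch in place.
CORE_STORAGE_DRIVERS = {"atapi.sys", "disk.sys"}
SEVERITY_ORDER = ("high", "medium", "low", "info")

# One triaged record: where it came from, what it is, what RootRepeal said, and our verdict.
Finding = namedtuple("Finding", "section name status severity reason")


def parse_sections(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Split a report into {section: [record, ...]}: a header is a line followed by a
    dashed line, records are 'Key: Value' lines separated by blank lines."""
    lines = text.splitlines()
    sections: Dict[str, List[Dict[str, str]]] = {}
    current, record = None, {}

    def flush() -> None:
        nonlocal record
        if current is not None and record:
            sections.setdefault(current, []).append(record)
        record = {}

    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.strip() and ":" not in line and nxt.startswith("---"):
            flush()
            current = line.strip()
        elif current is None or line.startswith("---"):
            continue
        elif not line.strip() or line.startswith("==EOF=="):
            flush()
        elif line.startswith(("Address:", "Process:")):  # several fields packed on one line
            record.update(re.findall(r"(Process|Address|Size|File Visible|Signed): (\S+)", line))
        elif ": " in line:
            key, val = line.split(": ", 1)
            record[key] = val.strip()
    flush()
    return sections


def classify(section: str, rec: Dict[str, str]) -> Finding:
    """Attach a severity and reason to one record (this example's own heuristics)."""
    status = rec.get("Status", "-")
    name = rec.get("Name") or rec.get("Path") or rec.get("Object", "?")
    if section == "Drivers" and "Hidden from the Windows API" in status:
        reason = "kernel driver concealed from the Windows API (rootkit-style hiding)"
        if name.lower() in CORE_STORAGE_DRIVERS:
            reason += "; core storage driver, a classic target for in-place infection"
        return Finding(section, name, status, "high", reason)
    if section == "Drivers" and name.lower().startswith("dump_"):
        return Finding(section, name, status, "info", "crash-dump copy of the storage stack; no file on disk by design")
    if section == "Stealth Objects":
        return Finding(section, name, rec.get("Process", "-"), "high", "thread running code that belongs to no loaded module")
    if ":Zone.Identifier" in name:
        return Finding(section, name, status, "low", "alternate data stream (download zone marker), not a hidden file")
    if "Locked" in status:
        return Finding(section, name, status, "info", "file held open exclusively (in use, e.g. hiberfil.sys)")
    if "Invisible" in status or "Hidden" in status:
        return Finding(section, name, status, "high", "object hidden from the Windows API")
    return Finding(section, name, status, "info", "no anomaly reported")


def triage(text: str) -> List[Finding]:
    """Parse a report and return its findings, most severe first."""
    findings = [classify(sec, rec) for sec, recs in parse_sections(text).items() for rec in recs]
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f.severity))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.name} -- {f.reason}")
```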



#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:03:38 PM

Posted 10 February 2010 - 12:39 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware.

#3 Anderwolf

Anderwolf
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:09:38 AM

Posted 11 February 2010 - 04:24 PM

Hello and thank you for your response! Here are the fresh logs you requested.



DDS (Ver_09-12-01.01) - NTFSx86
Run by Michael Goehring at 13:33:41.46 on Thu 02/11/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.179 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ccs.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NBC Direct\DirectPlayerCore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Documents and Settings\Michael Goehring\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = localhost;*.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn1\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [DirectPlayerCore] "c:\program files\nbc direct\DirectPlayerCore.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TFncKy] TFncKy.exe
mRun: [pdfFactory Dispatcher v2] c:\windows\system32\spool\drivers\w32x86\3\fppdis2a.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-3 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-3 28424]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-3 360584]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-7-7 611664]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-2-3 285392]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-13 133104]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S3 AmDriver;AmDriver;c:\windows\system32\AmDriver.sys [2007-1-9 8192]
S3 CSCO21;Cisco Aironet 802.11a/b/g Wireless Adapter Service;c:\windows\system32\drivers\csco21.sys [2007-1-9 486272]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S3 WS350;WireScope350 USB Communication;c:\windows\system32\drivers\usbscan.sys [2006-2-19 15104]

=============== Created Last 30 ================


==================== Find3M ====================

2010-02-05 20:21:34 2420 ----a-w- c:\docume~1\michae~1\applic~1\wklnhst.dat
2010-01-05 10:00:29 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2008-09-05 13:24:04 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090520080906\index.dat

============= FINISH: 13:34:18.01 ===============






GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-11 15:19:18
Windows 5.1.2600 Service Pack 3
Running: novrfpg0.exe; Driver: C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\kwliqpow.sys


---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\lsass.exe[624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\lsass.exe[624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[924] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[924] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1044] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1044] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1060] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[1060] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1116] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1116] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1504] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1504] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1620] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Bonjour\mDNSResponder.exe[1744] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Bonjour\mDNSResponder.exe[1744] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\NBC Direct\DirectPlayerCore.exe[2880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\NBC Direct\DirectPlayerCore.exe[2880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\System32\alg.exe[3664] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\System32\alg.exe[3664] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_Disk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_CdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Disk \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074 F77DABDE
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Modules - GMER 1.0.15 ----

Module \SystemRoot\System32\Drivers\Fips.SYS (*** hidden *** ) F77D8000-F77E0000 (32768 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:464] F77DB93A
---- Processes - GMER 1.0.15 ----

Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [624] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [880] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [924] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1044] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1060] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1116] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1504] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1620] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1744] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\NBC Direct\DirectPlayerCore.exe [2880] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [3664] 0x35670000

---- EOF - GMER 1.0.15 ----

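The GMER log above repeats one pattern across eleven processes: kernel32.dll's imports of ntdll!NtWriteFile and ntdll!LdrGetProcedureAddress are redirected to addresses 0x35672CF1 and 0x35672C7B, both just above a library GMER marks hidden, loaded at the same base 0x35670000 in every process, whose recorded path is a UNC share (\\74.117.114.86\max++.x86.dll) rather than a local file. Those are the facts a triage script should pull out of a GMER log mechanically instead of reading hundreds of lines by eye. The Python below is an added example, not part of this thread or of GMER: it parses the two line shapes seen in the "User IAT/EAT" and "Processes" sections, groups hooks by the module that owns them, and flags modules that are hidden, live on a UNC path, are present in several processes, hook the loader's symbol resolution, or have hook targets at a small offset inside their own image. The sample log is a constructed three-process subset of the posted one, and the thresholds and reason labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the line shapes of the GMER log posted above, cut down
# to three of the eleven processes so the script runs offline.
SAMPLE_LOG = r"""
---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\lsass.exe[624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\lsass.exe[624] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1504] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll

---- Processes - GMER 1.0.15 ----

Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [624] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [880] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1504] 0x35670000
"""

# IAT <process>[<pid>] @ <import table owner> [<dll!function>] [<hook address>] <module owning the hook>
IAT_RE = re.compile(
    r"^IAT (?P<proc>.+?)\[(?P<pid>\d+)\] @ (?P<owner>\S+) "
    r"\[(?P<imp>[^\]]+)\] \[(?P<addr>[0-9A-Fa-f]+)\] (?P<mod>.+?)\s*$"
)
# Library <module> [(*** hidden *** )] @ <process> [<pid>] 0x<base>
LIB_RE = re.compile(
    r"^Library (?P<mod>.+?)(?P<hidden> \(\*\*\* hidden \*\*\* \))? @ "
    r"(?P<proc>.+?) \[(?P<pid>\d+)\] 0x(?P<base>[0-9A-Fa-f]+)\s*$"
)


def parse_gmer(text):
    """Return (hooks, libraries): user-mode IAT hooks and per-process library loads."""
    hooks, libs = [], []
    for line in text.splitlines():
        m = IAT_RE.match(line)
        if m:
            hooks.append((m["proc"], int(m["pid"]), m["imp"], int(m["addr"], 16), m["mod"]))
            continue
        m = LIB_RE.match(line)
        if m:
            libs.append((m["mod"], bool(m["hidden"]), m["proc"], int(m["pid"]), int(m["base"], 16)))
    return hooks, libs


def _tag(proc, pid):
    """Short 'image[pid]' label for a process path."""
    image = proc.rsplit("\\", 1)[-1]
    return f"{image}[{pid}]"


def triage(text, min_processes=3):
    """Group hooks by owning module and flag the ones that look like injection.

    Thresholds and reason labels are this example's own, not GMER's.
    """
    hooks, libs = parse_gmer(text)
    mods = defaultdict(lambda: {"processes": set(), "imports": set(),
                                "addrs": set(), "bases": set(), "hidden": False})
    for proc, pid, imp, addr, mod in hooks:
        entry = mods[mod]
        entry["processes"].add(_tag(proc, pid))
        entry["imports"].add(imp)
        entry["addrs"].add(addr)
    for mod, hidden, proc, pid, base in libs:
        entry = mods[mod]
        entry["processes"].add(_tag(proc, pid))
        entry["bases"].add(base)
        entry["hidden"] = entry["hidden"] or hidden

    report = {}
    for mod, entry in mods.items():
        reasons = []
        unc = mod.startswith("\\\\")
        if unc:
            reasons.append("unc-path")            # no system DLL is loaded from \\host\share
        if entry["hidden"]:
            reasons.append("hidden-from-process") # GMER could not find it in the process's loader module list
        if len(entry["processes"]) >= min_processes:
            reasons.append(f"injected-into-{len(entry['processes'])}-processes")
        if "ntdll.dll!LdrGetProcedureAddress" in entry["imports"]:
            reasons.append("hooks-loader-resolution")  # lets the hook also intercept GetProcAddress results
        bases = sorted(entry["bases"])
        offsets = []
        # Same base in every process and hook targets a small distance above it:
        # the hooks point into the module's own image.
        if len(bases) == 1 and all(a >= bases[0] for a in entry["addrs"]):
            offsets = sorted(a - bases[0] for a in entry["addrs"])
            if offsets and offsets[-1] < 0x100000:
                reasons.append("hook-targets-inside-module-image")
        report[mod] = {
            "processes": sorted(entry["processes"]),
            "imports": sorted(entry["imports"]),
            "bases": bases,
            "hook_offsets": offsets,
            "hidden": entry["hidden"],
            "unc": unc,
            "reasons": reasons,
            "suspicious": bool(reasons),
        }
    return report


if __name__ == "__main__":
    for mod, info in triage(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{flag:10} {mod}")
        print(f"           processes : {', '.join(info['processes'])}")
        print(f"           imports   : {', '.join(info['imports'])}")
        print(f"           bases     : {', '.join(hex(b) for b in info['bases'])}")
        print(f"           reasons   : {', '.join(info['reasons']) or '-'}")
```

Run against the full log, the script collapses the 22 IAT lines and 11 Library lines into a single entry for the UNC module with all five reasons set. The identical base address in every process is worth noting on its own: a DLL that is mapped at its preferred base everywhere has not been relocated, which is consistent with a module written into each process by the same injector rather than loaded through the normal loader path that GMER reports it as hidden from.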
#4 schrauber

schrauber
    Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Gender: Male
  • Location: Munich, Germany
  • Local time: 03:38 PM

Posted 13 February 2010 - 12:34 PM

Hi,

XP

You must first verify that you can logon to the Windows Recovery Console.
To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console


Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following command at the x:\windows> prompt (the x represents your operating system drive letter, usually C):

    batch look.bat

You will see 1 file copied many times then return to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware Posted Image

#5 Anderwolf

Anderwolf
  • Topic Starter
  • Members
  • 18 posts
  • Local time: 09:38 AM

Posted 14 February 2010 - 12:54 PM

Here is the requested log. Thanks again!



Run from C:\Documents and Settings\Michael Goehring\Desktop\maxlook.exe on Sun 02/14/2010 at 11:43:04.51

No infected file found

Rogue configuration file = C:\WINDOWS\system32\config\noo8htfn.sav



#6 schrauber

schrauber
    Mr.Mechanic
  • Malware Response Team
  • 24,794 posts
  • Gender: Male
  • Location: Munich, Germany
  • Local time: 03:38 PM

Posted 15 February 2010 - 09:59 AM

Hi,

Please post back with a fresh GMER logfile.
regards,
schrauber


#7 Anderwolf

Anderwolf
  • Topic Starter
  • Members
  • 18 posts
  • Local time: 09:38 AM

Posted 16 February 2010 - 07:25 PM

Here is the fresh GMER log.
Thanks again!!!



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-16 18:15:56
Windows 5.1.2600 Service Pack 3
Running: novrfpg0.exe; Driver: C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\kwliqpow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text srv.sys EF2BE38D 2 Bytes [58, BA]
.text srv.sys EF2BE3AF 3 Bytes [94, DD, 2C]
.text srv.sys EF2BE3C4 3 Bytes JMP EA08EF2C
.text srv.sys EF2BE3C8 3 Bytes JMP 0F56EF2C
.text srv.sys EF2BE3CF 2 Bytes [F8, 32]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\srv.sys[HAL.dll!KfReleaseSpinLock] FFF18B57
IAT \SystemRoot\system32\DRIVERS\srv.sys[HAL.dll!KfAcquireSpinLock] 2CBA4815
IAT \SystemRoot\system32\DRIVERS\srv.sys[HAL.dll!KfLowerIrql] 044EFFEF
IAT \SystemRoot\system32\DRIVERS\srv.sys[HAL.dll!KfRaiseIrql] 840FCF8B
IAT \SystemRoot\system32\DRIVERS\srv.sys[HAL.dll!KeGetCurrentIrql] 0000D1C4
IAT \SystemRoot\system32\DRIVERS\srv.sys[ksecdd.sys!QueryContextAttributesW] [EF2CBA44] \SystemRoot\system32\DRIVERS\srv.sys (Server driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ksecdd.sys!FreeContextBuffer] 00046083
IAT \SystemRoot\system32\DRIVERS\srv.sys[ksecdd.sys!MapSecurityError] FF08488D
IAT \SystemRoot\system32\DRIVERS\srv.sys[ksecdd.sys!ImpersonateSecurityContext] 77E9FC55
IAT \SystemRoot\system32\DRIVERS\srv.sys[ksecdd.sys!DeleteSecurityContext] 90FFFFFF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ksecdd.sys!AcquireCredentialsHandleW] 90909090
IAT \SystemRoot\system32\DRIVERS\srv.sys[ksecdd.sys!AddCredentialsW] 8B55FF8B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ksecdd.sys!AcceptSecurityContext] 10EC83EC
IAT \SystemRoot\system32\DRIVERS\srv.sys[ksecdd.sys!InitSecurityInterfaceW] 601D8B53
IAT \SystemRoot\system32\DRIVERS\srv.sys[ksecdd.sys!KSecValidateBuffer] 56EF2CEA
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ExReleaseResourceLite] CB8BEF2C
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ExAcquireResourceExclusiveLite] D9580D2B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ExfInterlockedRemoveHeadList] 8B57EF2C
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlCompareUnicodeString] 2CE7A03D
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlUpcaseUnicodeChar] F84D89EF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeTickCount] E7AC0D8B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlEqualUnicodeString] 0D2BEF2C
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ExAcquireResourceSharedLite] [EF2CD95C] \SystemRoot\system32\DRIVERS\srv.sys (Server driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 152BD68B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] [EF2CD950] \SystemRoot\system32\DRIVERS\srv.sys (Server driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlUnicodeStringToOemString] 8BF84D2B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlxUnicodeStringToOemSize] 54052BC7
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlOemStringToUnicodeString] 89EF2CD9
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlxOemStringToUnicodeSize] 2CD95035
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NlsMbOemCodePageTag] AC358BEF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeSetEvent] 89EF2CE7
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!InterlockedPushEntrySList] 2CD9543D
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoFreeIrp] 33C22BEF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCheckDesiredAccess] 6AD73BFF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlCopyUnicodeString] 581D8904
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeQuerySystemTime] 89EF2CD9
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeUnstackDetachProcess] 2CD95C35
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeStackAttachProcess] F05589EF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoGetCurrentProcess] 89F44589
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ZwClose] BE5BFC4D
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ZwQueryValueKey] C000009A
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ZwOpenKey] D49F850F
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!_wcsnicmp] C73B0000
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ZwOpenFile] D4BA850F
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtQueryInformationFile] 7D390000
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlLengthSecurityDescriptor] D1850FF8
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtQueryVolumeInformationFile] 3B0000D4
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeInitializeTimer] E9850FCF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeInitializeEvent] 5F0000D4
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeWaitForSingleObject] C3C95B5E
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeReadStateEvent] 68B9C033
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeCancelTimer] 87EF2CD9
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeSetTimer] 0FC33B01
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeClearEvent] 00CFB285
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeSetTargetProcessorDpc] FF4AE800
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeInitializeDpc] 8CE9FFFF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!wcslen] 90FFFFFD
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 90909090
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoInitializeIrp] 8B55FF8B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeInsertQueue] 48A151EC
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtWriteFile] 57EF2CE9
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtReadFile] 35FF016A
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [EF2CE940] \SystemRoot\system32\DRIVERS\srv.sys (Server driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoGetRelatedDeviceObject] FFFC4589
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ObReferenceObjectByHandle] 2CBA4815
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] 38158BEF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!memmove] BFEF2CE9
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlUpperChar] [EF2CE938] \SystemRoot\system32\DRIVERS\srv.sys (Server driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoWriteErrorLogEntry] 850FD73B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoAllocateErrorLogEntry] 0000DD39
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoDeleteDevice] E9400D8B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ExQueueWorkItem] 15FFEF2C
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ObfReferenceObject] [EF2CBA44] \SystemRoot\system32\DRIVERS\srv.sys (Server driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeLeaveCriticalRegion] 04C2C95F
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeEnterCriticalRegion] A0458D00
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeInsertHeadQueue] FFB6E850
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IofCallDriver] BCA1FFFF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] A3EF2CD1
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!WmiGetClock] [EF2CD964] \SystemRoot\system32\DRIVERS\srv.sys (Server driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoWMIWriteEvent] FFFCCFE9
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IofCompleteRequest] 909090FF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoQueueWorkItem] FF8B9090
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoAllocateWorkItem] 83EC8B55
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeReadStateQueue] 565330EC
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ExAllocatePoolWithTagPriority] BF016A57
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ProbeForRead] [EF2CDCAC] \SystemRoot\system32\DRIVERS\srv.sys (Server driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoWMIRegistrationControl] 4815FF57
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeQueryTimeIncrement] A1EF2CBA
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!_except_handler3] [EF2CDAA8] \SystemRoot\system32\DRIVERS\srv.sys (Server driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!_allmul] DAAC0D8B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!SeSinglePrivilegeCheck] 758BEF2C
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!SeExports] 0BD08B08
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoFreeMdl] 5B006AD1
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoBuildPartialMdl] D3BD840F
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!MmUnlockPages] 168B0000
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!MmUnmapLockedPages] 468BD02B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlFreeOemString] 89C11B04
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtClose] 4589F055
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ZwSetValueKey] 2B068BF4
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!_wcsicmp] 2CDA5005
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!PoUnregisterSystemState] 044E8BEF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!MmUnlockPagableImageSection] DA540D1B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlGetOwnerSecurityDescriptor] 4589EF2C
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlGetDaclSecurityDescriptor] D44D89D0
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeRundownQueue] 15FFCF8B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeDelayExecutionThread] [EF2CBA44] \SystemRoot\system32\DRIVERS\srv.sys (Server driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!PoRegisterSystemState] 4E8B068B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlSetOwnerSecurityDescriptor] 81D08B04
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlSetDaclSecurityDescriptor] 868C00C2
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlAddAccessAllowedAce] 13F98B47
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlCreateAcl] E47D89FB
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlLengthSid] 8BE05589
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlSubAuthoritySid] 5E00BAF8
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ObfDereferenceObject] FA03B2D0
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlLengthRequiredSid] D383D98B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlCreateSecurityDescriptor] 89C22B00
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeInitializeQueue] 016AE87D
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoFreeWorkItem] BF00D983
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!DbgBreakPoint] [EF2CDD1C] \SystemRoot\system32\DRIVERS\srv.sys (Server driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlTimeToTimeFields] EC5D8957
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ExSystemTimeToLocalTime] 89D84589
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlTimeFieldsToTime] 15FFDC4D
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!_alldiv] [EF2CBA48] \SystemRoot\system32\DRIVERS\srv.sys (Server driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeBugCheckEx] E9181D8B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlTimeToSecondsSince1970] FB81EF2C
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!FsRtlDoesNameContainWildCards] [EF2CE918] \SystemRoot\system32\DRIVERS\srv.sys (Server driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeGetCurrentThread] 438D4074
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoAllocateIrp] 017880E4
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoQueueThreadIrp] FC458902
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!MmProbeAndLockPages] D338850F
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoAllocateMdl] E8500000
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!MmLockPagableDataSection] FFFFFDB1
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlEqualString] FFF845C7
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] 8D0000FF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtDeviceIoControlFile] FF50F845
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ZwDeviceIoControlFile] 4CE8FC75
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ZwCreateFile] 85FFFEF4
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCheckFunctionAccess] 084589C0
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!FsRtlMdlWriteCompleteDev] 8346850F
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!FsRtlPrepareMdlWriteDev] 4D8B0000
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!FsRtlMdlReadCompleteDev] E81B8BFC
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!FsRtlMdlReadDev] FFFFFDB5
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoGetBaseFileSystemDeviceObject] CF8BB8EB
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCheckEaBufferValidity] BA4415FF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlPrefixUnicodeString] 5E5FEF2C
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtRequestWaitReplyPort] 04C2C95B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlNtStatusToDosErrorNoTeb] 90909000
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCancelIrp] FF8B9090
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlInitString] 80EC8B55
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoWriteTransferCount] 8B000C7D
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoWriteOperationCount] 0F990845
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoReadTransferCount] 00CFC085
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoReadOperationCount] 68006A00
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoStatisticsLock] 00989680
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!wcscpy] 95E85052
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlIntegerToUnicodeString] 5DFFFEF4
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlInt64ToUnicodeString] 900008C2
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] 90909090
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoSetThreadHardErrorMode] 8B56FF8B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!wcschr] 2CE79835
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!_stricmp] 016A57EF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoFastQueryNetworkAttributes] 2CDCACBF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlSecondsSince1970ToTime] EEC157EF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCheckQuerySetFileInformation] 4815FF09
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlUpcaseUnicodeStringToOemString] A1EF2CBA
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlFreeAnsiString] [EF2CEA74] \SystemRoot\system32\DRIVERS\srv.sys (Server driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCheckQuerySetVolumeInformation] E8D3CE8B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetVolumeInformationFile] 0F1EF883
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!_allshr] 00D28A86
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetSecurityObject] 50006A00
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlValidRelativeSecurityDescriptor] FFFFA1E8
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtQuerySecurityObject] 5FCF8BFF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtQueryQuotaInformationFile] 2CDA50A3
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetQuotaInformationFile] 541589EF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoGetStackLimits] 5EEF2CDA
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!MmSizeOfMdl] BA4425FF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!wcscmp] 9090EF2C
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlInitAnsiString] 8B909090
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!FsRtlIsFatDbcsLegal] EC8B55FF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlIsNameLegalDOS8Dot3] A16CEC83
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NlsOemLeadByteInfo] [EF2CD930] \SystemRoot\system32\DRIVERS\srv.sys (Server driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlUnicodeToOemN] 08758B56
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlUpcaseUnicodeToOemN] 26830E8B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeDetachProcess] 7E8B5700
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeAttachProcess] 04668304
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!PsAssignImpersonationToken] 80CF0300
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!SeFreePrivileges] 89000C7D
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlMapGenericMask] 1674FC45
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoSetFileOrigin] 850FC985
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeGetRecommendedSharedDataAlignment] 0000D5C8
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeNumberProcessors] 5FFC4D8B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!_snwprintf] [F27AE85E] \SystemRoot\system32\DRIVERS\AGRSM.sys (SoftModem Device Driver/Agere Systems)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!toupper] C2C9FFFE
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlTimeToSecondsSince1980] 7E3B0008
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlValidSecurityDescriptor] E9ED760C
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlVerifyVersionInfo] 0000D5C2
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!VerSetConditionMask] 8B55FF8B
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!MmIsThisAnNtAsSystem] C8EC81EC
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!PsCreateSystemThread] A1000000
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeSetIdealProcessorThread] [EF2CD930] \SystemRoot\system32\DRIVERS\srv.sys (Server driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationThread] 6A575653
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!PsTerminateSystemThread] 39DB3308
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeRemoveQueue] 2CDB0C1D
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlDestroyHeap] D6BE59EF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlAllocateHeap] 8DEF2CF4
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlFreeHeap] 4589DC7D
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlCreateHeap] 0FA5F3FC
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtConnectPort] 00D28885
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateSection] FC4D8B00
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeInitializeSpinLock] E85B5E5F
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ExInitializeResourceLite] FFFEF230
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!InterlockedPopEntrySList] 005CC3C9
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ExDeleteResourceLite] 006F0044
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ExAllocatePoolWithTag] 00440073
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!DbgPrint] 00760065
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ExFreePoolWithTag] 00630069
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ExLocalTimeToSystemTime] 00730065
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlCompareMemory] 0041005C
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!MmMapLockedPages] 005C003A
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] CCCC0000
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlAnsiStringToUnicodeString] CCCCCCCC
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtAllocateVirtualMemory] 90909090
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtFreeVirtualMemory] 68006A90
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ExfInterlockedAddUlong] [EF2CEA20] \SystemRoot\system32\DRIVERS\srv.sys (Server driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlInitUnicodeString] FFFF42E8
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlUpcaseUnicodeString] 68016AFF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlFreeUnicodeString] [EF2CEA30] \SystemRoot\system32\DRIVERS\srv.sys (Server driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!SeLockSubjectContext] FFFF36E8
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!SeQueryAuthenticationIdToken] FF7AE9FF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!SeUnlockSubjectContext] 9090FFFF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!SeCaptureSubjectContext] 8B909090
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!SeAccessCheck] EC8B55FF
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!SeReleaseSubjectContext] 560CEC83
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!RtlInitializeSid] 483D8B57
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!WmiTraceMessage] 6AEF2CBA
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ZwSetEvent] DD1CBE01
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ZwWaitForSingleObject] FF56EF2C
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeResetEvent] E918A1D7
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeWaitForMultipleObjects] 183DEF2C
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeInitializeSemaphore] 89EF2CE9
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ZwCreateEvent] 5B74FC45
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ZwMapViewOfSection] E4588D53
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ZwCreateSection] 02017B80
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!KeReleaseSemaphore] 0FF45D89
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ExfInterlockedInsertTailList] 009C3685
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ZwQuerySystemInformation] 6443F600
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!PsGetCurrentThreadId] 2C850F01
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!PsGetCurrentProcessId] 5300009C
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!ZwCreateKey] FFFBDCE8
IAT \SystemRoot\system32\DRIVERS\srv.sys[TDI.SYS!TdiDeregisterPnPHandlers] F845C750
IAT \SystemRoot\system32\DRIVERS\srv.sys[TDI.SYS!TdiRegisterPnPHandlers] 0000FFFF
IAT \SystemRoot\system32\DRIVERS\srv.sys[TDI.SYS!TdiOpenNetbiosAddress] [F279E853] \SystemRoot\system32\DRIVERS\AGRSM.sys (SoftModem Device Driver/Agere Systems)
IAT \SystemRoot\system32\DRIVERS\srv.sys[TDI.SYS!TdiReturnChainedReceives] D88BFFFE
IAT \SystemRoot\system32\DRIVERS\srv.sys[TDI.SYS!TdiCopyBufferToMdl] 850FDB85
IAT \SystemRoot\system32\DRIVERS\srv.sys[WMILIB.SYS!WmiSystemControl] 8BFC458B
IAT \SystemRoot\system32\DRIVERS\srv.sys[WMILIB.SYS!WmiCompleteRequest] F44D8B00

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[344] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe[344] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\System32\alg.exe[416] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\System32\alg.exe[416] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\lsass.exe[628] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\lsass.exe[628] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[880] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[924] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[924] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1128] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1128] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1208] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1628] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[1628] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Bonjour\mDNSResponder.exe[1736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\Bonjour\mDNSResponder.exe[1736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\WINDOWS\system32\spoolsv.exe[1960] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\NBC Direct\DirectPlayerCore.exe[2812] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672CF1] \\74.117.114.86\max++.x86.dll
IAT C:\Program Files\NBC Direct\DirectPlayerCore.exe[2812] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672C7B] \\74.117.114.86\max++.x86.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_Disk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_CdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device ACPI.sys (ACPI Driver for NT/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Disk \GLOBAL??\C2CAD972#4079#4fd3#A68D#AD34CC121074 F77E2BDE
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Modules - GMER 1.0.15 ----

Module \SystemRoot\System32\Drivers\Fips.SYS (*** hidden *** ) F77E0000-F77E8000 (32768 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:468] F77E393A

---- Processes - GMER 1.0.15 ----

Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [344] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [416] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [628] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [880] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [924] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1128] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1208] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1628] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1736] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1960] 0x35670000
Library \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\Program Files\NBC Direct\DirectPlayerCore.exe [2812] 0x35670000

---- EOF - GMER 1.0.15 ----


#8 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 18 February 2010 - 01:09 PM

Please go to start > run and type:

maxlook -sig

and hit enter.

Note:

Be sure that you have an internet connection. Please post back with the logfile which will open in notepad.
regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#9 Anderwolf

  • Topic Starter
  • Members
  • 18 posts

Posted 18 February 2010 - 08:22 PM

Here is the new Maxlook log.
Thanks again!!



CODE
Run from C:\Documents and Settings\Michael Goehring\Desktop\maxlook.exe on Thu 02/18/2010 at 19:17:03.43

--------- maxlook unsigned files ---------

c:\windows\maxdriver\AegisP.sys:
    Verified:    Unsigned
    File date:    13:07 1/9/2007
    Publisher:    Meetinghouse Data Communications
    Description:    IEEE 802.1X Protocol Driver
    Product:    AEGIS Client 3.4.1.0
    Version:    3.4.1.0
    File version:    3.4.1.0
c:\windows\maxdriver\asctrm.sys:
    Verified:    Unsigned
    File date:    22:10 11/4/2005
    Publisher:    Windows (R) 2000 DDK provider
    Description:    TR Manager
    Product:    Windows (R) 2000 DDK driver
    Version:    5.00.2195.1
    File version:    5.00.2195.1
c:\windows\maxdriver\CDAC15BA.SYS:
    Verified:    Unsigned
    File date:    14:33 3/30/2006
    Publisher:    n/a
    Description:    n/a
    Product:    n/a
    Version:    n/a
    File version:    n/a
c:\windows\maxdriver\CSIIDecoder_kern_i386.sys:
    Verified:    Unsigned
    File date:    19:33 10/25/2005
    Publisher:    n/a
    Description:    SRS Labs CSII Decoder Kernel DLL
    Product:    SRS CSII Decoder for Windows XP
    Version:    3, 2, 0, 0
    File version:    1, 2, 0, 0
c:\windows\maxdriver\DLACDBHM.SYS:
    Verified:    Unsigned
    File date:    11:03 7/7/2005
    Publisher:    Sonic Solutions
    Description:    Shared Driver Component
    Product:    n/a
    Version:    n/a
    File version:    5.10.05a
c:\windows\maxdriver\DLARTL_N.SYS:
    Verified:    Unsigned
    File date:    11:02 7/7/2005
    Publisher:    Sonic Solutions
    Description:    Shared Driver Component
    Product:    n/a
    Version:    n/a
    File version:    5.10.05a
c:\windows\maxdriver\DRVMCDB.SYS:
    Verified:    Unsigned
    File date:    05:30 7/28/2005
    Publisher:    Sonic Solutions
    Description:    Device Driver
    Product:    n/a
    Version:    n/a
    File version:    3.30.00Q
c:\windows\maxdriver\DRVNDDM.SYS:
    Verified:    Unsigned
    File date:    07:10 7/7/2005
    Publisher:    Sonic Solutions
    Description:    Device Driver Manager
    Product:    n/a
    Version:    n/a
    File version:    5.10.04a
    Verified:    Invalid Signature
    Signing date:    12:33 4/13/2008
    Publisher:    n/a
    Description:    n/a
    Product:    n/a
    Version:    n/a
    File version:    n/a
c:\windows\maxdriver\meiudf.sys:
    Verified:    Unsigned
    File date:    05:33 6/2/2005
    Publisher:    Matsushita Electric Industrial Co.,Ltd.
    Description:    DVD-RAM UDF File System Driver
    Product:    n/a
    Version:    n/a
    File version:    4.0.7.0
c:\windows\maxdriver\NBSMI.sys:
    Verified:    Unsigned
    File date:    16:03 10/20/2005
    Publisher:    Toshiba Corporation
    Description:    Toshiba Notebook PC SMI Driver
    Product:    Toshiba Notebook PC SMI Service
    Version:    1.0.0.11M
    File version:    1.0.0.11M built by: WinDDK
c:\windows\maxdriver\Netdevio.sys:
    Verified:    Unsigned
    File date:    16:35 1/29/2003
    Publisher:    TOSHIBA Corporation.
    Description:    Network Device Usermode I/O protocol
    Product:    TOSHIBA Network Device Usermode I/O protocol
    Version:    5.00.01.00
    File version:    Version 5.00.01.00 built by: WinDDK
c:\windows\maxdriver\pfc.sys:
    Verified:    Unsigned
    File date:    17:45 9/19/2003
    Publisher:    Padus, Inc.
    Description:    Padus(R) ASPI Shell
    Product:    Padus(R) ASPI Shell
    Version:    2, 5, 0, 204
    File version:    2, 5, 0, 204
c:\windows\maxdriver\pxhelp20.sys:
    Verified:    Unsigned
    File date:    11:21 10/3/2006
    Publisher:    Sonic Solutions
    Description:    Px Engine Device Driver for Windows 2000/XP
    Product:    PxHelp20
    Version:    n/a
    File version:    3.00.33a
c:\windows\maxdriver\TSXT_kern_i386.sys:
    Verified:    Unsigned
    File date:    16:35 1/25/2005
    Publisher:    n/a
    Description:    SRS Labs TruSurround XT kernel DLL
    Product:    SRS TruSurround XT for Windows XP
    Version:    1, 3, 0, 0
    File version:    1, 3, 0, 0
c:\windows\maxdriver\Tvs.sys:
    Verified:    Unsigned
    File date:    18:40 11/15/2005
    Publisher:    TOSHIBA Corporation
    Description:    TOSHIBA Audio Filter Driver
    Product:    Audio Filter
    Version:    2.03
    File version:    2, 0, 0, 4
c:\windows\maxdriver\wiyyep.sys:
    Verified:    Unsigned
    File date:    14:12 2/1/2010
    Publisher:    n/a
    Description:    n/a
    Product:    n/a
    Version:    n/a
    File version:    n/a
c:\windows\maxdriver\WOWHD_kern_i386.sys:
    Verified:    Unsigned
    File date:    11:45 8/18/2005
    Publisher:    SRS Labs, Inc.
    Description:    WOW HD kernel mode DLL for Windows
    Product:    WOW HD Kernel DLL for Windows XP
    Version:    3, 1, 0, 0
    File version:    3, 1, 0, 0

--------- system32\drivers unsigned files ---------

c:\windows\system32\drivers\AegisP.sys:
    Verified:    Unsigned
    File date:    13:07 1/9/2007
    Publisher:    Meetinghouse Data Communications
    Description:    IEEE 802.1X Protocol Driver
    Product:    AEGIS Client 3.4.1.0
    Version:    3.4.1.0
    File version:    3.4.1.0
c:\windows\system32\drivers\asctrm.sys:
    Verified:    Unsigned
    File date:    22:10 11/4/2005
    Publisher:    Windows (R) 2000 DDK provider
    Description:    TR Manager
    Product:    Windows (R) 2000 DDK driver
    Version:    5.00.2195.1
    File version:    5.00.2195.1
c:\windows\system32\drivers\CDAC15BA.SYS:
    Verified:    Unsigned
    File date:    14:33 3/30/2006
    Publisher:    n/a
    Description:    n/a
    Product:    n/a
    Version:    n/a
    File version:    n/a
c:\windows\system32\drivers\CSIIDecoder_kern_i386.sys:
    Verified:    Unsigned
    File date:    19:33 10/25/2005
    Publisher:    n/a
    Description:    SRS Labs CSII Decoder Kernel DLL
    Product:    SRS CSII Decoder for Windows XP
    Version:    3, 2, 0, 0
    File version:    1, 2, 0, 0
c:\windows\system32\drivers\DLACDBHM.SYS:
    Verified:    Unsigned
    File date:    11:03 7/7/2005
    Publisher:    Sonic Solutions
    Description:    Shared Driver Component
    Product:    n/a
    Version:    n/a
    File version:    5.10.05a
c:\windows\system32\drivers\DLARTL_N.SYS:
    Verified:    Unsigned
    File date:    11:02 7/7/2005
    Publisher:    Sonic Solutions
    Description:    Shared Driver Component
    Product:    n/a
    Version:    n/a
    File version:    5.10.05a
c:\windows\system32\drivers\DRVMCDB.SYS:
    Verified:    Unsigned
    File date:    05:30 7/28/2005
    Publisher:    Sonic Solutions
    Description:    Device Driver
    Product:    n/a
    Version:    n/a
    File version:    3.30.00Q
c:\windows\system32\drivers\DRVNDDM.SYS:
    Verified:    Unsigned
    File date:    07:10 7/7/2005
    Publisher:    Sonic Solutions
    Description:    Device Driver Manager
    Product:    n/a
    Version:    n/a
    File version:    5.10.04a
c:\windows\system32\drivers\fips.sys:
    Verified:    Unsigned
    File date:    12:33 4/13/2008
    Publisher:    n/a
    Description:    n/a
    Product:    n/a
    Version:    n/a
    File version:    n/a
c:\windows\system32\drivers\meiudf.sys:
    Verified:    Unsigned
    File date:    05:33 6/2/2005
    Publisher:    Matsushita Electric Industrial Co.,Ltd.
    Description:    DVD-RAM UDF File System Driver
    Product:    n/a
    Version:    n/a
    File version:    4.0.7.0
c:\windows\system32\drivers\NBSMI.sys:
    Verified:    Unsigned
    File date:    16:03 10/20/2005
    Publisher:    Toshiba Corporation
    Description:    Toshiba Notebook PC SMI Driver
    Product:    Toshiba Notebook PC SMI Service
    Version:    1.0.0.11M
    File version:    1.0.0.11M built by: WinDDK
c:\windows\system32\drivers\Netdevio.sys:
    Verified:    Unsigned
    File date:    16:35 1/29/2003
    Publisher:    TOSHIBA Corporation.
    Description:    Network Device Usermode I/O protocol
    Product:    TOSHIBA Network Device Usermode I/O protocol
    Version:    5.00.01.00
    File version:    Version 5.00.01.00 built by: WinDDK
c:\windows\system32\drivers\pfc.sys:
    Verified:    Unsigned
    File date:    17:45 9/19/2003
    Publisher:    Padus, Inc.
    Description:    Padus(R) ASPI Shell
    Product:    Padus(R) ASPI Shell
    Version:    2, 5, 0, 204
    File version:    2, 5, 0, 204
c:\windows\system32\drivers\pxhelp20.sys:
    Verified:    Unsigned
    File date:    11:21 10/3/2006
    Publisher:    Sonic Solutions
    Description:    Px Engine Device Driver for Windows 2000/XP
    Product:    PxHelp20
    Version:    n/a
    File version:    3.00.33a
c:\windows\system32\drivers\TSXT_kern_i386.sys:
    Verified:    Unsigned
    File date:    16:35 1/25/2005
    Publisher:    n/a
    Description:    SRS Labs TruSurround XT kernel DLL
    Product:    SRS TruSurround XT for Windows XP
    Version:    1, 3, 0, 0
    File version:    1, 3, 0, 0
c:\windows\system32\drivers\Tvs.sys:
    Verified:    Unsigned
    File date:    18:40 11/15/2005
    Publisher:    TOSHIBA Corporation
    Description:    TOSHIBA Audio Filter Driver
    Product:    Audio Filter
    Version:    2.03
    File version:    2, 0, 0, 4
c:\windows\system32\drivers\wiyyep.sys:
    Verified:    Unsigned
    File date:    14:12 2/1/2010
    Publisher:    n/a
    Description:    n/a
    Product:    n/a
    Version:    n/a
    File version:    n/a
c:\windows\system32\drivers\WOWHD_kern_i386.sys:
    Verified:    Unsigned
    File date:    11:45 8/18/2005
    Publisher:    SRS Labs, Inc.
    Description:    WOW HD kernel mode DLL for Windows
    Product:    WOW HD Kernel DLL for Windows XP
    Version:    3, 1, 0, 0
    File version:    3, 1, 0, 0


Rogue configuration file = C:\WINDOWS\system32\config\noo8htfn.sav



#10 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 19 February 2010 - 04:29 PM

Hi,


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    wiyyep.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
regards,
schrauber


#11 Anderwolf

  • Topic Starter
  • Members
  • 18 posts

Posted 19 February 2010 - 06:15 PM

Hello and thanks for your help so far. I will run the SystemLook as soon as I get back to the infected computer. In the meantime, could you provide me with any insight as to what is going on with the computer so far? Is it just a trojan or something that is buried really deep? I just like to know the details, being sort of a computer nerd myself. Thanks again!

#13 Anderwolf

  • Topic Starter
  • Members
  • 18 posts

Posted 19 February 2010 - 11:19 PM

Here is the SystemLook...
Thanks!


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 22:11 on 19/02/2010 by Michael Goehring (Administrator - Elevation successful)

========== filefind ==========

Searching for "wiyyep.sys"
C:\WINDOWS\maxdriver\wiyyep.sys --a--- 54016 bytes [20:12 01/02/2010] [20:12 01/02/2010] E6D35F3AA51A65EB35C1F2340154A25E
C:\WINDOWS\system32\drivers\wiyyep.sys --a--- 54016 bytes [20:12 01/02/2010] [20:12 01/02/2010] E6D35F3AA51A65EB35C1F2340154A25E

-=End Of File=-

#14 schrauber

    Mr.Mechanic

  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 20 February 2010 - 06:33 PM

Hi,

go to start > run and type

maxlook -driver

and hit enter. Type in the following filename:

fips.sys

A report will be saved as looklog.txt. Please post back with the content of the logfile.
regards,
schrauber


#15 Anderwolf

  • Topic Starter
  • Members
  • 18 posts

Posted 21 February 2010 - 10:00 AM

Here you go,
thanks again...



Run from C:\Documents and Settings\Michael Goehring\Desktop\maxlook.exe on Sun 02/21/2010 at 8:56:54.14

Searching for "fips.sys"

2008-09-05 12:53:56 . 2004-08-04 12:00:00 - 34944 - E153AB8A11DE5452BCF5AC7652DBF3ED -c----w- C:\WINDOWS\$NtServicePackUninstall$\fips.sys
2008-09-03 13:53:09 . 2008-04-13 18:33:28 - 44544 - D45926117EB9FA946A6AF572FBE1CAA3 ------w- C:\WINDOWS\ServicePackFiles\i386\fips.sys
2005-11-05 00:52:42 . 2008-04-13 18:33:28 - 44544 - AC01F0749EB7D5A7FFB86D2A21F477A2 ----a-w- C:\WINDOWS\system32\drivers\fips.sys




