
Check my 2nd system please


  • This topic is locked
2 replies to this topic

#1 kisk

kisk

  • Members
  • 339 posts
  • OFFLINE
  • Gender:Male
  • Location:Huntsville, AL
  • Local time:11:10 PM

Posted 16 February 2010 - 11:11 PM

Suspicious behavior, automatic updates no longer push, etc.

Vista SP2

Here are my DDS(+zipped file) & RootRepeal logs

Attached File  Attach.zip   1.82KB   13 downloads

DDS:
CODE
DDS (Ver_09-12-01.01) - NTFSx86  
Run by Megamano at 20:11:58.46 on Tue 02/16/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.2039.896 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DllHost.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Norton Internet Security\Engine\17.5.0.127\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\Samsung\LaserSMMgr\SSMMgr.exe
C:\Windows\system32\schtasks.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Megamano\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.yahoo.com/i/716
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario&pf=desktop
uInternet Settings,ProxyServer = http=192.168.1.1
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\17.5.0.127\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\17.5.0.127\IPSBHO.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\17.5.0.127\coIEPlg.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpsysdrv] c:\hp\support\hpsysdrv.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateReg] "c:\windows\system32\jureg.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Samsung LBP SM] "c:\windows\samsung\lasersmmgr\ssmmgr.exe" /autorun
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Trusted Zone: ameritrade.com\wwws
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} -
Notify: igfxcui - igfxdev.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1105000.07f\symds.sys [2010-1-24 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1105000.07f\symefa.sys [2010-1-24 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\bashdefs\20100211.001\BHDrvx86.sys [2010-2-11 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1105000.07f\cchpx86.sys [2010-1-24 501888]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_17.0.0.136\definitions\ipsdefs\20100210.001\IDSvix86.sys [2010-2-14 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1105000.07f\ironx86.sys [2010-1-24 116272]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1105000.07f\symtdiv.sys [2010-1-24 340016]
R2 NIS;Norton Internet Security.;c:\program files\norton internet security\engine\17.5.0.127\ccsvchst.exe [2010-1-24 126392]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-1-15 102448]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\norton internet security\engine\16.7.2.11\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\norton internet security\engine\16.7.2.11\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\norton internet security\engine\16.7.2.11\ccSvcHst.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-4-6 21504]
S3 PCD5SRVC{BD6912E3-AC9D80E8-05040000};PCD5SRVC{BD6912E3-AC9D80E8-05040000} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\pc-doc~1\PCD5SRVC.pkms [2007-9-12 25760]

=============== Created Last 30 ================

2010-02-14 19:06:31    111    ----a-w-    c:\users\megamano\webct_upload_applet.properties
2010-02-06 22:19:06    0    d-----w-    c:\programdata\IObit
2010-02-06 22:19:04    0    d-----w-    c:\program files\IObit
2010-02-03 02:44:58    0    d-----w-    c:\users\megamano\appdata\roaming\AVG8
2010-01-24 18:07:21    44080    ----a-r-    c:\windows\system32\drivers\SymIMV.sys

==================== Find3M  ====================

2010-02-17 01:37:36    51200    ----a-w-    c:\windows\inf\infpub.dat
2010-02-17 01:37:35    143360    ----a-w-    c:\windows\inf\infstrng.dat
2010-01-24 18:06:42    143360    ----a-w-    c:\windows\inf\infstor.dat
2010-01-15 20:39:29    805    ----a-w-    c:\windows\system32\drivers\SYMEVENT.INF
2010-01-15 20:39:29    7443    ----a-w-    c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-15 20:39:29    124976    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-14 17:12:06    181120    ------w-    c:\windows\system32\MpSigStub.exe
2010-01-02 06:38:20    916480    ----a-w-    c:\windows\system32\wininet.dll
2010-01-02 06:32:33    71680    ----a-w-    c:\windows\system32\iesetup.dll
2010-01-02 06:32:33    109056    ----a-w-    c:\windows\system32\iesysprep.dll
2010-01-02 04:57:00    133632    ----a-w-    c:\windows\system32\ieUnatt.exe
2009-12-04 18:30:05    12288    ----a-w-    c:\windows\system32\tsbyuv.dll
2009-12-04 18:29:41    1314816    ----a-w-    c:\windows\system32\quartz.dll
2009-12-04 18:28:52    22528    ----a-w-    c:\windows\system32\msyuv.dll
2009-12-04 18:28:51    31744    ----a-w-    c:\windows\system32\msvidc32.dll
2009-12-04 18:28:51    123904    ----a-w-    c:\windows\system32\msvfw32.dll
2009-12-04 18:28:49    13312    ----a-w-    c:\windows\system32\msrle32.dll
2009-12-04 18:28:27    82944    ----a-w-    c:\windows\system32\mciavi32.dll
2009-12-04 18:28:21    50176    ----a-w-    c:\windows\system32\iyuv_32.dll
2009-12-04 18:27:12    91136    ----a-w-    c:\windows\system32\avifil32.dll
2009-11-08 17:23:08    665600    ----a-w-    c:\windows\inf\drvindex.dat
2008-04-06 17:08:04    174    --sha-w-    c:\program files\desktop.ini
2006-11-02 12:42:02    30674    ----a-w-    c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02    30674    ----a-w-    c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02    287440    ----a-w-    c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02    287440    ----a-w-    c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21    287440    ----a-w-    c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21    287440    ----a-w-    c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19    30674    ----a-w-    c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19    30674    ----a-w-    c:\windows\inf\perflib\0000\perfc.dat
2009-11-08 16:15:58    245760    --sha-w-    c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2007-11-19 02:08:36    8192    --sha-w-    c:\windows\users\default\NTUSER.DAT

============= FINISH: 20:12:19.30 ===============


RootRepeal log:
BTW, when saving the report I received the error message "Could not read our index block!" from the program.

CODE
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:        2010/02/16 21:19
Program Version:        Version 1.3.5.0
Windows Version:        Windows Vista SP2
==================================================

Drivers
-------------------
Name: acpi.sys
Image Path: C:\Windows\system32\drivers\acpi.sys
Address: 0x80694000    Size: 286720    File Visible: -    Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x81C3E000    Size: 3903488    File Visible: -    Signed: -
Status: -

Name: afd.sys
Image Path: C:\Windows\system32\drivers\afd.sys
Address: 0x8D7A7000    Size: 294912    File Visible: -    Signed: -
Status: -

Name: AGRSM.sys
Image Path: C:\Windows\system32\DRIVERS\AGRSM.sys
Address: 0x8CC0A000    Size: 1204128    File Visible: -    Signed: -
Status: -

Name: atapi.sys
Image Path: C:\Windows\system32\drivers\atapi.sys
Address: 0x8079F000    Size: 32768    File Visible: -    Signed: -
Status: -

Name: ataport.SYS
Image Path: C:\Windows\system32\drivers\ataport.SYS
Address: 0x807A7000    Size: 122880    File Visible: -    Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\Windows\System32\Drivers\Beep.SYS
Address: 0x8D699000    Size: 28672    File Visible: -    Signed: -
Status: -

Name: BHDrvx86.sys
Image Path: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\BASHDefs\20100211.001\BHDrvx86.sys
Address: 0x8E16A000    Size: 548864    File Visible: -    Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\Windows\system32\BOOTVID.dll
Address: 0x80489000    Size: 32768    File Visible: -    Signed: -
Status: -

Name: bowser.sys
Image Path: C:\Windows\system32\DRIVERS\bowser.sys
Address: 0xA8586000    Size: 102400    File Visible: -    Signed: -
Status: -

Name: ccHPx86.sys
Image Path: C:\Windows\system32\drivers\NIS\1105000.07F\ccHPx86.sys
Address: 0x8E0EB000    Size: 520192    File Visible: -    Signed: -
Status: -

Name: cdd.dll
Image Path: C:\Windows\System32\cdd.dll
Address: 0x972D0000    Size: 57344    File Visible: -    Signed: -
Status: -

Name: cdfs.sys
Image Path: C:\Windows\system32\DRIVERS\cdfs.sys
Address: 0x82FCF000    Size: 90112    File Visible: -    Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\Windows\system32\DRIVERS\cdrom.sys
Address: 0x8CD68000    Size: 98304    File Visible: -    Signed: -
Status: -

Name: CI.dll
Image Path: C:\Windows\system32\CI.dll
Address: 0x804D2000    Size: 917504    File Visible: -    Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\Windows\system32\drivers\CLASSPNP.SYS
Address: 0x82FA5000    Size: 135168    File Visible: -    Signed: -
Status: -

Name: CLFS.SYS
Image Path: C:\Windows\system32\CLFS.SYS
Address: 0x80491000    Size: 266240    File Visible: -    Signed: -
Status: -

Name: crashdmp.sys
Image Path: C:\Windows\System32\Drivers\crashdmp.sys
Address: 0x8E1F0000    Size: 53248    File Visible: -    Signed: -
Status: -

Name: crcdisk.sys
Image Path: C:\Windows\system32\drivers\crcdisk.sys
Address: 0x82FC6000    Size: 36864    File Visible: -    Signed: -
Status: -

Name: dfsc.sys
Image Path: C:\Windows\System32\Drivers\dfsc.sys
Address: 0x8E0D4000    Size: 94208    File Visible: -    Signed: -
Status: -

Name: disk.sys
Image Path: C:\Windows\system32\drivers\disk.sys
Address: 0x82F94000    Size: 69632    File Visible: -    Signed: -
Status: -

Name: drmk.sys
Image Path: C:\Windows\system32\drivers\drmk.sys
Address: 0x8D664000    Size: 151552    File Visible: -    Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\Windows\System32\Drivers\dump_atapi.sys
Address: 0x82FE5000    Size: 32768    File Visible: No    Signed: -
Status: -

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x8C200000    Size: 45056    File Visible: No    Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\Windows\System32\drivers\Dxapi.sys
Address: 0x82DDA000    Size: 40960    File Visible: -    Signed: -
Status: -

Name: dxgkrnl.sys
Image Path: C:\Windows\System32\drivers\dxgkrnl.sys
Address: 0x8C8C8000    Size: 659456    File Visible: -    Signed: -
Status: -

Name: ecache.sys
Image Path: C:\Windows\System32\drivers\ecache.sys
Address: 0x82F6D000    Size: 159744    File Visible: -    Signed: -
Status: -

Name: eeCtrl.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
Address: 0x8E059000    Size: 385024    File Visible: -    Signed: -
Status: -

Name: EraserUtilRebootDrv.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
Address: 0x8E0B7000    Size: 118784    File Visible: -    Signed: -
Status: -

Name: fileinfo.sys
Image Path: C:\Windows\system32\drivers\fileinfo.sys
Address: 0x8225D000    Size: 65536    File Visible: -    Signed: -
Status: -

Name: fltmgr.sys
Image Path: C:\Windows\system32\drivers\fltmgr.sys
Address: 0x807C5000    Size: 204800    File Visible: -    Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\Windows\System32\Drivers\Fs_Rec.SYS
Address: 0x8D689000    Size: 36864    File Visible: -    Signed: -
Status: -

Name: fwpkclnt.sys
Image Path: C:\Windows\System32\drivers\fwpkclnt.sys
Address: 0x82D7E000    Size: 110592    File Visible: -    Signed: -
Status: -

Name: hal.dll
Image Path: C:\Windows\system32\hal.dll
Address: 0x81C0B000    Size: 208896    File Visible: -    Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\Windows\system32\DRIVERS\HDAudBus.sys
Address: 0x8BC0B000    Size: 577536    File Visible: -    Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\Windows\system32\drivers\HTTP.sys
Address: 0xA84FC000    Size: 446464    File Visible: -    Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\Windows\system32\DRIVERS\i8042prt.sys
Address: 0x8CD3F000    Size: 77824    File Visible: -    Signed: -
Status: -

Name: IDSvix86.sys
Image Path: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\IPSDefs\20100210.001\IDSvix86.sys
Address: 0x8E001000    Size: 360448    File Visible: -    Signed: -
Status: -

Name: igdkmd32.sys
Image Path: C:\Windows\system32\DRIVERS\igdkmd32.sys
Address: 0x8C20B000    Size: 7065600    File Visible: -    Signed: -
Status: -

Name: intelide.sys
Image Path: C:\Windows\system32\drivers\intelide.sys
Address: 0x8077A000    Size: 28672    File Visible: -    Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\Windows\system32\DRIVERS\intelppm.sys
Address: 0x82D99000    Size: 61440    File Visible: -    Signed: -
Status: -

Name: Ironx86.SYS
Image Path: C:\Windows\system32\drivers\NIS\1105000.07F\Ironx86.SYS
Address: 0x82DBB000    Size: 126976    File Visible: -    Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\Windows\system32\DRIVERS\kbdclass.sys
Address: 0x8CD52000    Size: 45056    File Visible: -    Signed: -
Status: -

Name: kdcom.dll
Image Path: C:\Windows\system32\kdcom.dll
Address: 0x80401000    Size: 28672    File Visible: -    Signed: -
Status: -

Name: ks.sys
Image Path: C:\Windows\system32\DRIVERS\ks.sys
Address: 0x8BDA2000    Size: 172032    File Visible: -    Signed: -
Status: -

Name: ksecdd.sys
Image Path: C:\Windows\System32\Drivers\ksecdd.sys
Address: 0x8229A000    Size: 462848    File Visible: -    Signed: -
Status: -

Name: lltdio.sys
Image Path: C:\Windows\system32\DRIVERS\lltdio.sys
Address: 0xA8429000    Size: 65536    File Visible: -    Signed: -
Status: -

Name: luafv.sys
Image Path: C:\Windows\system32\drivers\luafv.sys
Address: 0xA8406000    Size: 110592    File Visible: -    Signed: -
Status: -

Name: mcupdate_GenuineIntel.dll
Image Path: C:\Windows\system32\mcupdate_GenuineIntel.dll
Address: 0x80408000    Size: 458752    File Visible: -    Signed: -
Status: -

Name: mdmxsdk.sys
Image Path: C:\Windows\system32\DRIVERS\mdmxsdk.sys
Address: 0xA9AD4000    Size: 12672    File Visible: -    Signed: -
Status: -

Name: modem.sys
Image Path: C:\Windows\system32\drivers\modem.sys
Address: 0x8CD32000    Size: 53248    File Visible: -    Signed: -
Status: -

Name: monitor.sys
Image Path: C:\Windows\system32\DRIVERS\monitor.sys
Address: 0x82DE4000    Size: 61440    File Visible: -    Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\Windows\system32\DRIVERS\mouclass.sys
Address: 0x8CD5D000    Size: 45056    File Visible: -    Signed: -
Status: -

Name: mountmgr.sys
Image Path: C:\Windows\System32\drivers\mountmgr.sys
Address: 0x8078F000    Size: 65536    File Visible: -    Signed: -
Status: -

Name: mpsdrv.sys
Image Path: C:\Windows\System32\drivers\mpsdrv.sys
Address: 0xA859F000    Size: 86016    File Visible: -    Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\Windows\system32\drivers\mrxdav.sys
Address: 0xA85B4000    Size: 135168    File Visible: -    Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\Windows\system32\DRIVERS\mrxsmb.sys
Address: 0xA85D5000    Size: 126976    File Visible: -    Signed: -
Status: -

Name: mrxsmb10.sys
Image Path: C:\Windows\system32\DRIVERS\mrxsmb10.sys
Address: 0xA9A0E000    Size: 233472    File Visible: -    Signed: -
Status: -

Name: mrxsmb20.sys
Image Path: C:\Windows\system32\DRIVERS\mrxsmb20.sys
Address: 0xA9A47000    Size: 98304    File Visible: -    Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\Windows\System32\Drivers\Msfs.SYS
Address: 0x8D6DD000    Size: 45056    File Visible: -    Signed: -
Status: -

Name: msisadrv.sys
Image Path: C:\Windows\system32\drivers\msisadrv.sys
Address: 0x806E3000    Size: 32768    File Visible: -    Signed: -
Status: -

Name: msiscsi.sys
Image Path: C:\Windows\system32\DRIVERS\msiscsi.sys
Address: 0x8CD80000    Size: 192512    File Visible: -    Signed: -
Status: -

Name: msrpc.sys
Image Path: C:\Windows\system32\drivers\msrpc.sys
Address: 0x82D18000    Size: 176128    File Visible: -    Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\Windows\system32\DRIVERS\mssmbios.sys
Address: 0x8BDCC000    Size: 40960    File Visible: -    Signed: -
Status: -

Name: mup.sys
Image Path: C:\Windows\System32\Drivers\mup.sys
Address: 0x82F5E000    Size: 61440    File Visible: -    Signed: -
Status: -

Name: NAVENG.SYS
Image Path: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100216.039\NAVENG.SYS
Address: 0xAC7A0000    Size: 78208    File Visible: -    Signed: -
Status: -

Name: NAVEX15.SYS
Image Path: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.0.0.136\Definitions\VirusDefs\20100216.039\NAVEX15.SYS
Address: 0xAC65E000    Size: 1318016    File Visible: -    Signed: -
Status: -

Name: ndis.sys
Image Path: C:\Windows\system32\drivers\ndis.sys
Address: 0x82C0D000    Size: 1093632    File Visible: -    Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\Windows\system32\DRIVERS\ndistapi.sys
Address: 0x8BD2C000    Size: 45056    File Visible: -    Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\Windows\system32\DRIVERS\ndiswan.sys
Address: 0x8BD37000    Size: 143360    File Visible: -    Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\Windows\System32\Drivers\NDProxy.SYS
Address: 0x8BDE3000    Size: 69632    File Visible: -    Signed: -
Status: -

Name: netbios.sys
Image Path: C:\Windows\system32\DRIVERS\netbios.sys
Address: 0x8C9F2000    Size: 57344    File Visible: -    Signed: -
Status: -

Name: netbt.sys
Image Path: C:\Windows\System32\DRIVERS\netbt.sys
Address: 0x8C9AA000    Size: 204800    File Visible: -    Signed: -
Status: -

Name: NETIO.SYS
Image Path: C:\Windows\system32\drivers\NETIO.SYS
Address: 0x82D43000    Size: 241664    File Visible: -    Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\Windows\System32\Drivers\Npfs.SYS
Address: 0x8D6E8000    Size: 57344    File Visible: -    Signed: -
Status: -

Name: nsiproxy.sys
Image Path: C:\Windows\system32\drivers\nsiproxy.sys
Address: 0x8BC00000    Size: 40960    File Visible: -    Signed: -
Status: -

Name: Ntfs.sys
Image Path: C:\Windows\System32\Drivers\Ntfs.sys
Address: 0x82E09000    Size: 1114112    File Visible: -    Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\Windows\system32\ntkrnlpa.exe
Address: 0x81C3E000    Size: 3903488    File Visible: -    Signed: -
Status: -

Name: Null.SYS
Image Path: C:\Windows\System32\Drivers\Null.SYS
Address: 0x8D692000    Size: 28672    File Visible: -    Signed: -
Status: -

Name: pacer.sys
Image Path: C:\Windows\system32\DRIVERS\pacer.sys
Address: 0x8C9DC000    Size: 90112    File Visible: -    Signed: -
Status: -

Name: partmgr.sys
Image Path: C:\Windows\System32\drivers\partmgr.sys
Address: 0x80712000    Size: 61440    File Visible: -    Signed: -
Status: -

Name: pci.sys
Image Path: C:\Windows\system32\drivers\pci.sys
Address: 0x806EB000    Size: 159744    File Visible: -    Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\Windows\system32\drivers\PCIIDEX.SYS
Address: 0x80781000    Size: 57344    File Visible: -    Signed: -
Status: -

Name: peauth.sys
Image Path: C:\Windows\system32\drivers\peauth.sys
Address: 0xA9AD8000    Size: 909312    File Visible: -    Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x81C3E000    Size: 3903488    File Visible: -    Signed: -
Status: -

Name: portcls.sys
Image Path: C:\Windows\system32\drivers\portcls.sys
Address: 0x8D637000    Size: 184320    File Visible: -    Signed: -
Status: -

Name: PSHED.dll
Image Path: C:\Windows\system32\PSHED.dll
Address: 0x80478000    Size: 69632    File Visible: -    Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\Windows\System32\DRIVERS\rasacd.sys
Address: 0x8D6F6000    Size: 36864    File Visible: -    Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\Windows\system32\DRIVERS\rasl2tp.sys
Address: 0x8BD15000    Size: 94208    File Visible: -    Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\Windows\system32\DRIVERS\raspppoe.sys
Address: 0x8BD5A000    Size: 61440    File Visible: -    Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\Windows\system32\DRIVERS\raspptp.sys
Address: 0x8BD69000    Size: 81920    File Visible: -    Signed: -
Status: -

Name: rassstp.sys
Image Path: C:\Windows\system32\DRIVERS\rassstp.sys
Address: 0x8BD7D000    Size: 86016    File Visible: -    Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x81C3E000    Size: 3903488    File Visible: -    Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\Windows\system32\DRIVERS\rdbss.sys
Address: 0x805B2000    Size: 245760    File Visible: -    Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\Windows\System32\DRIVERS\RDPCDD.sys
Address: 0x8D6CD000    Size: 32768    File Visible: -    Signed: -
Status: -

Name: rdpencdd.sys
Image Path: C:\Windows\system32\drivers\rdpencdd.sys
Address: 0x8D6D5000    Size: 32768    File Visible: -    Signed: -
Status: -

Name: RecAgent.sys
Image Path: C:\Windows\system32\DRIVERS\SLDRV\RecAgent.sys
Address: 0x82F5A000    Size: 14592    File Visible: -    Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xAC7CC000    Size: 49152    File Visible: No    Signed: -
Status: -

Name: rspndr.sys
Image Path: C:\Windows\system32\DRIVERS\rspndr.sys
Address: 0xA8439000    Size: 77824    File Visible: -    Signed: -
Status: -

Name: RTKVHDA.sys
Image Path: C:\Windows\system32\drivers\RTKVHDA.sys
Address: 0x8D400000    Size: 2319104    File Visible: -    Signed: -
Status: -

Name: Rtlh86.sys
Image Path: C:\Windows\system32\DRIVERS\Rtlh86.sys
Address: 0x8BC98000    Size: 151552    File Visible: -    Signed: -
Status: -

Name: secdrv.SYS
Image Path: C:\Windows\System32\Drivers\secdrv.SYS
Address: 0xA9BB6000    Size: 40960    File Visible: -    Signed: -
Status: -

Name: smb.sys
Image Path: C:\Windows\system32\DRIVERS\smb.sys
Address: 0x8D793000    Size: 81920    File Visible: -    Signed: -
Status: -

Name: spldr.sys
Image Path: C:\Windows\System32\Drivers\spldr.sys
Address: 0x82F52000    Size: 32768    File Visible: -    Signed: -
Status: -

Name: spsys.sys
Image Path: C:\Windows\system32\drivers\spsys.sys
Address: 0xA844C000    Size: 720896    File Visible: -    Signed: -
Status: -

Name: SRTSP.SYS
Image Path: C:\Windows\System32\Drivers\NIS\1105000.07F\SRTSP.SYS
Address: 0xAC607000    Size: 356352    File Visible: -    Signed: -
Status: -

Name: SRTSPX.SYS
Image Path: C:\Windows\system32\drivers\NIS\1105000.07F\SRTSPX.SYS
Address: 0x8BDF4000    Size: 36992    File Visible: -    Signed: -
Status: -

Name: srv.sys
Image Path: C:\Windows\System32\DRIVERS\srv.sys
Address: 0xA9A86000    Size: 319488    File Visible: -    Signed: -
Status: -

Name: srv2.sys
Image Path: C:\Windows\System32\DRIVERS\srv2.sys
Address: 0xA9A5F000    Size: 159744    File Visible: -    Signed: -
Status: -

Name: srvnet.sys
Image Path: C:\Windows\System32\DRIVERS\srvnet.sys
Address: 0xA8569000    Size: 118784    File Visible: -    Signed: -
Status: -

Name: storport.sys
Image Path: C:\Windows\system32\DRIVERS\storport.sys
Address: 0x8CDAF000    Size: 266240    File Visible: -    Signed: -
Status: -

Name: swenum.sys
Image Path: C:\Windows\system32\DRIVERS\swenum.sys
Address: 0x8CC06000    Size: 4992    File Visible: -    Signed: -
Status: -

Name: SYMDS.SYS
Image Path: C:\Windows\system32\drivers\NIS\1105000.07F\SYMDS.SYS
Address: 0x82207000    Size: 352256    File Visible: -    Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: C:\Windows\system32\drivers\NIS\1105000.07F\SYMEFA.SYS
Address: 0x8226D000    Size: 184320    File Visible: -    Signed: -
Status: -

Name: SYMEVENT.SYS
Image Path: C:\Windows\system32\Drivers\SYMEVENT.SYS
Address: 0x8D76E000    Size: 151552    File Visible: -    Signed: -
Status: -

Name: SymIMv.sys
Image Path: C:\Windows\system32\DRIVERS\SymIMv.sys
Address: 0x8D7EF000    Size: 53248    File Visible: -    Signed: -
Status: -

Name: SYMTDIV.SYS
Image Path: C:\Windows\System32\Drivers\NIS\1105000.07F\SYMTDIV.SYS
Address: 0x8D715000    Size: 364544    File Visible: -    Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\Windows\System32\drivers\tcpip.sys
Address: 0x8230B000    Size: 958464    File Visible: -    Signed: -
Status: -

Name: tcpipreg.sys
Image Path: C:\Windows\System32\drivers\tcpipreg.sys
Address: 0xA9BC0000    Size: 49152    File Visible: -    Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\Windows\system32\DRIVERS\TDI.SYS
Address: 0x8CDF0000    Size: 45056    File Visible: -    Signed: -
Status: -

Name: tdx.sys
Image Path: C:\Windows\system32\DRIVERS\tdx.sys
Address: 0x8D6FF000    Size: 90112    File Visible: -    Signed: -
Status: -

Name: termdd.sys
Image Path: C:\Windows\system32\DRIVERS\termdd.sys
Address: 0x8BD92000    Size: 65536    File Visible: -    Signed: -
Status: -

Name: TSDDD.dll
Image Path: C:\Windows\System32\TSDDD.dll
Address: 0x972B0000    Size: 36864    File Visible: -    Signed: -
Status: -

Name: tunmp.sys
Image Path: C:\Windows\system32\DRIVERS\tunmp.sys
Address: 0x82E00000    Size: 36864    File Visible: -    Signed: -
Status: -

Name: tunnel.sys
Image Path: C:\Windows\system32\DRIVERS\tunnel.sys
Address: 0x82FEF000    Size: 45056    File Visible: -    Signed: -
Status: -

Name: umbus.sys
Image Path: C:\Windows\system32\DRIVERS\umbus.sys
Address: 0x8BDD6000    Size: 53248    File Visible: -    Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\Windows\system32\DRIVERS\USBD.SYS
Address: 0x8CD30000    Size: 8192    File Visible: -    Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\Windows\system32\DRIVERS\usbehci.sys
Address: 0x8BD06000    Size: 61440    File Visible: -    Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\Windows\system32\DRIVERS\usbhub.sys
Address: 0x8C975000    Size: 217088    File Visible: -    Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\Windows\system32\DRIVERS\USBPORT.SYS
Address: 0x8BCC8000    Size: 253952    File Visible: -    Signed: -
Status: -

Name: usbuhci.sys
Image Path: C:\Windows\system32\DRIVERS\usbuhci.sys
Address: 0x8BCBD000    Size: 45056    File Visible: -    Signed: -
Status: -

Name: vga.sys
Image Path: C:\Windows\System32\drivers\vga.sys
Address: 0x8D6A0000    Size: 49152    File Visible: -    Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\Windows\System32\drivers\VIDEOPRT.SYS
Address: 0x8D6AC000    Size: 135168    File Visible: -    Signed: -
Status: -

Name: volmgr.sys
Image Path: C:\Windows\system32\drivers\volmgr.sys
Address: 0x80721000    Size: 61440    File Visible: -    Signed: -
Status: -

Name: volmgrx.sys
Image Path: C:\Windows\System32\drivers\volmgrx.sys
Address: 0x80730000    Size: 303104    File Visible: -    Signed: -
Status: -

Name: volsnap.sys
Image Path: C:\Windows\system32\drivers\volsnap.sys
Address: 0x82F19000    Size: 233472    File Visible: -    Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\Windows\system32\DRIVERS\wanarp.sys
Address: 0x82DA8000    Size: 77824    File Visible: -    Signed: -
Status: -

Name: wanatw4.sys
Image Path: C:\Windows\system32\DRIVERS\wanatw4.sys
Address: 0x8CC00000    Size: 20512    File Visible: -    Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\Windows\System32\drivers\watchdog.sys
Address: 0x8C969000    Size: 49152    File Visible: -    Signed: -
Status: -

Name: Wdf01000.sys
Image Path: C:\Windows\system32\drivers\Wdf01000.sys
Address: 0x8060B000    Size: 507904    File Visible: -    Signed: -
Status: -

Name: WDFLDR.SYS
Image Path: C:\Windows\system32\drivers\WDFLDR.SYS
Address: 0x80687000    Size: 53248    File Visible: -    Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0x97090000    Size: 2105344    File Visible: -    Signed: -
Status: -

Name: win32k.sys
Image Path: C:\Windows\System32\win32k.sys
Address: 0x97090000    Size: 2105344    File Visible: -    Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\Windows\system32\drivers\WMILIB.SYS
Address: 0x806DA000    Size: 36864    File Visible: -    Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x81C3E000    Size: 3903488    File Visible: -    Signed: -
Status: -



Thanks!
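As an added example (not part of this thread and not code from RootRepeal or its author), the script below parses driver records in the layout of the RootRepeal listing above and flags the things a helper looks for when reading such a listing: an image loaded from outside the Windows system directories, an entry reported as not visible through the Windows API or not signed, and any non-empty Status. The sample records are constructed; the first three mirror real Windows drivers from the log, the last one is invented purely to trip the checks. The `\Driver\Win32k` object sharing an address range with `win32k.sys`, exactly as in the log above, is treated as expected rather than suspicious.

```python
"""Parse RootRepeal-style driver records and flag entries worth a closer look.

Added example, not the thread's or RootRepeal's own code. The record layout
(Name / Image Path / Address / Size / File Visible / Signed / Status) follows
the log posted above; the sample records are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample in the RootRepeal layout. The first three entries mirror
# real Windows drivers; the last entry is invented to exercise every check.
SAMPLE_LOG = """\
Name: tcpip.sys
Image Path: C:\\Windows\\System32\\drivers\\tcpip.sys
Address: 0x8230B000    Size: 958464    File Visible: -    Signed: -
Status: -

Name: Win32k
Image Path: \\Driver\\Win32k
Address: 0x97090000    Size: 2105344    File Visible: -    Signed: -
Status: -

Name: win32k.sys
Image Path: C:\\Windows\\System32\\win32k.sys
Address: 0x97090000    Size: 2105344    File Visible: -    Signed: -
Status: -

Name: example_hidden.sys
Image Path: C:\\Users\\Public\\example_hidden.sys
Address: 0x8D800000    Size: 40960    File Visible: No    Signed: No
Status: Hidden from Windows API!
"""

# One record = four lines; the third line carries four space-separated fields.
ENTRY_RE = re.compile(
    r"Name: (?P<name>.+)\n"
    r"Image Path: (?P<path>.+)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+)\s+Size: (?P<size>\d+)\s+"
    r"File Visible: (?P<visible>\S+)\s+Signed: (?P<signed>\S+)\n"
    r"Status: (?P<status>.*)"
)


@dataclass
class DriverEntry:
    name: str
    path: str
    address: int   # load address, parsed from the hex string
    size: int      # image size in bytes
    visible: str   # RootRepeal's File Visible column ("-" means not evaluated)
    signed: str    # RootRepeal's Signed column ("-" means not evaluated)
    status: str

    @property
    def end(self) -> int:
        """First address past the image."""
        return self.address + self.size


def parse_drivers(text: str) -> list[DriverEntry]:
    """Return every driver record found in a RootRepeal-style listing."""
    return [
        DriverEntry(m["name"], m["path"], int(m["addr"], 16), int(m["size"]),
                    m["visible"], m["signed"], m["status"].strip())
        for m in ENTRY_RE.finditer(text)
    ]


# Directories a driver image is normally loaded from on a Vista-era system.
EXPECTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\winsxs\\")


def triage(entries: list[DriverEntry]) -> list[tuple[str, str]]:
    """Return (driver name, reason) pairs for entries that deserve a look."""
    findings = []
    for e in entries:
        low = e.path.lower()
        if low.startswith("\\driver\\"):
            continue  # a kernel object name such as \Driver\Win32k, not a file
        if not low.startswith(EXPECTED_PREFIXES):
            findings.append((e.name, "image path outside the Windows system directories"))
        if e.visible.lower() == "no":
            findings.append((e.name, "file not visible through the Windows API"))
        if e.signed.lower() == "no":
            findings.append((e.name, "image reported as unsigned"))
        if e.status not in ("-", ""):
            findings.append((e.name, f"non-empty status: {e.status}"))
    return findings


def overlapping(entries: list[DriverEntry]) -> list[tuple[str, str]]:
    """Pairs of distinct image files whose load ranges overlap.

    Object names (\\Driver\\...) are skipped, so Win32k / win32k.sys sharing a
    range is not reported; two different files in one range would be."""
    files = [e for e in entries if not e.path.lower().startswith("\\driver\\")]
    pairs = []
    for i, a in enumerate(files):
        for b in files[i + 1:]:
            if a.address < b.end and b.address < a.end:
                pairs.append((a.name, b.name))
    return pairs


if __name__ == "__main__":
    drivers = parse_drivers(SAMPLE_LOG)
    for name, reason in triage(drivers):
        print(f"{name}: {reason}")
    for a, b in overlapping(drivers):
        print(f"overlap: {a} / {b}")
```

Columns reading "-" are left alone on purpose: in the listing above RootRepeal did not evaluate visibility or signing for any driver, so "-" carries no information and only an explicit "No" is flagged.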


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:10 AM

Posted 20 February 2010 - 09:54 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE



Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:05:10 AM

Posted 25 February 2010 - 12:14 PM

Due to the lack of feedback, this topic is now closed.
If you need this topic reopened, please PM a staff member and we will reopen it for you (include the address of this thread in your request). This applies to the original topic starter only. Everyone else with similar problems, please start a new topic.
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware
