Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

infected with Trojan Horse Adload


  • This topic is locked This topic is locked
4 replies to this topic

#1 ecman

ecman

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:14 PM

Posted 01 September 2010 - 11:47 AM

Hello kind malware expert. Seems like I had lots of problems hit me at once. (8/25) Problem hit all of a sudden while I was on internet and I started getting rapid repeat messages about trojan virus from norton. Internet Explorer was also redirecting my webpages. Ran malarebytes, and it eradicated Trojan.Hiloti, Trojan.FakeAlert, Trojan.DNSchanger and Rootkit.TDSS.Gen. Still had problems with redirects and computer completely locking up. Downloaded AVG, and 6 instances of Trojan Horse Adload were identified, but only 3 were able to deleted. Thought I ran CCleaner, but it locked everything up. When I ran gmer, it took close to 6 hours and also locked up. I have the DDS files, but sorry, unable to get the gmer files. I can try again if needed. thanks for your help. My "computer guy" always just wants to reformat drive c, and I really wanted to avoid doing that if possible.


DDS (Ver_10-03-17.01) - NTFSx86
Run by teena at 15:21:12.38 on Tue 08/31/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.227 [GMT -7:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\WINDOWS\system32\hpb2ksrv.exe
C:\WINDOWS\system32\hpbhksrv.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\hpstatus.exe
C:\Program Files\CEZEO software\LanTalk XP\LanTalk.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NewTech Infosystems\NTI Backup NOW!\Schdlr32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\vVX6000.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPBSPSVR.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\HPBJDSNT.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Teena\LOCALS~1\Temp\Google Toolbar\gtbB.tmp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\NewTech Infosystems\NTI Backup NOW!\CdBak32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Teena\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.caringbridge.org/visit/ianmackay
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://a.kongregate.com/games/travisapple/acrony/frame/1267410227515/?username=MouthOnlysMom&user_id=2219469&game_auth_token=ffab06d86c8db78648f7d3b8c1186108760bf407c1850d46f7b54f8528c23db3"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [HP Status] c:\windows\system32\hpstatus.exe
mRun: [LanTalk] "c:\program files\cezeo software\lantalk xp\LanTalk.exe"
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Backup NOW! Scheduler] "c:\program files\newtech infosystems\nti backup now!\Schdlr32.exe" -s
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [GoToMyPC] "c:\program files\citrix\gotomypc\g2svc.exe" -logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [VX6000] c:\windows\vVX6000.exe
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Mquqile] rundll32.exe "c:\windows\epafasoc.dll",Startup
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\teena\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\docume~1\teena\startm~1\programs\startup\lantal~1.lnk - c:\program files\cezeo software\lantalk xp\LanTalk.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
Trusted Zone: intuit.com\ttlc
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxps://server/ConnectComputer/nshelp.dll
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: GoToMyPC - c:\program files\citrix\gotomypc\G2WinLogon.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\teena\applic~1\mozilla\firefox\profiles\p8zha61j.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.elcaminostore.com/
FF - component: c:\documents and settings\teena\application data\mozilla\firefox\profiles\p8zha61j.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {E8F78354-7F3A-4083-9CEE-010BA77F72F1} - c:\documents and settings\teena\local settings\application data\{E8F78354-7F3A-4083-9CEE-010BA77F72F1}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R? AVG Security Toolbar Service;AVG Security Toolbar Service
R? Avgfwfd;AVG network filter service
R? ccPwdSvc;Symantec Password Validation
R? gupdate1ca0f1f67e1150c;Google Update Service (gupdate1ca0f1f67e1150c)
R? VX6000;Microsoft LifeCam VX-6000
S? avg9wd;AVG WatchDog
S? Avgfwdx;Avgfwdx
S? avgfws9;AVG Firewall
S? AVGIDSAgent;AVG9IDSAgent
S? AVGIDSDriverxpx;AVG9IDSDriver
S? AVGIDSErHrxpx;AVG9IDSErHr
S? AVGIDSFilterxpx;AVG9IDSFilter
S? AVGIDSShimxpx;AVG9IDSShim
S? AvgLdx86;AVG AVI Loader Driver x86
S? AvgMfx86;AVG On-access Scanner Minifilter Driver x86
S? AvgRkx86;avgrkx86.sys
S? AvgTdiX;AVG Network Redirector
S? ccEvtMgr;Symantec Event Manager
S? ccSetMgr;Symantec Settings Manager
S? IABFilt;Iomega Snapshot Volume Filter
S? m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller
S? NAVENG;NAVENG
S? NAVEX15;NAVEX15
S? SavRoam;SavRoam
S? SAVRT;SAVRT
S? SAVRTPEL;SAVRTPEL
S? Symantec AntiVirus;Symantec AntiVirus

=============== Created Last 30 ================

2010-08-30 04:13:16 0 d-----w- c:\program files\Yahoo!
2010-08-30 04:12:59 0 d-----w- c:\program files\CCleaner
2010-08-30 00:01:38 25168 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-08-30 00:01:38 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-08-30 00:01:37 52872 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-08-30 00:01:34 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-08-30 00:01:22 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-08-30 00:01:08 0 d-----w- c:\windows\system32\drivers\Avg
2010-08-30 00:01:02 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-08-29 23:57:57 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-08-29 23:57:57 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-08-29 23:55:59 0 d-----w- c:\program files\AVG
2010-08-29 23:55:20 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-08-26 05:49:02 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-25 21:48:01 0 d-----w- c:\docume~1\teena\applic~1\Malwarebytes
2010-08-25 21:47:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-25 21:47:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-25 21:47:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-25 21:47:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-25 21:29:15 120 ----a-w- c:\windows\Hkaganidesu.dat
2010-08-25 21:29:15 0 ----a-w- c:\windows\Fgisuyaxu.bin

==================== Find3M ====================

2010-07-20 17:43:04 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-06-14 14:30:28 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe

============= FINISH: 15:29:42.32 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:14 PM

Posted 09 September 2010 - 07:22 AM

Hello ecman, My name is Syler and I will be helping you to solve your malware issues. Sorry for the delay
in replying, we are very busy at the moment.

Please note because we are very busy, if I don't hear from you within 5 days the topic will be closed, If you
have since resolved your issues I would appreciate if you would let me no so I can close this topic.


I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove two of these AVG, McAfee or Symantec.



Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check all of the boxes. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"




We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
    Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\*. /mp /s
    %SYSTEMDRIVE%\*.exe
    netsvcs
    msconfig
    drivers32
    CREATERESTOREPOINT

  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized


Then please post back here with the following logs:
  • RKUnHooker report
  • OTL.txt
  • Extra.txt
Thanks

Edited by syler, 09 September 2010 - 07:27 AM.

unite.jpg


#3 ecman

ecman
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:14 PM

Posted 09 September 2010 - 12:27 PM

Thank you Syler for your response. No problem on the delay. I understand it's been busy, and I'm a patient person. I uninstalled AVG. I can't find mcafee to uninstall it. Below are the reports that you requested.

The RKUnhooker Report:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 2)
Number of processors #2
==============================================
>SSDT State
==============================================
ntkrnlpa.exe-->NtConnectPort, Type: Address change 0x805A3466-->E2040340 [Unknown module filename]
==============================================
>Shadow
==============================================
==============================================
>Processes
==============================================
0x86DC4A00 [4] System
0x8600A9E8 [240] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation, CTF Loader)
0x861AC1F8 [384] C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (Symantec Corporation, Common Client Settings Manager Service)
0x860C3DA0 [420] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (Symantec Corporation, Common Client Event Manager Service)
0x85FA9DA0 [612] C:\WINDOWS\system32\spoolsv.exe (Microsoft Corporation, Spooler SubSystem App)
0x860F6368 [688] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85E75B78 [752] C:\Program Files\Symantec AntiVirus\SavRoam.exe (symantec, SAVRoam)
0x860E4DA0 [764] C:\Program Files\Symantec AntiVirus\DefWatch.exe (Symantec Corporation, Virus Definition Daemon)
0x85E90B80 [840] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85E6C950 [856] C:\Program Files\Symantec AntiVirus\Rtvscan.exe (Symantec Corporation, Symantec AntiVirus)
0x85F21448 [860] C:\WINDOWS\system32\smss.exe (Microsoft Corporation, Windows NT Session Manager)
0x8556A9F0 [896] C:\Program Files\Skype\Plugin Manager\skypePM.exe (Skype Technologies, Skype Extras Manager)
0x861F9020 [908] C:\WINDOWS\system32\csrss.exe (Microsoft Corporation, Client Server Runtime Process)
0x86294C88 [932] C:\WINDOWS\system32\winlogon.exe (Microsoft Corporation, Windows NT Logon Application)
0x86192220 [980] C:\WINDOWS\system32\services.exe (Microsoft Corporation, Services and Controller app)
0x861D73A0 [992] C:\WINDOWS\system32\lsass.exe (Microsoft Corporation, LSA Shell (Export Version))
0x86243BD8 [1160] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
0x8620B020 [1196] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x860449A8 [1220] C:\WINDOWS\stsystra.exe (SigmaTel, Inc., Sigmatel Audio system tray application)
0x86179980 [1272] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85F39DA0 [1384] C:\WINDOWS\system32\hpb2ksrv.exe (Hewlett-Packard Company, HP Status Win2k Service)
0x85E2A020 [1420] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x85F83960 [1484] C:\WINDOWS\system32\hpbhksrv.exe (Hewlett-Packard Company, HP Status Driver Hooking Service)
0x86071B78 [1516] C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe (Intel Corporation, RAID Monitor)
0x85F93B78 [1536] C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe (Intuit Inc., Intuit Update Service)
0x85F88020 [1548] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x8602EB78 [1584] C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation, Machine Debug Manager)
0x85FF9020 [1668] C:\WINDOWS\system32\svchost.exe (Microsoft Corporation, Generic Host Process for Win32 Services)
0x86091950 [1676] C:\WINDOWS\system32\nvsvc32.exe (NVIDIA Corporation, NVIDIA Driver Helper Service, Version 82.68)
0x8575B970 [1760] C:\Program Files\WinZip\WZQKPICK.EXE (WinZip Computing, S.L., WinZip Executable)
0x861D2A78 [1852] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc., GoogleToolbarNotifier)
0x861D3020 [1860] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation, Common Client User Session)
0x862DC958 [1936] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe (Hewlett-Packard, Hewlett-Packard T-TR Status Client)
0x8602B020 [2092] C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation, Internet Explorer)
0x86112A68 [2116] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation, Event Monitor User Notification Tool)
0x85990B78 [2468] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions, Drive Letter Access Component)
0x85E7C020 [2492] C:\Documents and Settings\Teena\Desktop\RKUnhookerLE.EXE (UG North, RKULE, SR2 Normandy)
0x8574FDA0 [2560] C:\WINDOWS\vVX6000.exe (Microsoft Corporation
, Microsoft LifeCam VX6000 Device Application)
0x85F19C68 [2584] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation, Macrovision Software Manager Scheduler)
0x85ECC6F8 [2620] C:\WINDOWS\system32\alg.exe (Microsoft Corporation, Application Layer Gateway Service)
0x8590D5D0 [2684] C:\PROGRA~1\SYMANT~1\VPTray.exe (Symantec Corporation, Symantec AntiVirus)
0x859C6DA0 [2740] C:\WINDOWS\system32\hpstatus.exe (Hewlett-Packard Company, HP Printer Status and Alerts)
0x857BB738 [2772] C:\Program Files\CEZEO software\LanTalk XP\LanTalk.exe (CEZEO software ©, LanTalk Lan Messenger)
0x857BD648 [2812] C:\WINDOWS\system32\hpbspsvr.exe (Hewlett-Packard Company, HP SocketPing Server)
0x859455F0 [2832] C:\Program Files\QuickTime\qttask.exe (Apple Inc., QuickTime Task)
0x857D1DA0 [2852] C:\Program Files\NewTech Infosystems\NTI Backup NOW!\Schdlr32.exe (NTI, Schdlr32)
0x85941728 [2868] C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe (Adobe Systems Inc., AcroTray)
0x855C5020 [3164] C:\WINDOWS\system32\HPBPRO.EXE (Hewlett-Packard Company, PortResolver Module)
0x862B6020 [3304] C:\WINDOWS\system32\HPBPRO.EXE (Hewlett-Packard Company, PortResolver Module)
0x859AD4A0 [3428] C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
0x859CA7D0 [3464] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation, Macrovision Software Manager)
0x859ACB78 [3476] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited, RIM Auto Update)
0x8603F5F8 [3708] C:\WINDOWS\explorer.exe (Microsoft Corporation, Windows Explorer)
0x857CA740 [3728] C:\Program Files\Skype\Phone\Skype.exe (Skype Technologies S.A., Skype )
0x8572D928 [3732] C:\DOCUME~1\Teena\LOCALS~1\Temp\Google Toolbar\gtbF.tmp.exe (Google Inc., Google Toolbar Installer)
0x85E94BC0 [3932] C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation, Internet Explorer)
0x85758020 [3956] C:\WINDOWS\system32\hpbjdsnt.exe (Hewlett-Packard Company, HP Job Detector)
0x860F2DA0 [4036] C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation, Internet Explorer)
0x86086020 [4072] C:\WINDOWS\system32\wuauclt.exe (Microsoft Corporation, Windows Update)
==============================================
>Drivers
==============================================
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 3919872 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 82.68 )
0xF5B60000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 3584000 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 82.68 )
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2146304 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2146304 bytes
0x804D7000 RAW 2146304 bytes
0x804D7000 WMIxWDM 2146304 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF30F5000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100906.003\navex15.sys 1359872 bytes (Symantec Corporation, AV Engine)
0xF32C5000 C:\WINDOWS\system32\drivers\sthda.sys 1114112 bytes (SigmaTel, Inc., NDRC)
0xF2D77000 C:\WINDOWS\System32\Drivers\dump_iaStor.sys 749568 bytes
0xF7448000 iaStor.sys 749568 bytes (Intel Corporation, Intel Matrix Storage Manager driver)
0xF735C000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF2EB6000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF2E56000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 393216 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xF59BD000 C:\WINDOWS\system32\DRIVERS\update.sys 364544 bytes (Microsoft Corporation, Update Driver)
0xF2FFB000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xB9EFE000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xF3254000 C:\Program Files\Symantec AntiVirus\savrt.sys 323584 bytes (Symantec Corporation, AutoProtect)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xF2FBB000 C:\WINDOWS\System32\Drivers\SYMTDI.SYS 262144 bytes (Symantec Corporation, Network Dispatch Driver)
0xF5B13000 C:\WINDOWS\system32\DRIVERS\e1e5132.sys 233472 bytes (Intel Corporation, Intel® PRO/1000 Adapter NDIS 5.2 deserialized driver)
0xF5A92000 C:\WINDOWS\system32\DRIVERS\m4cxw2k3.sys 229376 bytes (D-Link Corporation, NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller)
0xF30AE000 C:\WINDOWS\system32\DRIVERS\Dot4.sys 208896 bytes (Microsoft Corporation, One Cool Transport)
0xF5A16000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF7555000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF732F000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xBA0BD000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 180224 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9088000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xF2F25000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF2F72000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF74FF000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF5ACA000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 155648 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0)
0xBA5DD000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 143360 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF5A6F000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB99DB000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0xF5AF0000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF2F50000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xF32A3000 C:\WINDOWS\system32\drivers\portcls.sys 139264 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF2F9A000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)
0x806E3000 ACPI_HAL 134272 bytes
0x806E3000 C:\WINDOWS\system32\hal.dll 134272 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF7428000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7525000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF7314000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xBA46F000 C:\WINDOWS\System32\DLA\DLAUDFAM.SYS 98304 bytes (Sonic Solutions, Drive Letter Access Component)
0xF73E9000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF5A58000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xBA487000 C:\WINDOWS\System32\DLA\DLAIFS_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xBA459000 C:\WINDOWS\System32\DLA\DLAUDF_M.SYS 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7400000 DRVMCDB.SYS 90112 bytes (Sonic Solutions, Device Driver)
0xB90D6000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF30E1000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100906.003\naveng.sys 81920 bytes (Symantec Corporation, AV Engine)
0xF5B4C000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF3053000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF3241000 C:\Program Files\Symantec\SYMEVENT.SYS 77824 bytes (Symantec Corporation, Symantec Event Library)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF7416000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF7544000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF5A47000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF77F4000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF6BAD000 C:\Program Files\Symantec AntiVirus\Savrtpel.sys 65536 bytes (Symantec Corporation, SAVRTPEL)
0xF6BBD000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF78D4000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB9B46000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF6BCD000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF78C4000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 53248 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF76C4000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF78E4000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF76A4000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF76F4000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF78B4000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF7694000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF78F4000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF78A4000 C:\WINDOWS\System32\Drivers\DRVNDDM.SYS 40960 bytes (Sonic Solutions, Device Driver Manager)
0xF6BDD000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF7714000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF76B4000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF77C4000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF7844000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF7874000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF7684000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF7704000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF77A4000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xB9AC6000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF76D4000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF7794000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF7A14000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF79B4000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF79EC000 C:\WINDOWS\System32\DLA\DLABOIOM.SYS 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7974000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF790C000 IABFilt.sys 28672 bytes (Iomega, Volume Filter Driver Windows 2000/XP/2003)
0xF7A34000 C:\WINDOWS\system32\DRIVERS\RimSerial.sys 28672 bytes (Research in Motion Ltd, RIM Virtual Serial Driver)
0xF7A0C000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 28672 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF7A4C000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF798C000 C:\WINDOWS\System32\Drivers\DLARTL_N.SYS 24576 bytes (Sonic Solutions, Shared Driver Component)
0xF793C000 C:\WINDOWS\system32\DRIVERS\dot4usb.sys 24576 bytes (Microsoft Corporation, DOT4USB filter driver)
0xF7A3C000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7A44000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF791C000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xF7994000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF79AC000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7904000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF7A24000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF7A2C000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF7A1C000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF7A04000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 20480 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF79A4000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA4D5000 C:\WINDOWS\System32\DLA\DLAOPIOM.SYS 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7B6C000 C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys 16384 bytes (Microsoft Corporation, Dot4 Printer Driver)
0xF5999000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7B60000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xBA515000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xF7A94000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF72DF000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF729B000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xF7B70000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF7B44000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF72AB000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xB8AAF000 C:\WINDOWS\System32\Drivers\SYMREDRV.SYS 12288 bytes (Symantec Corporation, Redirector Filter Driver)
0xF7BA4000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF6361000 C:\WINDOWS\System32\Drivers\DLACDBHM.SYS 8192 bytes (Sonic Solutions, Shared Driver Component)
0xF6869000 C:\WINDOWS\System32\DLA\DLAPoolM.SYS 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7B88000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xF7BA0000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF6321000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 8192 bytes (Microsoft Corporation, I2O Utility Filter)
0xF7B84000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7BBC000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7BC0000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF635F000 C:\WINDOWS\System32\Drivers\RootMdm.sys 8192 bytes (Microsoft Corporation, Legacy Non-Pnp Modem Device Driver)
0xF635D000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF6349000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7B86000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF6398000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7D5C000 C:\WINDOWS\System32\DLA\DLADResN.SYS 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7DA5000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7D6C000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
!!!!!!!!!!!Hidden driver: 0x86CE2AEA ?_empty_? 1302 bytes
!!!!!!!!!!!Hidden driver: 0x86322900 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xF7448000 WARNING: suspicious driver modification [iaStor.sys::0x86CE2AEA]
0x05680000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x85F93B78 ] PID: 1536, 1077248 bytes
0x05620000 Hidden Image-->System.ServiceProcess.dll [ EPROCESS 0x85F93B78 ] PID: 1536, 126976 bytes
0x03680000 Hidden Image-->System.XML.dll [ EPROCESS 0x85F93B78 ] PID: 1536, 2060288 bytes
0x04A40000 Hidden Image-->System.EnterpriseServices.dll [ EPROCESS 0x85F93B78 ] PID: 1536, 266240 bytes
0x04790000 Hidden Image-->System.Transactions.dll [ EPROCESS 0x85F93B78 ] PID: 1536, 270336 bytes
0x05A30000 Hidden Image-->log4net.dll [ EPROCESS 0x85F93B78 ] PID: 1536, 282624 bytes
0x04420000 Hidden Image-->System.Data.dll [ EPROCESS 0x85F93B78 ] PID: 1536, 2961408 bytes
0x04D10000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x85F93B78 ] PID: 1536, 307200 bytes
0x038A0000 Hidden Image-->System.dll [ EPROCESS 0x85F93B78 ] PID: 1536, 3190784 bytes
0xF7684000 WARNING: Virus alike driver modification [isapnp.sys], 36864 bytes
0x06480000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x85F93B78 ] PID: 1536, 421888 bytes
0x035F0000 Hidden Image-->System.configuration.dll [ EPROCESS 0x85F93B78 ] PID: 1536, 438272 bytes
0x01380000 Hidden Image-->Intuit.Spc.Foundations.Portability.dll [ EPROCESS 0x85F93B78 ] PID: 1536, 471040 bytes
0x04880000 Hidden Image-->Intuit.Spc.Map.Reporter.dll [ EPROCESS 0x85F93B78 ] PID: 1536, 479232 bytes
0x06080000 Hidden Image-->Intuit.Spc.Map.Reporter.dll [ EPROCESS 0x85F93B78 ] PID: 1536, 479232 bytes
0x04F60000 Hidden Image-->System.Windows.Forms.dll [ EPROCESS 0x85F93B78 ] PID: 1536, 5033984 bytes
0x012F0000 Hidden Image-->Intuit.Spc.Foundations.Primary.Logging.dll [ EPROCESS 0x85F93B78 ] PID: 1536, 53248 bytes
0x054B0000 Hidden Image-->System.Drawing.dll [ EPROCESS 0x85F93B78 ] PID: 1536, 634880 bytes
0x01330000 Hidden Image-->Intuit.Spc.Foundations.Primary.ExceptionHandling.dll [ EPROCESS 0x85F93B78 ] PID: 1536, 77824 bytes
0x04360000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x85F93B78 ] PID: 1536, 778240 bytes
0x035C0000 Hidden Image-->Intuit.Spc.Foundations.Primary.Config.dll [ EPROCESS 0x85F93B78 ] PID: 1536, 86016 bytes
0x05EF0000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x85F93B78 ] PID: 1536, 872448 bytes
==============================================
>Files
==============================================
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006EA7E, Type: Inline - RelativeJump 0x80545A7E-->80545A85 [ntkrnlpa.exe]
[1420]svchost.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[1420]svchost.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[1420]svchost.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[1420]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[1420]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[1420]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[1420]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x7E41BD76-->00000000 [unknown_code_page]
[3708]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[3708]explorer.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[3708]explorer.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[3708]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[3708]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[3708]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[3932]iexplore.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[3932]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DD1214-->00000000 [aclayers.dll]
[3932]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DD105C-->00000000 [aclayers.dll]
[3932]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DD11E0-->00000000 [aclayers.dll]
[3932]iexplore.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[3932]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084-->00000000 [aclayers.dll]
[3932]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078-->00000000 [aclayers.dll]
[3932]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8-->00000000 [aclayers.dll]
[3932]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040106C-->00000000 [shimeng.dll]
[3932]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00401098-->00000000 [aclayers.dll]
[3932]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x004010E8-->00000000 [aclayers.dll]
[3932]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x004010C0-->00000000 [aclayers.dll]
[3932]iexplore.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[3932]iexplore.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[3932]iexplore.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[3932]iexplore.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[3932]iexplore.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[3932]iexplore.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[3932]iexplore.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[3932]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13E8-->00000000 [aclayers.dll]
[3932]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C163C-->00000000 [aclayers.dll]
[3932]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C161C-->00000000 [aclayers.dll]
[3932]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C15A0-->00000000 [aclayers.dll]
[3932]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x7E41FC25-->00000000 [ieframe.dll]
[3932]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E456B50-->00000000 [ieframe.dll]
[3932]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E432032-->00000000 [ieframe.dll]
[3932]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E43B10C-->00000000 [ieframe.dll]
[3932]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E42555F-->00000000 [ieframe.dll]
[3932]iexplore.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[3932]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E4112F8-->00000000 [aclayers.dll]
[3932]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->00000000 [aclayers.dll]
[3932]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E411340-->00000000 [aclayers.dll]
[3932]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E4505FC-->00000000 [ieframe.dll]
[3932]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E4505D8-->00000000 [ieframe.dll]
[3932]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E43A04A-->00000000 [ieframe.dll]
[3932]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E4662AB-->00000000 [ieframe.dll]
[4036]iexplore.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[4036]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77DD1214-->00000000 [aclayers.dll]
[4036]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77DD105C-->00000000 [aclayers.dll]
[4036]iexplore.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77DD11E0-->00000000 [aclayers.dll]
[4036]iexplore.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[4036]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x77F11084-->00000000 [aclayers.dll]
[4036]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x77F11078-->00000000 [aclayers.dll]
[4036]iexplore.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x77F110B8-->00000000 [aclayers.dll]
[4036]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x0040106C-->00000000 [shimeng.dll]
[4036]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x00401098-->00000000 [aclayers.dll]
[4036]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x004010E8-->00000000 [aclayers.dll]
[4036]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x004010C0-->00000000 [aclayers.dll]
[4036]iexplore.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[4036]iexplore.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[4036]iexplore.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[4036]iexplore.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[4036]iexplore.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[4036]iexplore.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[4036]iexplore.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[4036]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7C9C13E8-->00000000 [aclayers.dll]
[4036]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExA, Type: IAT modification 0x7C9C163C-->00000000 [aclayers.dll]
[4036]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7C9C161C-->00000000 [aclayers.dll]
[4036]iexplore.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7C9C15A0-->00000000 [aclayers.dll]
[4036]iexplore.exe-->user32.dll-->CallNextHookEx, Type: Inline - RelativeJump 0x7E41F85B-->00000000 [ieframe.dll]
[4036]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x7E41FC25-->00000000 [ieframe.dll]
[4036]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x7E456B50-->00000000 [ieframe.dll]
[4036]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x7E432032-->00000000 [ieframe.dll]
[4036]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x7E43B10C-->00000000 [ieframe.dll]
[4036]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E42555F-->00000000 [ieframe.dll]
[4036]iexplore.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]
[4036]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT modification 0x7E4112F8-->00000000 [aclayers.dll]
[4036]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryExW, Type: IAT modification 0x7E411208-->00000000 [aclayers.dll]
[4036]iexplore.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT modification 0x7E411340-->00000000 [aclayers.dll]
[4036]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x7E4505FC-->00000000 [ieframe.dll]
[4036]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x7E4505D8-->00000000 [ieframe.dll]
[4036]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x7E43A04A-->00000000 [ieframe.dll]
[4036]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x7E4662AB-->00000000 [ieframe.dll]
[4036]iexplore.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x7E42DDB5-->00000000 [ieframe.dll]
[4036]iexplore.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x7E41F21E-->00000000 [ieframe.dll]
[4072]wuauclt.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[4072]wuauclt.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[4072]wuauclt.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[4072]wuauclt.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[4072]wuauclt.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[4072]wuauclt.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)


The otl text and extras text are attached.

Thank you so much for your help.

Attached Files



#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:14 PM

Posted 09 September 2010 - 05:59 PM

It's just some remnants of McAfee that I am seeing, we can clean them up.

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.



Download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If any suspicious items are found, let it skip them for now
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

unite.jpg


#5 syler

syler

  • Malware Response Team
  • 8,150 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Warrington, UK
  • Local time:08:14 PM

Posted 14 September 2010 - 10:39 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

unite.jpg





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users