
Persistent Malware - Not Clean?


This topic is locked
41 replies to this topic

#1 MarJayz
  • Members
  • 23 posts

Posted 08 December 2010 - 10:07 AM

I’ve been experiencing malware issues for a couple weeks now. I’ve used all the standard tools and everything will seem fine for a couple of days but then issues resurface.

The most recent problem was a Google redirect issue. A local IT professional recommended a ComboFix run which seemed to resolve the redirect, but now the entire system is sluggish and pages load slowly. Running subsequent scans with TrendMicro AV and Malwarebytes in normal mode find nothing, but when run from Safe Mode both programs bomb: TM generates the blue screen of death, Malwarebytes ends with multiple “Windows – Delayed Write Failed” boxes. I’m not convinced I’m “clean”.

If anyone can offer guidance I’d greatly appreciate it.


#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,820 posts
  • Gender:Female
  • Location:Romania

Posted 09 December 2010 - 05:14 AM

Hello and welcome to BleepingComputer!

Those errors can also be caused by hard disk errors.

Depending a bit on your version of Windows, click Start > Run, type chkdsk /r and press enter. Type Y and press enter to schedule a disk check for next reboot.

Restart your computer and allow the disk check to run unhindered. Note - this may take some time.

When done, let me know how your computer is running.

regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 MarJayz (Topic Starter)

Posted 09 December 2010 - 11:00 AM

Thank you for your response.

I will run chkdsk and report back, but I'm convinced my problem is more serious. After my initial post, my computer took a turn for the worse: now I can't download anything. Last night I tried unsuccessfully to download both Adobe Reader X and IE8...it starts but then stops immediately, like a process is preventing any download activity.

Thanks again for your help!!

PS...It may just be my heightened awareness, but it seems like a disproportionate number of newer posts are referencing the Google redirect (which was my initial problem a couple of weeks back). From your perspective does the volume seem unusually high?

#4 Elise

Posted 09 December 2010 - 11:12 AM

There are a lot of different infections causing Google redirects, which explains why so many are seen.

If checkdisk doesn't correct anything we'll investigate further, but the delayed write error typically points at a hard disk problem.

regards, Elise


#5 MarJayz (Topic Starter)

Posted 09 December 2010 - 09:06 PM

Here are the results of the CHKDSK:

Checking file system on C:
The type of the file system is NTFS.
Cleaning up minor inconsistencies on the drive.
Cleaning up 1 unused index entries from index $SII of file 0x9.
Cleaning up 1 unused index entries from index $SDH of file 0x9.
Cleaning up 1 unused security descriptors.
CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
Read failure with status 0xc000009c at offset 0x3603ab000 for 0x1000 bytes.
Read failure with status 0xc000009c at offset 0x3603ab000 for 0x1000 bytes.
Windows replaced bad clusters in file 13561
of name \DOCUME~1\DEFAUL~1\STARTM~1\Programs\INTERN~1.LNK.
Read failure with status 0xc000009c at offset 0x34e38f000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0x34e39d000 for 0x1000 bytes.
Read failure with status 0xc000009c at offset 0x34e3ee000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0x34e3f6000 for 0x1000 bytes.
Read failure with status 0xc000009c at offset 0x34e447000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0x34e44f000 for 0x1000 bytes.
Read failure with status 0xc000009c at offset 0x34e4a0000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0x34e4a8000 for 0x1000 bytes.
Read failure with status 0xc000009c at offset 0x34e4f9000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0x34e501000 for 0x1000 bytes.
Windows replaced bad clusters in file 43138
of name \PROGRA~1\TRENDM~1\INTERN~2\AU_Data\AU_Temp\3892_5~1\3\4\lpt$vpn.645.
Read failure with status 0xc000009c at offset 0x355c8b000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0x355c94000 for 0x1000 bytes.
Read failure with status 0xc000009c at offset 0x355ce5000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0x355ced000 for 0x1000 bytes.
Read failure with status 0xc000009c at offset 0x355d3e000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0x355d46000 for 0x1000 bytes.
Windows replaced bad clusters in file 115279
of name \DOCUME~1\Mark\MYDOCU~1\STAVE\Ads_Mktg\2008NC~1.PSD.
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.
Adding 9 bad clusters to the Bad Clusters File.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
Correcting errors in the Volume Bitmap.
Windows has made corrections to the file system.

53665132 KB total disk space.
48281196 KB in 109116 files.
45380 KB in 13071 indexes.
36 KB in bad sectors.
344748 KB in use by the system.
65536 KB occupied by the log file.
4993772 KB available on disk.

4096 bytes in each allocation unit.
13416283 total allocation units on disk.
1248443 allocation units available on disk.

Internal Info:
60 5a 02 00 52 dd 01 00 a0 c8 02 00 00 00 00 00 `Z..R...........
10 19 00 00 04 00 00 00 b1 04 00 00 00 00 00 00 ................
b2 9b d3 06 00 00 00 00 bc 04 ae 8b 00 00 00 00 ................
e0 10 98 26 00 00 00 00 ee 90 8a bc 07 00 00 00 ...&............
26 87 fb 97 00 00 00 00 14 ec 06 18 09 00 00 00 &...............
99 9e 36 00 00 00 00 00 a0 38 07 00 3c aa 01 00 ..6......8..<...
00 00 00 00 00 b0 d9 82 0b 00 00 00 0f 33 00 00 .............3..

Windows has finished checking your disk.
Please wait while your computer restarts.
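Added example (not part of this thread, and not a BleepingComputer, Microsoft or Trend Micro tool): a small Python script that reads a CHKDSK /r transcript like the one above and reduces it to the facts a responder needs when deciding between "failing disk" and "malware". The sample text is constructed from a few lines of the posted output; the regexes, the STATUS_NAMES table (which only carries the one NTSTATUS the transcript shows, 0xc000009c = STATUS_DEVICE_DATA_ERROR) and the verdict labels are my own choices.

```python
"""Triage a CHKDSK /r transcript: separate disk-hardware symptoms from everything else."""
import re
from collections import Counter

# Constructed sample, modelled on the transcript posted in this thread (not the full output).
SAMPLE_CHKDSK = r"""
Checking file system on C:
The type of the file system is NTFS.
CHKDSK is verifying file data (stage 4 of 5)...
Read failure with status 0xc000009c at offset 0x3603ab000 for 0x1000 bytes.
Read failure with status 0xc000009c at offset 0x3603ab000 for 0x1000 bytes.
Windows replaced bad clusters in file 13561
of name \DOCUME~1\DEFAUL~1\STARTM~1\Programs\INTERN~1.LNK.
Read failure with status 0xc000009c at offset 0x34e38f000 for 0x10000 bytes.
Windows replaced bad clusters in file 43138
of name \PROGRA~1\TRENDM~1\INTERN~2\AU_Data\AU_Temp\3892_5~1\3\4\lpt$vpn.645.
File data verification completed.
Adding 9 bad clusters to the Bad Clusters File.
Windows has made corrections to the file system.
"""

# NTSTATUS values CHKDSK reports on failed reads; only the one seen in the thread is listed.
STATUS_NAMES = {"0xc000009c": "STATUS_DEVICE_DATA_ERROR"}

READ_FAIL = re.compile(
    r"Read failure with status (0x[0-9a-f]+) at offset (0x[0-9a-f]+) for (0x[0-9a-f]+) bytes", re.I
)
BAD_FILE = re.compile(r"Windows replaced bad clusters in file (\d+)")
OF_NAME = re.compile(r"^of name (.+?)\.?$")          # continuation line; strip the trailing period
BAD_CLUSTERS = re.compile(r"Adding (\d+) bad clusters to the Bad Clusters File")


def parse_chkdsk(text):
    """Return the hardware-relevant facts from a CHKDSK transcript."""
    result = {
        "read_failures": [],       # (offset, length) per failed read; duplicates are kept
        "status_counts": Counter(),
        "damaged_files": [],       # (MFT file number, 8.3 path) of files that had clusters replaced
        "bad_clusters_added": 0,
        "corrected": False,
    }
    pending_file = None            # file number waiting for its "of name ..." continuation line
    for raw in text.splitlines():
        line = raw.strip()
        m = READ_FAIL.search(line)
        if m:
            status, offset, length = m.groups()
            result["read_failures"].append((int(offset, 16), int(length, 16)))
            result["status_counts"][status.lower()] += 1
            continue
        m = BAD_FILE.search(line)
        if m:
            pending_file = int(m.group(1))
            continue
        m = OF_NAME.match(line)
        if m and pending_file is not None:
            result["damaged_files"].append((pending_file, m.group(1)))
            pending_file = None
            continue
        m = BAD_CLUSTERS.search(line)
        if m:
            result["bad_clusters_added"] = int(m.group(1))
        elif "Windows has made corrections" in line:
            result["corrected"] = True
    return result


def triage(parsed):
    """Turn the parsed facts into a verdict a responder can act on."""
    distinct_offsets = {off for off, _ in parsed["read_failures"]}
    findings = []
    for status, n in parsed["status_counts"].items():
        name = STATUS_NAMES.get(status, "unknown NTSTATUS")
        findings.append(f"{n} failed reads with {status} ({name})")
    if parsed["bad_clusters_added"]:
        findings.append(f"{parsed['bad_clusters_added']} clusters remapped to the Bad Clusters File ($BadClus)")
    for file_no, path in parsed["damaged_files"]:
        # Data in a remapped cluster is gone; the file may be truncated or corrupt.
        findings.append(f"file {file_no} ({path}) lost data and should be treated as corrupt")
    verdict = "hardware" if distinct_offsets or parsed["bad_clusters_added"] else "no-disk-errors"
    return {"verdict": verdict, "distinct_failed_offsets": len(distinct_offsets), "findings": findings}


if __name__ == "__main__":
    report = triage(parse_chkdsk(SAMPLE_CHKDSK))
    print(report["verdict"], "-", report["distinct_failed_offsets"], "distinct failed offsets")
    for finding in report["findings"]:
        print(" -", finding)
```

A "hardware" verdict does not rule malware out, it only says the disk is failing on its own; the value of the script is the list of damaged files, which tells you which artefacts (here a Start Menu shortcut and an antivirus update temp file) can no longer be trusted as evidence.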

#6 MarJayz (Topic Starter)

Posted 09 December 2010 - 09:42 PM

I've just confirmed that I still cannot download, so my problem persists.

Edited by MarJayz, 09 December 2010 - 09:43 PM.


#7 Elise

Posted 10 December 2010 - 03:18 AM

First of all, your drive has some bad sectors. I strongly recommend you back up any important data (just in case...). Every piece of hardware eventually gives up and when that happens you can't be too prepared.

As for malware, let's do a scan first.

Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note - if you get the following warning, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

Click on Cancel, then Accept.

regards, Elise


#8 MarJayz (Topic Starter)

Posted 10 December 2010 - 07:23 AM

Do I really want to add the URL referenced below to my list of Approved Sites?
When I try to download, I get this message:

Trend Micro Internet Security has identified this Web page as undesirable.
--------------------------------------------------------------------------------
Address: http://www.kernelmode.info/ARKs/RKUnhookerLE.EXE
Credibility: Dangerous

If you still want to see this blocked page:
Click the Windows Start button and launch Trend Micro Internet Security from the list under All Programs.
Click Internet & Email Controls.
Click the Settings... button under Parental Controls or Protection Against Web Threats.
Click the List of Approved Web Sites link in the next window that opens.
Copy and paste the address of the blocked Web site into the list.

Note: If you think that Trend Micro Internet Security should not block this Web page, please notify Trend Micro by clicking this button:

#9 Elise

Posted 10 December 2010 - 08:21 AM

I can assure you the site is trustworthy, so you can add it.

regards, Elise


#10 MarJayz (Topic Starter)

Posted 10 December 2010 - 01:18 PM

Since I can't download anything, is it okay to download the program on another computer and transfer via thumb drive?

#11 Elise

Posted 10 December 2010 - 02:21 PM

Yes, that is fine; however, I recommend you use Flash Disinfector to protect the other computer from possible infection.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

regards, Elise


#12 MarJayz (Topic Starter)

Posted 10 December 2010 - 05:49 PM

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 2)
Number of processors #1
==============================================
>Drivers
==============================================
0xF64B4000 C:\WINDOWS\system32\DRIVERS\w29n51.sys 3211264 bytes (Intel® Corporation, Intel® Wireless LAN Driver)
0xBF0B2000 C:\WINDOWS\System32\ati3duag.dll 2367488 bytes (ATI Technologies Inc. , ati3duag.dll)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2058368 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2058368 bytes
0x804D7000 RAW 2058368 bytes
0x804D7000 WMIxWDM 2058368 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF5DFA000 C:\WINDOWS\system32\DRIVERS\TM_CFW.sys 1798144 bytes (Trend Micro Inc., Trend Micro Common Firewall Module (IM i386-fre))
0xF680C000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 1331200 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)
0xF18BE000 C:\WINDOWS\system32\DRIVERS\vsapint.sys 1327104 bytes (Trend Micro Inc., VsapiNT )
0xF62FA000 C:\WINDOWS\system32\DRIVERS\HSF_DP.sys 1044480 bytes (Conexant Systems, Inc., HSF_DP driver)
0xF6252000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 688128 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xBF2F4000 C:\WINDOWS\System32\ativvaxx.dll 643072 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)
0xF72F4000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF3C1B000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 454656 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF6149000 C:\WINDOWS\system32\DRIVERS\update.sys 364544 bytes (Microsoft Corporation, Update Driver)
0xF3CFF000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 360448 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xF0430000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xF184A000 C:\WINDOWS\system32\DRIVERS\tmxpflt.sys 311296 bytes (Trend Micro Inc., Post Filter For XP)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xF6471000 C:\WINDOWS\system32\drivers\STAC97.sys 274432 bytes (SigmaTel, Inc., SigmaTel Audio Driver (WDM))
0xF098B000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF61FB000 C:\WINDOWS\system32\DRIVERS\iwca.sys 249856 bytes (Intel Corporation, Intel Wireless Connection Agent)
0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 225280 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)
0xBF07D000 C:\WINDOWS\System32\atikvmag.dll 217088 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)
0xBF049000 C:\WINDOWS\System32\ati2cqag.dll 212992 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)
0xF63F9000 C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys 200704 bytes (Conexant Systems, Inc., HSFHWICH WDM driver)
0xF61A2000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 200704 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF74AC000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF72C7000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF0273000 C:\WINDOWS\system32\drivers\tmcomm.sys 184320 bytes (Trend Micro Inc., TrendMicro Common Module)
0xF0A70000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 180224 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xEF8F9000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xF3C8A000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF3CD7000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF741C000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xF644D000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xEF924000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 143360 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF642A000 C:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF67D5000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 143360 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF3CB5000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xF3BFA000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 135168 bytes (Microsoft Corporation, IP Network Address Translator)
0x806CE000 ACPI_HAL 131968 bytes
0x806CE000 C:\WINDOWS\system32\hal.dll 131968 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF73E4000 fltMgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7442000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF7461000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xF747F000 ssidrv.sys 114688 bytes (Webroot Software, Inc. (www.webroot.com), Spy Sweeper Interdiction Driver)
0xF72AC000 Mup.sys 110592 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF6238000 C:\WINDOWS\system32\DRIVERS\Apfiltr.sys 106496 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
0xF17F3000 C:\WINDOWS\system32\dla\tfsnudf.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xF17DA000 C:\WINDOWS\system32\dla\tfsnudfa.sys 102400 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7404000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF3B1A000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7394000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF61E4000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xF180C000 C:\WINDOWS\system32\dla\tfsnifs.sys 90112 bytes (Sonic Solutions, Drive Letter Access Component)
0xF73BD000 drvmcdb.sys 86016 bytes (Sonic Solutions, Device Driver)
0xF13DD000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF67F8000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF3D57000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xF7381000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF73D2000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF73AB000 TPkd.sys 73728 bytes (PACE Anti-Piracy, Inc., InterLok system file)
0xF749B000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF61D3000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF67C4000 C:\WINDOWS\system32\DRIVERS\sdbus.sys 69632 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0xF76AB000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF765B000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF6A94000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF778B000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF762B000 ohci1394.sys 61440 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF77CB000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF165A000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF6AC4000 C:\WINDOWS\system32\DRIVERS\tmtdi.sys 61440 bytes (Trend Micro Inc., Trend Micro TDI Driver (i386-fre))
0xF6B24000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF6AF4000 C:\WINDOWS\system32\Drivers\NEOFLTR_600_13487.SYS 57344 bytes (Juniper Networks, NetBIOS Redirector)
0xF763B000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 53248 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xF77BB000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 53248 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF761B000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF779B000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF77DB000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF769B000 C:\WINDOWS\system32\DRIVERS\tmpreflt.sys 53248 bytes (Trend Micro Inc., Pre-Filter For XP)
0xF75FB000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF77FB000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF777B000 C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys 45056 bytes (Broadcom Corporation, Broadcom Corporation NDIS 5.1 ethernet driver)
0xF77AB000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF75EB000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF77EB000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF76BB000 C:\WINDOWS\system32\drivers\drvnddm.sys 40960 bytes (Sonic Solutions, Device Driver Manager)
0xF782B000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF0863000 C:\WINDOWS\system32\DRIVERS\secdrv.sys 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0xF781B000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF760B000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF6AB4000 C:\WINDOWS\System32\Drivers\Fips.SYS 36864 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF776B000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xF75DB000 isapnp.sys 36864 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF780B000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF6AE4000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF0C9F000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF76DB000 C:\WINDOWS\system32\dla\tfsncofs.sys 36864 bytes (Sonic Solutions, Drive Letter Access Component)
0xF6AA4000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF79BB000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xF78CB000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xF78B3000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF786B000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xF793B000 C:\WINDOWS\system32\dla\tfsnboio.sys 28672 bytes (Sonic Solutions, Drive Letter Access Component)
0xF79B3000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 28672 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF79D3000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xF79CB000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF79C3000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF7863000 ssfs0bbd.sys 24576 bytes (Webroot Software, Inc. (www.webroot.com), Spy Sweeper FileSystem Filter Driver)
0xF78AB000 C:\WINDOWS\system32\drivers\ssrtln.sys 24576 bytes (Sonic Solutions, Shared Driver Component)
0xF78BB000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xF78C3000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF789B000 C:\WINDOWS\system32\DRIVERS\omci.sys 20480 bytes (Dell Inc, OMCI Device Driver)
0xF7873000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF79E3000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF787B000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xF7893000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF785B000 sshrmd.sys 20480 bytes (Webroot Software, Inc. (www.webroot.com), Spy Sweeper Mini Driver)
0xF79DB000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xF79AB000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 20480 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF7903000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF17C6000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 16384 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xF7ACB000 C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS 16384 bytes (Dell Inc, App Support Driver)
0xF79F3000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF726B000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0xF6969000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF1A2A000 C:\WINDOWS\system32\dla\tfsnopio.sys 16384 bytes (Sonic Solutions, Drive Letter Access Component)
0xF79EB000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF79EF000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0xF5DE6000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xF0987000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 12288 bytes (Conexant, Diagnostic Interface DRIVER)
0xF725F000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7AA7000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF17C2000 C:\WINDOWS\system32\DRIVERS\s24trans.sys 12288 bytes (Intel Corporation, Intel WLAN Packet Driver)
0xF7B9B000 C:\WINDOWS\System32\Drivers\ASCTRM.SYS 8192 bytes (Windows ® 2000 DDK provider, TR Manager)
0xF7B55000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xF7B85000 C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys 8192 bytes (Gteko Ltd., Process Trigger Driver)
0xF7B9F000 C:\WINDOWS\system32\DRIVERS\dsunidrv.sys 8192 bytes (Gteko Ltd., GUniDriver)
0xF7B61000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xF7B53000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF7B51000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 8192 bytes (Microsoft Corporation, I2O Utility Filter)
0xF7ADF000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xF7ADB000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7B57000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7B43000 C:\WINDOWS\system32\DRIVERS\portd2k.sys 8192 bytes (CMS Peripherals, Inc., BounceBack Port I/O)
0xF7B59000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7B41000 C:\WINDOWS\system32\drivers\sscdbhk5.sys 8192 bytes (Sonic Solutions, Shared Driver Component)
0xF7B47000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7B05000 C:\WINDOWS\system32\dla\tfsnpool.sys 8192 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7B4D000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF7ADD000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7BFC000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xF7C1B000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7D32000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7BA3000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xF7C0F000 C:\WINDOWS\system32\dla\tfsndrct.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
0xF7C0E000 C:\WINDOWS\system32\dla\tfsndres.sys 4096 bytes (Sonic Solutions, Drive Letter Access Component)
==============================================
>Stealth
==============================================
0x05090000 Hidden Image-->System.ServiceProcess.dll [ EPROCESS 0x862C99E0 ] PID: 3624, 126976 bytes
0x03940000 Hidden Image-->System.XML.dll [ EPROCESS 0x862C99E0 ] PID: 3624, 2060288 bytes
0x04330000 Hidden Image-->System.EnterpriseServices.dll [ EPROCESS 0x862C99E0 ] PID: 3624, 266240 bytes
0x04100000 Hidden Image-->System.Transactions.dll [ EPROCESS 0x862C99E0 ] PID: 3624, 270336 bytes
0x00F70000 Hidden Image-->log4net.dll [ EPROCESS 0x862C99E0 ] PID: 3624, 282624 bytes
0x03B10000 Hidden Image-->SupportSoft.Agent.Sprocket.dll [ EPROCESS 0x86B8A368 ] PID: 656, 28672 bytes
0x03DD0000 Hidden Image-->System.Data.dll [ EPROCESS 0x862C99E0 ] PID: 3624, 2961408 bytes
0x045C0000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x862C99E0 ] PID: 3624, 307200 bytes
0x03320000 Hidden Image-->System.dll [ EPROCESS 0x862C99E0 ] PID: 3624, 3190784 bytes
0x04F00000 Hidden Image-->Intuit.Spc.Map.WindowsFirewallUtilities.dll [ EPROCESS 0x862C99E0 ] PID: 3624, 421888 bytes
0x03160000 Hidden Image-->System.configuration.dll [ EPROCESS 0x862C99E0 ] PID: 3624, 438272 bytes
0x036F0000 Hidden Image-->SupportSoft.Agent.Sprocket.SupportMessage.dll [ EPROCESS 0x86B8A368 ] PID: 656, 45056 bytes
0x04170000 Hidden Image-->Intuit.Spc.Map.Reporter.dll [ EPROCESS 0x862C99E0 ] PID: 3624, 479232 bytes
0x04810000 Hidden Image-->System.Windows.Forms.dll [ EPROCESS 0x862C99E0 ] PID: 3624, 5033984 bytes
0x04DF0000 Hidden Image-->System.Drawing.dll [ EPROCESS 0x862C99E0 ] PID: 3624, 634880 bytes
0x02DA0000 Hidden Image-->sprtmessage.dll [ EPROCESS 0x86B8A368 ] PID: 656, 77824 bytes
0x03CE0000 Hidden Image-->System.Data.SQLite.DLL [ EPROCESS 0x862C99E0 ] PID: 3624, 872448 bytes
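Added example (not part of this thread, and not a Rootkit Unhooker feature): a Python parser for the two report sections requested above, Drivers and Stealth, that produces a short review list instead of 150 raw lines. The sample text is a constructed excerpt of the report posted here; the regexes, the SYSTEM_ROOT assumption (C:\WINDOWS, as in this report) and the triage rules are my own. "Untagged" only means RkU captured no vendor string for that module; on XP the dump_*.sys entries are the kernel's crash-dump copies of the storage stack drivers, so an entry on that list is something to verify against a known-good reference, not a verdict.

```python
"""Parse a Rootkit Unhooker (RkU LE) report and pull out the entries worth a second look."""
import re
from collections import defaultdict

# Constructed sample: a handful of lines taken from the report posted in this thread.
SAMPLE_RKU = r"""
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2058368 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2058368 bytes
0x804D7000 RAW 2058368 bytes
0xF3B1A000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF7B85000 C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys 8192 bytes (Gteko Ltd., Process Trigger Driver)
0xF0C9F000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF7B61000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
==============================================
>Stealth
==============================================
0x05090000 Hidden Image-->System.ServiceProcess.dll [ EPROCESS 0x862C99E0 ] PID: 3624, 126976 bytes
0x03B10000 Hidden Image-->SupportSoft.Agent.Sprocket.dll [ EPROCESS 0x86B8A368 ] PID: 656, 28672 bytes
0x03DD0000 Hidden Image-->System.Data.dll [ EPROCESS 0x862C99E0 ] PID: 3624, 2961408 bytes
"""

# "<base> <path or pseudo-name> <size> bytes [(vendor, description)]"; the tag is optional.
DRIVER_RE = re.compile(r"^(0x[0-9A-Fa-f]+) (.+?) (\d+) bytes(?: \((.*)\))?$")
STEALTH_RE = re.compile(
    r"^(0x[0-9A-Fa-f]+) Hidden Image-->(.+?) \[ EPROCESS (0x[0-9A-Fa-f]+) \] PID: (\d+), (\d+) bytes$"
)
SYSTEM_ROOT = "c:\\windows\\"   # assumption: the XP default, matching the paths in this report


def parse_rku(text):
    """Split a report into its Drivers and Stealth records, keyed by the '>Section' headers."""
    section, drivers, stealth = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(">"):
            section = line[1:].strip().lower()
            continue
        if not line or line.startswith("="):
            continue
        if section == "drivers" and (m := DRIVER_RE.match(line)):
            base, name, size, tag = m.groups()
            drivers.append({"base": int(base, 16), "name": name, "size": int(size), "tag": tag})
        elif section == "stealth" and (m := STEALTH_RE.match(line)):
            base, image, eproc, pid, size = m.groups()
            stealth.append({"base": int(base, 16), "image": image, "eprocess": eproc,
                            "pid": int(pid), "size": int(size)})
    return drivers, stealth


def triage_drivers(drivers):
    """Return modules with no vendor tag and modules loaded from outside the system root."""
    tagged_bases = {d["base"] for d in drivers if d["tag"]}
    untagged, outside_root = [], []
    for d in drivers:
        if not d["tag"]:
            if d["base"] in tagged_bases:
                continue   # pseudo-module alias (PnpManager, RAW) sharing a tagged image's base
            untagged.append(d["name"])
        elif "\\" in d["name"] and not d["name"].lower().startswith(SYSTEM_ROOT):
            outside_root.append(d["name"])
    return {"untagged": untagged, "outside_system_root": outside_root}


def group_stealth(stealth):
    """Group 'Hidden Image' hits by owning PID so one process can be reviewed at a time."""
    by_pid = defaultdict(list)
    for s in stealth:
        by_pid[s["pid"]].append(s["image"])
    return dict(by_pid)


if __name__ == "__main__":
    drv, stl = parse_rku(SAMPLE_RKU)
    print(triage_drivers(drv))
    for pid, images in group_stealth(stl).items():
        print(f"PID {pid}: {len(images)} hidden image(s): {', '.join(images)}")
```

Grouping the Stealth hits by PID is deliberate: all of the posted entries belong to two processes and are managed (.NET) assemblies, so the question to answer is "what are PIDs 3624 and 656", not "what is each DLL".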

#13 Elise

Posted 11 December 2010 - 04:09 AM

Please check your proxy settings.

Click Start > Run, type inetcpl.cpl and press enter.
Click the Connections tab and click the LAN settings button. Make sure that "use a proxy server..." is UNchecked and click OK to exit.

Let me know if you can download now.

regards, Elise


#14 MarJayz (Topic Starter)

Posted 11 December 2010 - 09:12 AM

No action was necessary on LAN settings, "Use a proxy server..." was already UNchecked.

A test download of Adobe Reader was unsuccessful. When I tried a second time to download, the page would not load completely and eventually timed out.

#15 Elise

Posted 11 December 2010 - 09:17 AM

Does browsing work normally (i.e. googling, accessing mail)?

regards, Elise