Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Crypt.XPACK.Gen3 Trojan (gitabiga.dll)


  • This topic is locked This topic is locked
10 replies to this topic

#1 kmj

kmj

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:06 AM

Posted 16 January 2011 - 07:36 PM

Computer runs too slow. Takes an hour to boot up. Took about six hours to complete this post. Ran Avira. It quarantined a lot of infected files, but one keeps coming back. It is C:\Windows\System32\gitabiga.dll. GMER would not run to completion. After a while, a Windows error message popped up saying that Volume Shadow Copy has prevented the program from running, and it shut down. I disabled the Windows Service and ran it again. This time the Windows error message popped up saying that something has prevented the program from running, and it shut down.

Here is a Copy/Paste of my DDS.txt

DDS (Ver_10-12-12.02) - NTFSx86
Run by AZTS5 at 16:48:06.00 on Sun 01/16/2011
Internet Explorer: 8.0.6001.18882

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Windows\system32\lxeacoms.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe
C:\Program Files\Lexmark S300-S400 Series\ezprint.exe
C:\Program Files\WLAN\IEEE 802.11b Wlreless LAN\WlanMonitor.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Windows\system32\WerCon.exe
C:\Users\AZTS5\Desktop\dds.scr
C:\Windows\system32\lpremove.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\lpksetup.exe
C:\Windows\system32\RacAgent.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSEARCH PAGE = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
uRun: [????r]
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [lxeamon.exe] "c:\program files\lexmark s300-s400 series\lxeamon.exe"
mRun: [EzPrint] "c:\program files\lexmark s300-s400 series\ezprint.exe"
mPolicies-system: EnableLUA = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: mdlp.org
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://www.mdlp.org/diagnostic/awswax70.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
AppInit_DLLs: gudasene.dll
LSA: Notification Packages = scecli gitabiga.dll

============= SERVICES / DRIVERS ===============

R? SMSCIRDA;SMSC Infrared Device Driver
R? SYMNDISV;SYMNDISV
S? AntiVirSchedulerService;Avira AntiVir Scheduler
S? AntiVirService;Avira AntiVir Guard
S? avgntflt;avgntflt
S? bckd;bckd
S? bckwfs;Blue Coat K9 Web Protection
S? EraserUtilRebootDrv;EraserUtilRebootDrv
S? IDSvix86;Symantec Intrusion Prevention Driver
S? lxea_device;lxea_device
S? WSDPrintDevice;WSD Print Support via UMB

=============== Created Last 30 ================

2011-01-16 22:26:47 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{b245f482-023b-4dd3-bec2-315fa4574102}\mpengine.dll
2011-01-13 01:26:55 -------- d-----w- c:\program files\MDLP Tools
2011-01-05 21:39:38 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-01-05 21:38:58 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-05 05:54:37 -------- d-----w- c:\progra~2\Lx_cats
2011-01-05 05:12:03 -------- d-----w- c:\progra~2\Ezprint
2011-01-05 03:58:51 157696 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\lxeadrpp.dll
2011-01-05 03:43:12 40960 ----a-w- c:\windows\system32\lxeavs.dll
2011-01-05 03:43:02 438272 ----a-w- c:\windows\system32\lxeacoin.dll
2011-01-05 03:42:39 983121 ----a-w- c:\windows\system32\lxk_gf.dll
2011-01-05 03:42:38 86016 ----a-w- c:\windows\system32\lxeagcfg.dll
2011-01-05 03:42:35 294912 ----a-w- c:\windows\system32\lxeacui.dll
2011-01-05 03:42:35 110592 ----a-w- c:\windows\system32\lxeacuir.dll
2011-01-05 03:35:52 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2011-01-05 03:33:30 372736 ----a-w- c:\windows\system32\LXEAwupd.dll
2011-01-05 03:33:30 213672 ----a-w- c:\windows\system32\LXEAwupd.exe
2011-01-05 03:31:01 -------- d-----w- c:\program files\Lexmark
2011-01-05 03:29:45 -------- d-----w- c:\program files\Lexmark Toolbar
2011-01-05 03:28:52 -------- d-----w- c:\program files\Lexmark Printable Web
2011-01-05 03:09:41 -------- d-----w- c:\program files\Lexmark S300-S400 Series
2011-01-05 03:09:40 299008 ----a-w- c:\windows\system32\LXEAsm.dll
2011-01-05 03:09:40 23552 ----a-w- c:\windows\system32\LXEAsmr.dll
2011-01-03 04:30:38 420352 ----a-w- c:\windows\system32\vbscript.dll
2011-01-03 04:13:11 62464 ----a-w- c:\windows\system32\l3codeca.acm
2011-01-03 04:13:11 220672 ----a-w- c:\windows\system32\l3codecp.acm

==================== Find3M ====================


============= FINISH: 16:54:12.36 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:06 AM

Posted 20 January 2011 - 03:40 PM

Hello and welcome. I apologize for the delay. If you no longer need help with this issue, we would appreciate you letting us know. Otherwise, please perform the following steps so I can have a look at the current condition of your machine. I realize that you have already posted logs, but because of the time that has passed I'd like a fresh set.

Posted Image Please download DDS by sUBs from one of the following links and save it to your desktop.

DDS.scr
DDS.com
DDS.pif
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scroling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.
Posted Image Please download Rootkit Unhooker and save it on your desktop.
  • Disable your security programs
  • Double click RKUnhookerLE.exe to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Copy the entire contents of the report and paste it in your next reply.
Note - You may get this warning it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Please include the following in your next post:
  • DDS.txt and Attach.txt logs
  • Rootkit Unhooker log

Edited by RPMcMurphy, 20 January 2011 - 03:44 PM.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#3 kmj

kmj
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:06 AM

Posted 23 January 2011 - 07:08 PM

Sorry for delay. Thanks for taking on this challenge. Here is what you requested. I await your reply.Attached File  Attach.txt   5.34KB   0 downloads


DDS (Ver_10-12-12.02) - NTFSx86
Run by AZTS5 at 15:57:01.77 on Sun 01/23/2011
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.446.126 [GMT -7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe
C:\Program Files\Lexmark S300-S400 Series\ezprint.exe
C:\Program Files\WLAN\IEEE 802.11b Wlreless LAN\WlanMonitor.exe
C:\Program Files\Blue Coat K9 Web Protection\k9filter.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\lxeacoms.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\program files\avira\antivir desktop\avcenter.exe
C:\Users\AZTS5\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSEARCH PAGE = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
uRun: [????r]
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [lxeamon.exe] "c:\program files\lexmark s300-s400 series\lxeamon.exe"
mRun: [EzPrint] "c:\program files\lexmark s300-s400 series\ezprint.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ieee80~1.lnk - c:\program files\wlan\ieee 802.11b wlreless lan\WlanMonitor.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: mdlp.org
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
AppInit_DLLs: gudasene.dll
LSA: Notification Packages = scecli gitabiga.dll

============= SERVICES / DRIVERS ===============

R1 bckd;bckd;c:\windows\system32\drivers\bckd.sys [2009-12-11 74088]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20070813.001\IDSvix86.sys [2007-8-15 212280]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-7-10 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-7-10 267944]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-7-10 61960]
R2 bckwfs;Blue Coat K9 Web Protection;c:\program files\blue coat k9 web protection\k9filter.exe [2009-12-11 1078632]
R3 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe -service --> c:\windows\system32\lxeacoms.exe -service [?]
S3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\drivers\smscirda.sys [2007-1-22 31232]
S3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2006-11-20 37008]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2006-11-2 16896]

=============== Created Last 30 ================

2011-01-22 01:39:25 5890896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{b26c0491-9c62-4b42-832d-74eb0ea0d6ba}\mpengine.dll
2011-01-17 02:08:28 -------- d-----w- C:\e0d46ea3875b87a486
2011-01-13 01:26:55 -------- d-----w- c:\program files\MDLP Tools
2011-01-05 21:39:38 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\backup\mpengine.dll
2011-01-05 21:38:58 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-05 05:54:37 -------- d-----w- c:\progra~2\Lx_cats
2011-01-05 05:12:03 -------- d-----w- c:\progra~2\Ezprint
2011-01-05 03:58:51 157696 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\lxeadrpp.dll
2011-01-05 03:43:12 40960 ----a-w- c:\windows\system32\lxeavs.dll
2011-01-05 03:42:39 983121 ----a-w- c:\windows\system32\lxk_gf.dll
2011-01-05 03:42:38 86016 ----a-w- c:\windows\system32\lxeagcfg.dll
2011-01-05 03:42:35 294912 ----a-w- c:\windows\system32\lxeacui.dll
2011-01-05 03:42:35 110592 ----a-w- c:\windows\system32\lxeacuir.dll
2011-01-05 03:35:52 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2011-01-05 03:33:30 372736 ----a-w- c:\windows\system32\LXEAwupd.dll
2011-01-05 03:33:30 213672 ----a-w- c:\windows\system32\LXEAwupd.exe
2011-01-05 03:31:01 -------- d-----w- c:\program files\Lexmark
2011-01-05 03:29:45 -------- d-----w- c:\program files\Lexmark Toolbar
2011-01-05 03:28:52 -------- d-----w- c:\program files\Lexmark Printable Web
2011-01-05 03:09:41 -------- d-----w- c:\program files\Lexmark S300-S400 Series
2011-01-05 03:09:40 299008 ----a-w- c:\windows\system32\LXEAsm.dll
2011-01-05 03:09:40 23552 ----a-w- c:\windows\system32\LXEAsmr.dll
2011-01-03 04:30:38 420352 ----a-w- c:\windows\system32\vbscript.dll
2011-01-03 04:13:11 62464 ----a-w- c:\windows\system32\l3codeca.acm
2011-01-03 04:13:11 220672 ----a-w- c:\windows\system32\l3codecp.acm

==================== Find3M ====================


============= FINISH: 15:59:14.37 ===============




RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6000
Number of processors #1
==============================================
>Drivers
==============================================
0x88655000 C:\Windows\system32\DRIVERS\atikmdag.sys 5943296 bytes (ATI Technologies Inc., ATI Radeon Kernel Mode Driver)
0x82000000 C:\Windows\system32\ntkrnlpa.exe 3805184 bytes (Microsoft Corporation, NT Kernel & System)
0x82000000 PnpManager 3805184 bytes
0x82000000 RAW 3805184 bytes
0x82000000 WMIxWDM 3805184 bytes
0x8DF61000 C:\Windows\system32\drivers\RTKVHDA.sys 3108864 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0x96C00000 Win32k 2097152 bytes
0x96C00000 C:\Windows\System32\win32k.sys 2097152 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x840BF000 C:\Windows\System32\Drivers\Ntfs.sys 1081344 bytes (Microsoft Corporation, NT File System Driver)
0x83E2C000 C:\Windows\system32\drivers\ndis.sys 1064960 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x8DE5E000 C:\Windows\system32\DRIVERS\HSX_DPV.sys 1060864 bytes (Conexant Systems, Inc., HSF_DP driver)
0x8071F000 C:\Windows\system32\CI.dll 921600 bytes (Microsoft Corporation, Code Integrity Module)
0x8FEF5000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x8EA10000 C:\Windows\System32\drivers\tcpip.sys 856064 bytes (Microsoft Corporation, TCP/IP Driver)
0x8D23E000 C:\Windows\system32\DRIVERS\HSX_CNXT.sys 737280 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0x8900A000 C:\Windows\System32\drivers\dxgkrnl.sys 643072 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8EF15000 C:\Windows\system32\drivers\spsys.sys 581632 bytes (Microsoft Corporation, security processor)
0x89104000 C:\Windows\system32\DRIVERS\bcmwl6.sys 548864 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
0x806A4000 C:\Windows\system32\drivers\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
0x84055000 C:\Windows\System32\Drivers\ksecdd.sys 434176 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x8EEAF000 C:\Windows\system32\drivers\HTTP.sys 417792 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x884D5000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 405504 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0x971B0000 C:\Windows\System32\ATMFD.DLL 311296 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x8F2D9000 C:\Windows\System32\DRIVERS\srv.sys 311296 bytes (Microsoft Corporation, Server driver)
0x83FB6000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x87F44000 C:\Windows\system32\drivers\afd.sys 290816 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x8042A000 C:\Windows\system32\drivers\acpi.sys 274432 bytes (Microsoft Corporation, ACPI Driver for NT)
0x87EF0000 C:\Windows\system32\DRIVERS\storport.sys 262144 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x880DB000 C:\Windows\system32\DRIVERS\HSXHWAZL.sys 249856 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0x88618000 C:\Windows\system32\DRIVERS\USBPORT.SYS 249856 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x8047A000 C:\Windows\system32\CLFS.SYS 241664 bytes (Microsoft Corporation, Common Log File System Driver)
0x8819B000 C:\Windows\system32\DRIVERS\rdbss.sys 241664 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x8F129000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 233472 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x841C7000 C:\Windows\system32\drivers\NETIO.SYS 233472 bytes (Microsoft Corporation, Network I/O Subsystem)
0x88165000 C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20070813.001\IDSvix86.sys 221184 bytes (Symantec Corporation, IDS Core Driver)
0x8401F000 C:\Windows\system32\drivers\volsnap.sys 221184 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x823A1000 ACPI_HAL 212992 bytes
0x823A1000 C:\Windows\system32\hal.dll 212992 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x885BA000 C:\Windows\system32\DRIVERS\usbhub.sys 212992 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x87FF0000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x83F49000 C:\Windows\system32\drivers\fltmgr.sys 200704 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x852F3000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x880AF000 C:\Windows\System32\Drivers\SYMTDI.SYS 180224 bytes (Symantec Corporation, Network Dispatch Driver)
0x87E05000 C:\Windows\system32\DRIVERS\msiscsi.sys 176128 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x83E01000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x8D6F5000 C:\Windows\system32\DRIVERS\nwifi.sys 176128 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x87CFC000 C:\Windows\system32\DRIVERS\SynTP.sys 176128 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0x885EE000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0x8062D000 C:\Windows\system32\DRIVERS\pcmcia.sys 172032 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0x890DE000 C:\Windows\system32\DRIVERS\avipbb.sys 155648 bytes (Avira GmbH, Avira Driver for Security Enhancement)
0x83F7A000 C:\Windows\system32\DRIVERS\SCSIPORT.SYS 155648 bytes (Microsoft Corporation, SCSI Port Driver)
0x84D0D000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x843B4000 C:\Windows\System32\drivers\ecache.sys 151552 bytes (Microsoft Corporation, Special Memory Device Cache)
0x8067F000 C:\Windows\system32\drivers\pci.sys 151552 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x8F325000 C:\Windows\System32\DRIVERS\srv2.sys 147456 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x88400000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x8808C000 C:\Windows\system32\Drivers\SYMEVENT.SYS 143360 bytes (Symantec Corporation, Symantec Event Library)
0x84382000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0x87DE4000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x8EE8F000 C:\Windows\system32\drivers\mrxdav.sys 131072 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0x80607000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x8D6B6000 C:\Windows\system32\DRIVERS\irda.sys 122880 bytes (Microsoft Corporation, IRDA Protocol Driver)
0x8DE00000 C:\Windows\system32\DRIVERS\mrxsmb.sys 122880 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x8D316000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x8D958000 C:\Windows\System32\DRIVERS\srvnet.sys 110592 bytes (Microsoft Corporation, Server Network driver)
0x8D93F000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x852C6000 C:\Windows\System32\drivers\fwpkclnt.sys 102400 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x87C3C000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x87CE4000 C:\Windows\system32\DRIVERS\sdbus.sys 98304 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0x88448000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Client MUP Surrogate Driver)
0x87CBA000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x8D91A000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x85263000 C:\Windows\System32\Drivers\dump_SI3112.sys 90112 bytes
0x87D3B000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x83FA0000 C:\Windows\system32\DRIVERS\SI3112.sys 90112 bytes (Silicon Image, Inc, Serial ATA miniport driver)
0x88433000 C:\Windows\system32\DRIVERS\avgntflt.sys 86016 bytes (Avira GmbH, Avira Minifilter Driver)
0x87C64000 C:\Windows\system32\drivers\bckd.sys 86016 bytes (Blue Coat Systems, Inc., Blue Coat Web Filter driver)
0x84CE5000 C:\Windows\system32\DRIVERS\tdx.sys 86016 bytes (Microsoft Corporation, TDI Translation Driver)
0x8D7DB000 C:\Windows\System32\drivers\mpsdrv.sys 81920 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x85352000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x87CD1000 C:\Windows\system32\DRIVERS\ESM7SK.sys 77824 bytes (ENE Technology Inc., ENE PCI SmartMedia / XD Card Reader Driver)
0x87D27000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
0x87D51000 C:\Windows\system32\DRIVERS\raspptp.sys 77824 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x8D7EF000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x87E31000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x87C94000 C:\Windows\system32\DRIVERS\HDAudBus.sys 73728 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x87D91000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 73728 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x84005000 C:\Windows\system32\drivers\psdvdisk.sys 73728 bytes (HiTRUST, PSD Virtual Disk Driver)
0x843A3000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x87C25000 C:\Acer\Empowering Technology\eRecovery\int15.sys 69632 bytes
0x85340000 C:\Windows\system32\DRIVERS\EMS7SK.sys 65536 bytes (ENE Technology Inc., ENE PCI Memory Stick Card Reader Driver)
0x83F39000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x8E278000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x80665000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x852B0000 C:\Windows\System32\Drivers\NDProxy.SYS 65536 bytes (Microsoft Corporation, NDIS Proxy)
0x88423000 C:\Windows\system32\DRIVERS\amdk8.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
0x8E8F1000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x843D9000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x843E8000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x8846E000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x8845F000 C:\Windows\system32\DRIVERS\Rtnicxp.sys 61440 bytes (Realtek Semiconductor Corporation , Realtek 10/100 NDIS 5.1 Driver )
0x8847D000 C:\Windows\system32\DRIVERS\termdd.sys 61440 bytes (Microsoft Corporation, Terminal Server Driver)
0x8040A000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x97010000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x8E358000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8859A000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x80657000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x87ED6000 C:\Windows\system32\DRIVERS\usbehci.sys 57344 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x8EDBF000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x8ED98000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
0x87FA5000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x87F8B000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x8046D000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0x8F71C000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8804C000 C:\Windows\system32\DRIVERS\ESD7SK.sys 45056 bytes (ENE Technology Inc., ENE PCI Secure Digital / MMC Card Reader Driver)
0x88036000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0x88041000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
0x8EB23000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x88062000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8EB39000 C:\Windows\System32\drivers\tcpipreg.sys 45056 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x88057000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x87C79000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x80675000 C:\Windows\system32\DRIVERS\BATTC.SYS 40960 bytes (Microsoft Corporation, Battery Class Driver)
0x87E58000 C:\Windows\system32\DRIVERS\DKbFltr.sys 40960 bytes (Dritek System Inc., Dritek PS2 Keyboard Filter Driver)
0x87EA8000 C:\Windows\System32\Drivers\dump_diskdump.sys 40960 bytes
0x8E76E000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x87E62000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x8E728000 C:\Windows\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x87E94000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x8E782000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x87E44000 C:\Windows\system32\DRIVERS\usbohci.sys 40960 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0x84371000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x8FA59000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x87DD0000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x83F30000 C:\Windows\system32\DRIVERS\psdfilter.sys 36864 bytes (HiTRUST, PSD Filter Driver)
0x843F7000 C:\Windows\system32\drivers\PSDNServ.sys 36864 bytes (HiTRUST, PSD Named Pipe Driver)
0x804BD000 C:\Windows\system32\PSHED.dll 36864 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x8FA74000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x97000000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x87D6D000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x87D7F000 C:\Windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0x80421000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x80625000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x8437A000 C:\Windows\system32\DRIVERS\AtiPcie.sys 32768 bytes (ATI Technologies Inc., ATI PCIE Driver for ATI PCIE chipset)
0x804B5000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x804C6000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x80419000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x8F349000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8F351000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x84017000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x8E7CE000 C:\Windows\system32\DRIVERS\xaudio.sys 32768 bytes (Conexant Systems, Inc., Modem Audio Device Driver)
0x8F683000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x8F6A6000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x881DD000 C:\Users\AZTS5\AppData\Local\Temp\mbr.sys 28672 bytes
0x8F6AD000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x80400000 C:\Windows\system32\drivers\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x84C65000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0x84CB3000 C:\Windows\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)
0x853D8000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0x8FC73000 C:\PROGRA~1\LAUNCH~1\DPortIO.sys 16384 bytes (Dritek System Inc., General Port I/O)
0x8F2B1000 C:\Windows\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)
0x80603000 C:\Windows\system32\DRIVERS\SiWinAcc.sys 16384 bytes (Silicon Image, Inc, Windows Accelerator Driver)
0x80407000 C:\Windows\system32\DRIVERS\compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0x852A6000 C:\Windows\system32\DRIVERS\NTIDrvr.sys 8192 bytes (NewTech Infosystems, Inc., NTI CD-ROM Filter Driver)
0x87CA8000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x852AC000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
==============================================
>Stealth
==============================================
==============================================
>Files
==============================================
!-->[Hidden] C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.ci
!-->[Hidden] C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.dir
!-->[Hidden] C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ET6YXY2\exclamation[1].png
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ET6YXY2\icon11[1].gif
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ET6YXY2\icon12[1].gif
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ET6YXY2\icon13[1].gif
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ET6YXY2\icon14[1].gif
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ET6YXY2\index[1].php
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5ET6YXY2\index[2].htm
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\914KHWTZ\envid-origin%7Curi-_channel_videogames%7Ctag-adj%7Cmtype-standard%7Csz-6x6%7Ctile-1%7Cdemo-D%7Cdemo-T%7Cdemo-2910%7Cdemo-2905%7Cdemo-2904%7Cdemo-1607%7Cdemo-848;[1]p
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\914KHWTZ\uri-_channel_videogames%7Ctag-adj%7Cmtype-standard%7Csz-728x90%7Ctile-2%7Cdemo-D%7Cdemo-T%7Cdemo-2910%7Cdemo-2905%7Cdemo-2904%7Cdemo-1607%7Cdemo-848%7Cdcopt-ist;[1]p
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LSPBSSM8\icon1[1].gif
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LSPBSSM8\icon2[1].gif
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LSPBSSM8\topic373831[1].html
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LSPBSSM8\topic_button_right_hover[1].png
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QIHCD2L9\icon10[1].gif
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QIHCD2L9\icon3[1].gif
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QIHCD2L9\icon4[1].gif
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QIHCD2L9\icon5[1].gif
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QIHCD2L9\icon8[1].gif
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QIHCD2L9\icon9[1].gif
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QIHCD2L9\topic_button_left_hover[1].png
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W1FKXYB2\add[1].png
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W1FKXYB2\icon6[1].gif
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W1FKXYB2\icon7[1].gif
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W1FKXYB2\index[1].htm
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W1FKXYB2\twitter[1].png
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Temp\~DF17A7.tmp::$DATA
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Temp\~DFA257.tmp::$DATA
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Temp\~DFED7.tmp::$DATA
!-->[Hidden] C:\Users\AZTS5\AppData\Local\Temp\~DFF405.tmp::$DATA
!-->[Hidden] C:\Users\AZTS5\AppData\Roaming\Microsoft\Windows\Cookies\azts5@bleepingcomputer[2].txt
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0009135E, Type: Inline - RelativeJump 0x8209135E-->82091365 [ntkrnlpa.exe]
[2972]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x75A585F8-->00000000 [ieframe.dll]
[2972]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x75A929C9-->00000000 [ieframe.dll]
[2972]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x75A514EA-->00000000 [ieframe.dll]
[2972]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x75A665BF-->00000000 [ieframe.dll]
[2972]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x75A7129F-->00000000 [ieframe.dll]
[2972]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x75A6570D-->00000000 [ieframe.dll]
[2972]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x75A9FBC9-->00000000 [ieframe.dll]
[2972]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x75A9FACF-->00000000 [ieframe.dll]
[2972]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x75A6F1B3-->00000000 [ieframe.dll]
[3808]iexplore.exe-->user32.dll-->CallNextHookEx, Type: Inline - RelativeJump 0x75A48A6E-->00000000 [ieframe.dll]
[3808]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump 0x75A585F8-->00000000 [ieframe.dll]
[3808]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump 0x75A929C9-->00000000 [ieframe.dll]
[3808]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump 0x75A514EA-->00000000 [ieframe.dll]
[3808]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump 0x75A665BF-->00000000 [ieframe.dll]
[3808]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x75A7129F-->00000000 [ieframe.dll]
[3808]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump 0x75A6570D-->00000000 [ieframe.dll]
[3808]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump 0x75A9FBC9-->00000000 [ieframe.dll]
[3808]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump 0x75A9FACF-->00000000 [ieframe.dll]
[3808]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump 0x75A6F1B3-->00000000 [ieframe.dll]
[3808]iexplore.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump 0x75A4913D-->00000000 [ieframe.dll]
[3808]iexplore.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump 0x75A47CE7-->00000000 [ieframe.dll]

#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:06 AM

Posted 23 January 2011 - 07:49 PM

kmj:

Posted Image Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • If you have trouble, stop and post back. Do not try to repeatedly run comboFix!
  • When finished, it will produce a report for you.
.
Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#5 kmj

kmj
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:06 AM

Posted 26 January 2011 - 10:39 PM

Combo fix ran to completion, However, when it rebooted my antivirus and spyware remover auto started. They were shut down for the initial running, but restarted at boot up. I wasn't sure if it disrupted the completion of Combofix.Attached File  ComboFix.txt   12.45KB   1 downloads

#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:06 AM

Posted 27 January 2011 - 10:18 PM

kmj:

Posted Image Open Notepad Go to Start> All Programs> Accessories> Notepad ( this will only work with Notepad ) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above DDS::

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\?????????]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lebipidaye]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lidakezow]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxpdvbhj]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svchost]

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Posted Image You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Please include the following in your next post:
  • ComboFix log
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#7 kmj

kmj
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:06 AM

Posted 29 January 2011 - 12:57 AM

Attached is the ComboFix log, but I did not find any program called MBAM.

Attached Files



#8 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:06 AM

Posted 29 January 2011 - 01:05 AM

kmj:

The MBAM instructions were my error, sorry. Try this:

Posted Image Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Be sure that everything else is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the results.
Please include the following in your next post:
  • MBAM log
  • How is the computer running now

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#9 kmj

kmj
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:08:06 AM

Posted 30 January 2011 - 12:10 AM

Attached is the MBAM log. I am still experiencing extremely slow response time. When I click a program icon, it takes about 5 seconds before it begins launching. Then it can take several minutes before the program is open. Booting up takes nearly 10 minutes. Could I have lost some system files due to the virus?

Attached Files



#10 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:06 AM

Posted 30 January 2011 - 07:59 PM

kmj:

Open notepad and copy/paste the text in the quotebox below into it:

@echo off
regedit.exe /e "%userprofile%\Desktop\look.txt" "[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"
Notepad.exe %userprofile%\Desktop\look.txt
Del %0


Save this as peek.bat Choose to "Save type as - All Files"
It should look like this: Posted Image
Double click on peek.bat & allow it to run. A notepad file (look.txt) will open. Attach that file to your next reply, please.

Posted Image Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
Please include the following in your next post:
  • Attach the look.txt file
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#11 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:06 AM

Posted 05 February 2011 - 11:13 AM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users