Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Persistent Virus, Rootkit Suspected


  • This topic is locked This topic is locked
2 replies to this topic

#1 Tsetra

Tsetra

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 09 September 2011 - 11:30 PM

First, the machine and its issues:
AMD Athlon 64 X2 Dual 2.10Ghz
1 gig RAM
On board everything else
Windows XP SP2

Second, the problem:
A virus that will not kick rocks already. It shuts down scans and prevents me from unhiding my files. Afterwards, it will prevent me from being able to do anything with the file at all. Nothing I do can fix the registry so it seems to keep changing it if I try. I can scan in safe-mode but the files seem to evade all attempts, I have used several scanners now to include Malware Bytes, SuperAntiSpyware, SpyBot, and more. RKill even gets shut down if I try to use it. It's like it seems to "know" when something can potentially detect and remove it.

Following the advice in a topic I found prior to signing up, I ran a couple scans of my system using RootRepeal and Win32kDiagnostics.

The Win32k log is as follows:

Running from: C:\Documents and Settings\[NAME]\My Documents\Downloads\Win32kDiag.exe

Log file at : C:\Documents and Settings\[NAME]\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Cannot access: C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini

[1] 2011-09-09 20:56:08 25600 C:\WINDOWS\assembly\GAC_MSIL\Desktop.ini ()

[1] 2004-08-04 05:00:00 2 C:\WINDOWS\desktop.ini ()

[1] 2010-12-09 17:48:27 65 C:\WINDOWS\Downloaded Program Files\desktop.ini ()

[1] 2010-12-09 17:48:58 67 C:\WINDOWS\Fonts\desktop.ini ()

[1] 2010-12-09 17:48:27 65 C:\WINDOWS\Offline Web Pages\desktop.ini ()

[1] 2010-12-09 09:40:02 62 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini ()

[1] 2010-12-09 09:40:02 62 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini ()

[1] 2010-12-09 17:52:22 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini ()

[1] 2010-12-09 17:52:22 113 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini ()

[1] 2010-12-09 17:52:22 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\89MZCPQ3\desktop.ini ()

[1] 2010-12-09 17:52:22 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C1Q345UJ\desktop.ini ()

[1] 2010-12-09 17:52:22 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\CDQRGTU7\desktop.ini ()

[1] 2010-12-09 17:52:22 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ()

[1] 2010-12-09 17:52:22 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GTUJW9AZ\desktop.ini ()

[1] 2010-12-09 17:52:22 67 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini ()

[1] 2010-12-09 17:48:29 181 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini ()

[1] 2010-12-09 09:40:02 62 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini ()

[1] 2010-12-09 17:49:23 348 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini ()

[1] 2010-12-09 17:49:23 482 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini ()

[1] 2010-12-09 17:49:23 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini ()

[1] 2010-12-09 17:49:23 148 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini ()

[1] 2010-12-09 17:49:23 84 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini ()

[1] 2004-08-04 05:00:00 2 C:\WINDOWS\system32\desktop.ini ()

[1] 2004-08-04 05:00:00 65 C:\WINDOWS\Tasks\desktop.ini ()

Finished!

And here is the RootRepeal log:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2011/09/09 21:25
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP SP2
==================================================

Drivers
-------------------
Name: 00000674
Image Path: \Driver\00000674
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xF74B7000	Size: 53248	File Visible: -	Signed: -
Status: -

Name: 4153024736
Image Path: \driver\4153024736
Address: 0xF7667000	Size: 45056	File Visible: No	Signed: -
Status: Hidden from the Windows API!

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF7358000	Size: 187776	File Visible: -	Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000	Size: 2142208	File Visible: -	Signed: -
Status: -

Name: AegisP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AegisP.sys
Address: 0xF77F7000	Size: 19296	File Visible: -	Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xF3D4A000	Size: 138496	File Visible: -	Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF72EA000	Size: 95360	File Visible: -	Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF7B3E000	Size: 3072	File Visible: -	Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF79A9000	Size: 4224	File Visible: -	Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7897000	Size: 12288	File Visible: -	Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF76B7000	Size: 63744	File Visible: -	Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF7567000	Size: 49536	File Visible: -	Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF74F7000	Size: 53248	File Visible: -	Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF74E7000	Size: 36352	File Visible: -	Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF7302000	Size: 153344	File Visible: -	Signed: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF798B000	Size: 5888	File Visible: -	Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF75D7000	Size: 61440	File Visible: -	Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3B38000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79B9000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xF3E95000	Size: 12288	File Visible: -	Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C1000	Size: 73728	File Visible: -	Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7B99000	Size: 4096	File Visible: -	Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF7697000	Size: 34944	File Visible: -	Signed: -
Status: -

Name: fltMgr.sys
Image Path: fltMgr.sys
Address: 0xF72CB000	Size: 124800	File Visible: -	Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF79A5000	Size: 7936	File Visible: -	Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF7328000	Size: 125056	File Visible: -	Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806E2000	Size: 134400	File Visible: -	Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xF6A66000	Size: 151552	File Visible: -	Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF64B5000	Size: 36864	File Visible: -	Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF780F000	Size: 28672	File Visible: -	Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xF3EA5000	Size: 9600	File Visible: -	Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xBA48B000	Size: 263040	File Visible: -	Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xF7547000	Size: 52736	File Visible: -	Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF7557000	Size: 41856	File Visible: -	Signed: -
Status: -

Name: ipfltdrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
Address: 0xBA3E3000	Size: 32896	File Visible: -	Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xF3D6C000	Size: 134912	File Visible: -	Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xF3E35000	Size: 77824	File Visible: -	Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xF7607000	Size: 53248	File Visible: -	Signed: -
Status: Hidden from the Windows API!

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF7497000	Size: 35840	File Visible: -	Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF7757000	Size: 24576	File Visible: -	Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7987000	Size: 8192	File Visible: -	Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xB9FBB000	Size: 171776	File Visible: -	Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF6A8B000	Size: 143360	File Visible: -	Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF72A2000	Size: 92032	File Visible: -	Signed: -
Status: -

Name: mbam.sys
Image Path: C:\WINDOWS\system32\drivers\mbam.sys
Address: 0xBA85C000	Size: 14208	File Visible: -	Signed: -
Status: -

Name: mbamswissarmy.sys
Image Path: C:\WINDOWS\system32\drivers\mbamswissarmy.sys
Address: 0xF77EF000	Size: 32768	File Visible: -	Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF79AD000	Size: 4224	File Visible: -	Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF77C7000	Size: 23040	File Visible: -	Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xF3E9D000	Size: 12160	File Visible: -	Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF74C7000	Size: 42240	File Visible: -	Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xBAD2B000	Size: 181248	File Visible: -	Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xF3C8D000	Size: 451456	File Visible: -	Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF782F000	Size: 19072	File Visible: -	Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF75B7000	Size: 35072	File Visible: -	Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF795F000	Size: 15488	File Visible: -	Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF71CD000	Size: 107904	File Visible: -	Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF71E8000	Size: 182912	File Visible: -	Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF793B000	Size: 9600	File Visible: -	Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xBAF84000	Size: 12928	File Visible: -	Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF6A4F000	Size: 91776	File Visible: -	Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF75E7000	Size: 38016	File Visible: -	Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF7687000	Size: 34560	File Visible: -	Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xF3D8D000	Size: 162816	File Visible: -	Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF783F000	Size: 30848	File Visible: -	Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7215000	Size: 574592	File Visible: -	Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000	Size: 2142208	File Visible: -	Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7A93000	Size: 2944	File Visible: -	Signed: -
Status: -

Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF9D3000	Size: 5783552	File Visible: -	Signed: -
Status: -

Name: nv4_mini.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xF6AE5000	Size: 6854464	File Visible: -	Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF74A7000	Size: 61056	File Visible: -	Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF770F000	Size: 18688	File Visible: -	Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF7347000	Size: 68224	File Visible: -	Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7A4F000	Size: 3328	File Visible: -	Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF7707000	Size: 28672	File Visible: -	Signed: -
Status: -

Name: pfc.sys
Image Path: C:\WINDOWS\system32\drivers\pfc.sys
Address: 0xF792F000	Size: 10368	File Visible: -	Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000	Size: 2142208	File Visible: -	Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xF6505000	Size: 139264	File Visible: -	Signed: -
Status: -

Name: processr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\processr.sys
Address: 0xF7537000	Size: 35328	File Visible: -	Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF6A3E000	Size: 69120	File Visible: -	Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF77AF000	Size: 17792	File Visible: -	Signed: -
Status: -

Name: qjuh.sys
Image Path: qjuh.sys
Address: 0xF7487000	Size: 54016	File Visible: No	Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF7937000	Size: 8832	File Visible: -	Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF7587000	Size: 51328	File Visible: -	Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF7597000	Size: 41472	File Visible: -	Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF75A7000	Size: 48384	File Visible: -	Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF77BF000	Size: 16512	File Visible: -	Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000	Size: 2142208	File Visible: -	Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xF3CFC000	Size: 176512	File Visible: -	Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF79B1000	Size: 4224	File Visible: -	Signed: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xF6A0D000	Size: 196864	File Visible: -	Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF7577000	Size: 57472	File Visible: -	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA05F000	Size: 49152	File Visible: No	Signed: -
Status: -

Name: rt73.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rt73.sys
Address: 0xF3B50000	Size: 476544	File Visible: -	Signed: -
Status: -

Name: RtkHDAud.sys
Image Path: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Address: 0xF6527000	Size: 4759552	File Visible: -	Signed: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xF7797000	Size: 24576	File Visible: -	Signed: -
Status: -

Name: SASKUTIL.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
Address: 0xF3D28000	Size: 139264	File Visible: -	Signed: -
Status: -

Name: Scutum50.sys
Image Path: C:\WINDOWS\System32\Drivers\Scutum50.sys
Address: 0xF7807000	Size: 19072	File Visible: -	Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF72B9000	Size: 73472	File Visible: -	Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xBAA30000	Size: 336256	File Visible: -	Signed: -
Status: -

Name: StyleXPHelper.exe
Image Path: C:\Program Files\TGTSoft\StyleXP\StyleXPHelper.exe
Address: 0xF778F000	Size: 19456	File Visible: -	Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF7997000	Size: 4352	File Visible: -	Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xBA8A0000	Size: 60800	File Visible: -	Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xF3DB5000	Size: 359040	File Visible: -	Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF779F000	Size: 20480	File Visible: -	Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF75C7000	Size: 40704	File Visible: -	Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF69B1000	Size: 209408	File Visible: -	Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF79A1000	Size: 8192	File Visible: -	Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF776F000	Size: 26624	File Visible: -	Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF75F7000	Size: 57600	File Visible: -	Signed: -
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xF7767000	Size: 17024	File Visible: -	Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF6AAE000	Size: 143360	File Visible: -	Signed: -
Status: -

Name: USBSTOR.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xF77E7000	Size: 26496	File Visible: -	Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF781F000	Size: 20992	File Visible: -	Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF6AD1000	Size: 81920	File Visible: -	Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF74D7000	Size: 52352	File Visible: -	Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF7677000	Size: 34560	File Visible: -	Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF7837000	Size: 20480	File Visible: -	Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xBA79B000	Size: 82944	File Visible: -	Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000	Size: 1839104	File Visible: -	Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000	Size: 1839104	File Visible: -	Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7989000	Size: 8192	File Visible: -	Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000	Size: 2142208	File Visible: -	Signed: -
Status: -



I'm at my wits end on this. Hopefully I did this correctly as per forum rules, not trying to be a pain here. Thank you.

BC AdBot (Login to Remove)

 


#2 Tsetra

Tsetra
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:11 AM

Posted 10 September 2011 - 01:39 PM

As per your suggestion, I ran ComboFix which I had to do in Safe Mode as the rootkit was shutting it down in normal mode of operation. CF detected the issue as Rootkit.Zeroaccess and removed it. Running some scans using the other programs suggested showed no further threats and the problem is now gone. Thank you for your help, I'll be sure to pass on this forum to anyone who needs prompt assistance and doesn't want to wait 12 hours or more lest they begin to lose important computer files.

Edit - Feel free to delete/ban/block this account. Pretty worthless and I'm not coming back after this edit anyways.

Edited by Tsetra, 10 September 2011 - 01:42 PM.


#3 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:11 PM

Posted 11 September 2011 - 05:31 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users