0

I'm afraid that problem is still there. I don't think it's doing any harm. It's just a bloody nuisance.

0

I would find it a nuisance! You might try repairing IE8. Go Start, Run, paste or type in...
%windir%\inf
Locate ie.inf, right-click it, and choose Install. You may need your installation CD if the requisite i386 files are not on the HDD.

Edited by gerbil: n/a

0

I already uninstalled IE back to the version that was on the PC from new (IE6) and then downloaded and reinstalled IE8. IE is working fine. For some reason it's running twice in Process Manager even when IE is not loaded. If I start IE it then appears a third time in Processes. It seems as if one of the other instances is falling over and throwing the error.

I'm getting closer to reformatting and reinstalling Windows; although I hate to admit defeat, my mate wants his computer back.

0

There is no need for you to run IE8. It was released basically for use on Vista and Windows 7. It has caused and does cause problems for many running XP and it is considered an Optional update for XP, not a critical or required update. Roll it back to IE6 and then update only to IE7 and then configure Windows Updates to never offer IE8 to you again.

Edited by jholland1964: n/a

0

The Internet Explorer error comes up regardless of which browser is installed. We run IE8 on Windows XP machines across our organisation without any problems.

0

Doesn't matter if you are running IE8 on other machines and they happen to work fine; this one does not. As I said, it works fine on some machines running XP and on others it does not, because it is basically for Vista and Windows 7 and not XP, though it will run on some XP machines, not all. It could be that the core file is damaged, so no matter what version you ran, you would get the error.
Have you run Check Disk?

Edited by jholland1964: n/a

0

I use IE6... but only when I must. [Some routers etc. will not load config files correctly with FF or Opera!!, some M$ sites only accept IE still.] It's fine. For IE6 there is a download of repair files for IE installations, IEFix 1.6; I don't know IE8, and am happy to accept Judy's guidance on that. Anyway, back to your point... something is calling IE, try to find that. I'd try ProcMon, run it as a boot monitor and then search for iexplore.exe calls.

0

Thanks for the suggestions. I'll give it a blast on Monday as I left the computer in question in work. Enjoy the rest of the weekend.

0

Ran ProcMon as advised, gerbil, and in the enormous amount of data generated I was able to pick out the following:
Some of the IE sessions being launched attempt to connect to these websites with the arguments shown:
www.findclean.org/ac.php?aid=5&cid=direct2
www.clickport.org/ac.php?aid=5&cid=direct2

Another instance of IE runs as follows:
Iexplore.exe SC0DEF:3016 CREDAT:79873

I did a registry search and found entries for Search Assistant in
HKCU\software\microsoft\Search Assistant\ACMru\5604 and,
HKEY_USERS\<long number>\software\microsoft\Search Assistant\ACMru\5604

Each reg entry has the following REG_SZ values:
000 REG_SZ iexplore.exe http;//clickport.org /ac.php?aid=5&cid=direct2
001 REG_SZ Combofix
002 REG_SZ serf_conf
003 REG_SZ msimg32

The only difference is that www.findclean.org is used in the second reg key.

I remember Search Assistant as being a spyware programme and know that msimg32.dll can sometimes be a trojan component, but the Combofix entry has me puzzled.

ACMru Search Assistant and its sub-keys would seem to be the problem. What do you think?

1

The ACMRU key records Most Recently Used entries for the Search Assistant [e.g. you search for a file with Search in Explorer, and the detail is recorded there]. But it does not have to be user searches that get entered there, as shown by this one: iexplore.exe http;//clickport.org /ac.php?aid=5&cid=direct2
There may be four subkeys:
- 5001: terms used for Internet Search Assistant
- 5603: terms used for files and folders search
- 5604: terms used in a word search
- 5647: terms used in the other computers or people search
The actual entries there are of no harm, merely system record keeping. You can delete them safely [the 001..003 names]. But you might wonder from where that one originated. I cannot raise the site, nor the findclean.org site. Google is of no help, except it turns up this page: http://www.threatexpert.com/report.aspx?md5=927f2c1b6c8d732a7ba55a5969393ed3 with another connection attempt to clickport.org amongst other suspect sites.
This instance of iexplore: iexplore.exe SC0DEF:3016 CREDAT:79873. Those codes show that it is a child process of an iexplore.exe frame process with a PID of 3016 in this case; the code defines their relationship so that they know each other.
It is IE8 at play. Process Explorer will give you the actual command line which opened iexplore.exe.
Keep hunting... there is something there, and it is bad.

0

Thanks gerbil. After posting my last I did a bit more digging and found some information on ACMRU indicating that it's benign. Sort of jumped the gun a bit. Was also unable to find either of the sites mentioned in my post.
I now need to find a good tutorial on process explorer....

0

Unfortunately I haven't been able to use process explorer or process monitor to discover how Internet Explorer is being launched. Any guidance would be appreciated.
However, I searched file contents on the PC for one of the destination websites, www.findclean.org, and it flagged up a file called serf_conf.log in two of the PC users' profiles:
\\documents and settings\username\local settings\temp\serf_conf.log

I have attached the contents of one of these files below.
The file seems to get written fairly regularly, so is there any way to set something up that will be triggered by the file write operation and will capture the name of the programme that creates the serf_conf.log file?
Or is this another false alarm?

Contents of serf_conf.log below
+++++++++++++++++++++++++++++++++

[PANEL_SIGN_CHECK]
[runs_count_begin]
60
[runs_count_end]
[urls_to_serf_begin]
http://www.searchfine.org/ac.php?aid=433&sid=direct2
http://www.searchfine.org/ac.php?aid=433&sid=direct2
http://www.searchfine.org/ac.php?aid=433&sid=direct2
http://www.clickport.org/ac.php?aid=433&sid=direct2
http://www.searchfine.org/ac.php?aid=433&sid=direct2
[urls_to_serf_end]
[refs_to_change_begin]
www.clickport.org/ac.php=|www.clickport.org/search.php
www.searchfine.org/ac.php=|www.searchfine.org/search.php
[refs_to_change_end]
[panels_begin]
searchsunny.org
onlineprostats.com
searchsteady.org
searchhardware.org
findcondemned.org
searchswitch.org
[panels_end]
[popupcount_begin]
3
[popupcount_end]
[popupurl_begin]
[popupurl_end]
[popupurl2_begin]
[popupurl2_end]
[date_begin]
28:1:2011
[date_end][PANEL_SIGN_CHECK]
[runs_count_begin]
60
[runs_count_end]
[urls_to_serf_begin]
http://www.findclean.org/ac.php?aid=433&sid=direct2
http://www.findclean.org/ac.php?aid=433&sid=direct2
http://www.findclean.org/ac.php?aid=433&sid=direct2
http://www.findclean.org/ac.php?aid=433&sid=direct2
http://www.searchteeny.org/ac.php?aid=433&sid=direct2
http://www.clickport.org/ac.php?aid=433&sid=direct2
http://www.clickport.org/ac.php?aid=433&sid=direct2
http://www.clickport.org/ac.php?aid=433&sid=direct2
[urls_to_serf_end]
[refs_to_change_begin]
www.clickport.org/ac.php=|www.clickport.org/search.php
www.searchteeny.org/ac.php=|www.searchteeny.org/search.php
www.findclean.org/ac.php=|www.findclean.org/search.php
[refs_to_change_end]
[panels_begin]
searchswitch.org
searchsteady.org
searchhardware.org
onlineprostats.com
searchsunny.org
searchdrab.org
[panels_end]
[popupcount_begin]
3
[popupcount_end]
[popupurl_begin]
[popupurl_end]
[popupurl2_begin]
[popupurl2_end]
[date_begin]
31:1:2011
[date_end][PANEL_SIGN_CHECK]
[runs_count_begin]
60
[runs_count_end]
[urls_to_serf_begin]
http://www.clickfixed.org/ac.php?aid=433&sid=direct2
http://www.findclean.org/ac.php?aid=433&sid=direct2
http://www.clickfixed.org/ac.php?aid=433&sid=direct2
http://www.clickfixed.org/ac.php?aid=433&sid=direct2
http://www.findclean.org/ac.php?aid=433&sid=direct2
http://www.findclean.org/ac.php?aid=433&sid=direct2
http://www.clickfixed.org/ac.php?aid=433&sid=direct2
http://www.findclean.org/ac.php?aid=433&sid=direct2
[urls_to_serf_end]
[refs_to_change_begin]
www.clickfixed.org/ac.php=|www.clickfixed.org/search.php
www.findclean.org/ac.php=|www.findclean.org/search.php
[refs_to_change_end]
[panels_begin]
onlineprostats.com
searchsteep.org
searchswitch.org
searchsunny.org
searchdrab.org
searchhardware.org
[panels_end]
[popupcount_begin]
3
[popupcount_end]
[popupurl_begin]
[popupurl_end]
[popupurl2_begin]
[popupurl2_end]
[date_begin]
1:2:2011
[date_end]
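The file's layout is regular enough to parse, and that is worth doing because its contents are the indicator list for this infection: the section names suggest a task file for something that drives the browser (urls_to_serf looks like the list of pages to visit, refs_to_change pairs an ac.php URL with the search.php URL on the same host, and panels lists further hosts). The Python below is an added example, not code from the thread or from any tool named in it. It parses a trimmed, constructed copy of the posted format, including the record headers that are glued to [date_end] with no newline, and reduces it to a host list with visit counts and a date range. The day:month:year reading of the date field and the meaning given to each section are assumptions drawn from the values in the posted file.

```python
import re
from collections import Counter
from datetime import date
from urllib.parse import urlsplit

# Constructed sample: a trimmed copy of the serf_conf.log format posted above
# (two records). The second record header is glued to "[date_end]" with no
# newline, as in the posted file, so the parser must not assume one tag per line.
SAMPLE_LOG = """[PANEL_SIGN_CHECK]
[runs_count_begin]
60
[runs_count_end]
[urls_to_serf_begin]
http://www.searchfine.org/ac.php?aid=433&sid=direct2
http://www.clickport.org/ac.php?aid=433&sid=direct2
[urls_to_serf_end]
[refs_to_change_begin]
www.clickport.org/ac.php=|www.clickport.org/search.php
[refs_to_change_end]
[panels_begin]
searchsunny.org
onlineprostats.com
[panels_end]
[popupurl_begin]
[popupurl_end]
[date_begin]
28:1:2011
[date_end][PANEL_SIGN_CHECK]
[urls_to_serf_begin]
http://www.findclean.org/ac.php?aid=433&sid=direct2
http://www.clickport.org/ac.php?aid=433&sid=direct2
[urls_to_serf_end]
[refs_to_change_begin]
www.findclean.org/ac.php=|www.findclean.org/search.php
[refs_to_change_end]
[panels_begin]
searchdrab.org
[panels_end]
[date_begin]
31:1:2011
[date_end]"""

RECORD_MARK = "[PANEL_SIGN_CHECK]"
# [name_begin] body [name_end] with the same name on both ends; re.S lets the
# body span lines and the non-greedy body stops at the first matching end tag.
SECTION_RE = re.compile(r"\[(\w+)_begin\](.*?)\[\1_end\]", re.S)


def parse_serf_conf(text):
    """Split the log into records and each record into named sections.
    A section's value is its list of non-empty lines ([] for an empty section)."""
    records = []
    for chunk in text.split(RECORD_MARK):
        if not chunk.strip():
            continue
        sections = {}
        for name, body in SECTION_RE.findall(chunk):
            sections[name] = [ln.strip() for ln in body.splitlines() if ln.strip()]
        records.append(sections)
    return records


def parse_record_date(value):
    """Assumption: day:month:year. The posted file runs 28:1:2011, 31:1:2011,
    1:2:2011, which reads sensibly only in that order."""
    d, m, y = (int(part) for part in value.split(":"))
    return date(y, m, d)


def summarize(records):
    """Reduce the config to what a responder acts on: hosts the browser is sent
    to (with visit counts), referer rewrite rules, panel hosts, date range."""
    serf_hosts = Counter()
    rewrites, panels, dates = set(), set(), []
    for rec in records:
        for url in rec.get("urls_to_serf", []):
            serf_hosts[urlsplit(url).hostname] += 1
        for rule in rec.get("refs_to_change", []):
            if "=|" in rule:                      # "<match>=|<replacement>"
                rewrites.add(tuple(rule.split("=|", 1)))
        panels.update(rec.get("panels", []))
        dates.extend(parse_record_date(v) for v in rec.get("date", []))
    return {
        "serf_hosts": serf_hosts,
        "rewrites": sorted(rewrites),
        "panels": sorted(panels),
        "first_seen": min(dates) if dates else None,
        "last_seen": max(dates) if dates else None,
    }


def blocklist(summary):
    """Flattened, de-duplicated host list for a DNS sinkhole or proxy deny rule."""
    hosts = set(summary["serf_hosts"])
    for src, dst in summary["rewrites"]:
        hosts.add(src.split("/", 1)[0])
        hosts.add(dst.split("/", 1)[0])
    hosts.update(summary["panels"])
    return sorted(h for h in hosts if h)
```

Run against the real file, `summarize(parse_serf_conf(open(path).read()))` gives the host counts and the first and last record dates, and `blocklist(...)` the hosts to deny at the proxy or sinkhole while the machine is cleaned; the per-host counts also tell you which DNS queries to look for in the gateway logs of any other machine that might carry the same thing.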

1

Been watching Howl's Moving Castle by Miyazaki.... a sublime anime, as are all by him... Anyway...
The serf_conf log... it originates from libserf, a language; it allows the client to make HTTP requests. I don't know if the config log that iexplore built is where it's been or where it's going; the former, I guess. I'm out of my depth.
Something is directing IE, and it is still hidden. You might try another rootkit scan or three; one I like is Rootkit Unhooker [they had a very public and enduring slanging match with GMER & other AR software authors, but now are involved with M$... check Help About.. :)]. Get it, and any other you like, from here: http://www.antirootkit.com/software/index.htm
I suggest...
R Unhooker -from this site is an earlier version than one I have... you need the author's site, or http://www.rootkit.com/newsread.php?newsid=902
R Revealer.
IceSword.
R Unhooker... as with IceSword, check each tab; RU scans run automatically except for Files & Hooks. Look for unknown hooks. Generally a rootkit's presence will be well indicated. Don't be surprised by SPTD software you may have throwing up alerts, e.g. Alcohol.

0

Getting the rootkit tools now. Thanks again.
On another subject, you've watched Spirited Away, I presume, or Ponyo?
I'm a big fan of Porco Rosso and have a soft spot for Kiki's Delivery Service.

0

His work is supreme... of the four you mention, I have yet to see Ponyo.
I love the artwork [all hand-drawn/painted, not a computer graphic anywhere]; Disney or the modern tech artists cannot hold a candle to Miyazaki's works. They involve me, transport me, "simple" stories of magic and rightness.
I was starting to think I was alone.
Right, those tools: before you run them, close off all other applications. It makes looking over the results easier.

Edited by gerbil: n/a

0

Forgot to mention My Neighbour Totoro....

Already ran Rootkit Unhooker overnight, but with some apps still running.
Have a report file from it, which is attached to the bottom of this. It sees something suspicious, I think.

Quick question:
Is it true that Tasmanians refer to Australia as "the north island"?
If so, then it cracks me up...

++++++++++ Rootkit Unhooker Report ++++++++++++

RkUnhooker report generator v0.7
==============================================
Rootkit Unhooker kernel version: 3.7.300.509
==============================================
Windows Major Version: 5
Windows Minor Version: 1
Windows Build Number: 2600
==============================================
>SSDT State
NtClose
Actual Address 0xA0F3D812
Hooked by: C:\WINDOWS\system32\Drivers\PROCMON20.SYS
NtCreateKey
Actual Address 0xA0F3D608
Hooked by: C:\WINDOWS\system32\Drivers\PROCMON20.SYS
NtDeleteKey
Actual Address 0xA0F3D4B0
Hooked by: C:\WINDOWS\system32\Drivers\PROCMON20.SYS
NtDeleteValueKey
Actual Address 0xA0F3D4F6
Hooked by: C:\WINDOWS\system32\Drivers\PROCMON20.SYS
NtEnumerateKey
Actual Address 0xA0F3D3F6
Hooked by: C:\WINDOWS\system32\Drivers\PROCMON20.SYS
NtEnumerateValueKey
Actual Address 0xA0F3D352
Hooked by: C:\WINDOWS\system32\Drivers\PROCMON20.SYS
NtFlushKey
Actual Address 0xA0F3D44A
Hooked by: C:\WINDOWS\system32\Drivers\PROCMON20.SYS
NtLoadKey
Actual Address 0xA0F3D976
Hooked by: C:\WINDOWS\system32\Drivers\PROCMON20.SYS
NtOpenKey
Actual Address 0xA0F3D7D4
Hooked by: C:\WINDOWS\system32\Drivers\PROCMON20.SYS
NtQueryKey
Actual Address 0xA0F3D042
Hooked by: C:\WINDOWS\system32\Drivers\PROCMON20.SYS
NtQueryValueKey
Actual Address 0xA0F3D16A
Hooked by: C:\WINDOWS\system32\Drivers\PROCMON20.SYS
NtSetValueKey
Actual Address 0xA0F3D28E
Hooked by: C:\WINDOWS\system32\Drivers\PROCMON20.SYS
NtUnloadKey
Actual Address 0xA0F3DAC6
Hooked by: C:\WINDOWS\system32\Drivers\PROCMON20.SYS
==============================================
>Shadow
==============================================
>Processes
Process: System
Process Id: 4
EPROCESS Address: 0x86FC49C8

Process: C:\Program Files\Internet Explorer\iexplore.exe
Process Id: 580
EPROCESS Address: 0x85F17C78

Process: C:\WINDOWS\system32\smss.exe
Process Id: 592
EPROCESS Address: 0x86E0C030

Process: C:\WINDOWS\system32\dllhost.exe
Process Id: 612
EPROCESS Address: 0x86B5BB18

Process: C:\WINDOWS\system32\csrss.exe
Process Id: 640
EPROCESS Address: 0x86BBEB80

Process: C:\WINDOWS\system32\winlogon.exe
Process Id: 664
EPROCESS Address: 0x86CFF030

Process: C:\WINDOWS\system32\services.exe
Process Id: 708
EPROCESS Address: 0x86948C58

Process: C:\WINDOWS\system32\lsass.exe
Process Id: 720
EPROCESS Address: 0x86BF01E8

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 892
EPROCESS Address: 0x866B0C10

Process: C:\WINDOWS\system32\alg.exe
Process Id: 940
EPROCESS Address: 0x864C4DA0

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 996
EPROCESS Address: 0x866BC240

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1044
EPROCESS Address: 0x866CD7F8

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1096
EPROCESS Address: 0x8671A3D0

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1156
EPROCESS Address: 0x86382030

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1228
EPROCESS Address: 0x86BBD030

Process: C:\WINDOWS\system32\igfxpers.exe
Process Id: 1368
EPROCESS Address: 0x86429668

Process: C:\WINDOWS\system32\spoolsv.exe
Process Id: 1400
EPROCESS Address: 0x8676C238

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1472
EPROCESS Address: 0x86BD3710

Process: C:\WINDOWS\system32\bgsvcgen.exe
Process Id: 1520
EPROCESS Address: 0x867897F8

Process: C:\WINDOWS\ehome\ehrecvr.exe
Process Id: 1556
EPROCESS Address: 0x866B03D8

Process: C:\WINDOWS\ehome\ehSched.exe
Process Id: 1572
EPROCESS Address: 0x8678EC10

Process: C:\WINDOWS\system32\HPZipm12.exe
Process Id: 1648
EPROCESS Address: 0x867DC658

Process: C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
Process Id: 1708
EPROCESS Address: 0x86E6D030

Process: C:\WINDOWS\system32\svchost.exe
Process Id: 1752
EPROCESS Address: 0x86803990

Process: C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
Process Id: 1832
EPROCESS Address: 0x86BC1DA0

Process: C:\WINDOWS\ehome\mcrdsvc.exe
Process Id: 1992
EPROCESS Address: 0x868A73D8

Process: C:\WINDOWS\explorer.exe
Process Id: 2004
EPROCESS Address: 0x863313C0

Process: C:\WINDOWS\system32\hkcmd.exe
Process Id: 2448
EPROCESS Address: 0x85F89938

Process: C:\Program Files\AnalogX\CookieWall\cookie.exe
Process Id: 2500
EPROCESS Address: 0x8647EDA0

Process: C:\Program Files\Internet Explorer\iexplore.exe
Process Id: 3200
EPROCESS Address: 0x8603A330

Process: C:\Program Files\Internet Explorer\iexplore.exe
Process Id: 3348
EPROCESS Address: 0x86547D48

Process: C:\WINDOWS\system32\wscntfy.exe
Process Id: 3912
EPROCESS Address: 0x866B5550

Process: G:\Anti Virus_regcleaners\Runhooker\rku37300509.exe
Process Id: 4416
EPROCESS Address: 0x868AF030

==============================================
>Drivers
Driver: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000
Size: 2150400 bytes

Driver: PnpManager
Address: 0x804D7000
Size: 2150400 bytes

Driver: RAW
Address: 0x804D7000
Size: 2150400 bytes

Driver: WMIxWDM
Address: 0x804D7000
Size: 2150400 bytes

Driver: Win32k
Address: 0xBF800000
Size: 1855488 bytes

Driver: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000
Size: 1855488 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
Address: 0xF6AFE000
Size: 1306624 bytes

Driver: C:\WINDOWS\system32\drivers\sthda.sys
Address: 0xAA6AA000
Size: 1069056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
Address: 0xF6948000
Size: 1044480 bytes

Driver: C:\WINDOWS\System32\ialmdd5.DLL
Address: 0xBF077000
Size: 929792 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Address: 0xF68A1000
Size: 684032 bytes

Driver: Ntfs.sys
Address: 0xF72B4000
Size: 577536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xA9C2F000
Size: 458752 bytes

Driver: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xF67C5000
Size: 385024 bytes

Driver: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xA9E49000
Size: 364544 bytes

Driver: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xA18C9000
Size: 360448 bytes

Driver: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000
Size: 290816 bytes

Driver: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xA1971000
Size: 266240 bytes

Driver: C:\WINDOWS\System32\ialmdev5.DLL
Address: 0xBF042000
Size: 217088 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
Address: 0xF6A6A000
Size: 212992 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xF6823000
Size: 196608 bytes

Driver: ACPI.sys
Address: 0xF740F000
Size: 188416 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xA19DA000
Size: 184320 bytes

Driver: NDIS.sys
Address: 0xF7287000
Size: 184320 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xA9C9F000
Size: 176128 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xF6AC2000
Size: 163840 bytes

Driver: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xA9E21000
Size: 163840 bytes

Driver: dmio.sys
Address: 0xF73B9000
Size: 155648 bytes

Driver: C:\WINDOWS\system32\DRIVERS\e100b325.sys
Address: 0xF687B000
Size: 155648 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xA9DFB000
Size: 155648 bytes

Driver: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xA1104000
Size: 147456 bytes

Driver: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xAA686000
Size: 147456 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xF6A9E000
Size: 147456 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xF6A47000
Size: 143360 bytes

Driver: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xA9DB1000
Size: 139264 bytes

Driver: C:\WINDOWS\System32\ialmdnt5.dll
Address: 0xBF020000
Size: 139264 bytes

Driver: ACPI_HAL
Address: 0x806E4000
Size: 134400 bytes

Driver: C:\WINDOWS\system32\hal.dll
Address: 0x806E4000
Size: 134400 bytes

Driver: fltmgr.sys
Address: 0xF7381000
Size: 131072 bytes

Driver: ftdisk.sys
Address: 0xF73DF000
Size: 126976 bytes

Driver: Mup.sys
Address: 0xF726D000
Size: 106496 bytes

Driver: atapi.sys
Address: 0xF73A1000
Size: 98304 bytes

Driver: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA1AA7000
Size: 98304 bytes

Driver: KSecDD.sys
Address: 0xF7358000
Size: 94208 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xF6864000
Size: 94208 bytes

Driver: WudfPf.sys
Address: 0xF7341000
Size: 94208 bytes

Driver: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xA1594000
Size: 86016 bytes

Driver: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xF6AEA000
Size: 81920 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xA9EA2000
Size: 77824 bytes

Driver: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000
Size: 73728 bytes

Driver: sr.sys
Address: 0xF736F000
Size: 73728 bytes

Driver: pci.sys
Address: 0xF73FE000
Size: 69632 bytes

Driver: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xF6853000
Size: 69632 bytes

Driver: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xA1FDD000
Size: 65536 bytes

Driver: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF775E000
Size: 65536 bytes

Driver: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xF75FE000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF776E000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xA1739000
Size: 61440 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF762E000
Size: 61440 bytes

Driver: C:\WINDOWS\System32\ialmrnt5.dll
Address: 0xBF012000
Size: 57344 bytes

Driver: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF757E000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF778E000
Size: 53248 bytes

Driver: VolSnap.sys
Address: 0xF755E000
Size: 53248 bytes

Driver: C:\WINDOWS\system32\Drivers\PROCMON20.SYS
Address: 0xA0F39000
Size: 49152 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF77AE000
Size: 49152 bytes

Driver: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xF76DE000
Size: 45056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF777E000
Size: 45056 bytes

Driver: MountMgr.sys
Address: 0xF754E000
Size: 45056 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF779E000
Size: 45056 bytes

Driver: isapnp.sys
Address: 0xF753E000
Size: 40960 bytes

Driver: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF75BE000
Size: 40960 bytes

Driver: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF75AE000
Size: 40960 bytes

Driver: disk.sys
Address: 0xF756E000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xAA33D000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Address: 0xF774E000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF759E000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF76BE000
Size: 36864 bytes

Driver: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xF76AE000
Size: 36864 bytes

Driver: C:\WINDOWS\System32\Drivers\cdrbsdrv.SYS
Address: 0xF7826000
Size: 32768 bytes

Driver: C:\WINDOWS\system32\drivers\mbamswissarmy.sys
Address: 0xF78C6000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\Drivers\Modem.SYS
Address: 0xF781E000
Size: 32768 bytes

Driver: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF7906000
Size: 32768 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF7816000
Size: 32768 bytes

Driver: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF78F6000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF77BE000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Address: 0xA7A94000
Size: 28672 bytes

Driver: C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
Address: 0xF782E000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF784E000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF7856000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\Drivers\rkhdrv40.SYS
Address: 0xAA285000
Size: 24576 bytes

Driver: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Address: 0xF780E000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF78FE000
Size: 24576 bytes

Driver: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF793E000
Size: 20480 bytes

Driver: PartMgr.sys
Address: 0xF77C6000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\Drivers\PROCEXP141.SYS
Address: 0xA6477000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF783E000
Size: 20480 bytes

Driver: PxHelp20.sys
Address: 0xF77CE000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF7846000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF7836000
Size: 20480 bytes

Driver: C:\WINDOWS\System32\watchdog.sys
Address: 0xA6A28000
Size: 20480 bytes

Driver: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xF7A0E000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\drivers\MODEMCSA.sys
Address: 0xF7A0A000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xF79EE000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xA2671000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\DRIVERS\packet.sys
Address: 0xA2675000
Size: 16384 bytes

Driver: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF794E000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xA7989000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xF67A9000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\Drivers\i2omgmt.SYS
Address: 0xF722C000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Address: 0xA7985000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xF67A1000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF6EBB000
Size: 12288 bytes

Driver: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xF7224000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Address: 0xF7214000
Size: 12288 bytes

Driver: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF7AB0000
Size: 8192 bytes

Driver: dmload.sys
Address: 0xF7A44000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AD0000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF7AAE000
Size: 8192 bytes

Driver: intelide.sys
Address: 0xF7A42000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7A3E000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xF7AB4000
Size: 8192 bytes

Driver: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF7AB6000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF7A7E000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF7A84000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7A40000
Size: 8192 bytes

Driver: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xF7C7F000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7B5A000
Size: 4096 bytes

Driver: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7BC6000
Size: 4096 bytes

Driver: pciide.sys
Address: 0xF7B06000
Size: 4096 bytes


!!!!!!!!!!!Hidden driver: 00000102
Loaded from:
Address: 0x86F2328A
Size: 3446 bytes

==============================================
>Stealth

Unknown page with executable code
Address: 0x86F243CC
Size: 3124

Unknown page with executable code
Address: 0x86F2328A
Size: 3446

Unknown page with executable code
Address: 0x86F29143
Size: 3773
==============================================
>Files

Suspect File: C:\Documents and Settings\All Users\Application Data\Real\setup\config.ini::$DATA Status: Hidden


Suspect File: C:\Qoobox\BackEnv\AppData.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\Cache.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\Cookies.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\Desktop.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\Favorites.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\History.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\LocalAppData.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\LocalSettings.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\Music.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\NetHood.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\Personal.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\Pictures.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\PrintHood.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\Profiles.Folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\Programs.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\Recent.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\SendTo.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\SetPath.bat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\StartMenu.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\StartUp.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\SysPath.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\Templates.folder.dat Status: Hidden


Suspect File: C:\Qoobox\BackEnv\VikPev00 Status: Hidden

==============================================
>Hooks

ntkrnlpa.exe+0x0002D608, Type: Inline - RelativeJump at address 0x80504608 hook handler located in [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006ECBE, Type: Inline - RelativeJump at address 0x80545CBE hook handler located in [ntkrnlpa.exe]
[2004]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x01001268 hook handler located in [shimeng.dll]
[3200]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0040106C hook handler located in [shimeng.dll]
[3200]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00401098 hook handler located in [aclayers.dll]
[3200]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x004010E8 hook handler located in [aclayers.dll]
[3200]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x004010C0 hook handler located in [aclayers.dll]
[3200]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump at address 0x7E42D0A3 hook handler located in [ieframe.dll]
[3200]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump at address 0x7E456D7D hook handler located in [ieframe.dll]
[3200]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump at address 0x7E432072 hook handler located in [ieframe.dll]
[3200]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump at address 0x7E43B144 hook handler located in [ieframe.dll]
[3200]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump at address 0x7E4247AB hook handler located in [ieframe.dll]
[3200]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump at address 0x7E45085C hook handler located in [ieframe.dll]
[3200]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump at address 0x7E450838 hook handler located in [ieframe.dll]
[3200]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump at address 0x7E43A082 hook handler located in [ieframe.dll]
[3200]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump at address 0x7E4664D5 hook handler located in [ieframe.dll]
[3200]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersA, Type: Inline - RelativeJump at address 0x3D94CF4E hook handler located in [unknown_code_page]
[3200]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersW, Type: Inline - RelativeJump at address 0x3D94FE49 hook handler located in [unknown_code_page]
[3200]iexplore.exe-->wininet.dll-->HttpOpenRequestA, Type: Inline - RelativeJump at address 0x3D94D508 hook handler located in [unknown_code_page]
[3200]iexplore.exe-->wininet.dll-->HttpOpenRequestW, Type: Inline - RelativeJump at address 0x3D94FBFB hook handler located in [unknown_code_page]
[3200]iexplore.exe-->wininet.dll-->InternetConnectA, Type: Inline - RelativeJump at address 0x3D94DEAE hook handler located in [unknown_code_page]
[3200]iexplore.exe-->wininet.dll-->InternetConnectW, Type: Inline - RelativeJump at address 0x3D94F862 hook handler located in [unknown_code_page]
[3200]iexplore.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71AB3E2B hook handler located in [unknown_code_page]
[3200]iexplore.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71AB4A07 hook handler located in [unknown_code_page]
[3200]iexplore.exe-->ws2_32.dll-->getaddrinfo, Type: Inline - RelativeJump at address 0x71AB2A6F hook handler located in [unknown_code_page]
[3200]iexplore.exe-->ws2_32.dll-->gethostbyname, Type: Inline - RelativeJump at address 0x71AB5355 hook handler located in [unknown_code_page]
[3200]iexplore.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB676F hook handler located in [unknown_code_page]
[3200]iexplore.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB4C27 hook handler located in [unknown_code_page]
[3348]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0040106C hook handler located in [shimeng.dll]
[3348]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00401098 hook handler located in [aclayers.dll]
[3348]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x004010E8 hook handler located in [aclayers.dll]
[3348]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x004010C0 hook handler located in [aclayers.dll]
[3348]iexplore.exe-->user32.dll-->CallNextHookEx, Type: Inline - RelativeJump at address 0x7E42B3C6 hook handler located in [ieframe.dll]
[3348]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump at address 0x7E42D0A3 hook handler located in [ieframe.dll]
[3348]iexplore.exe-->user32.dll-->DialogBoxIndirectParamA, Type: Inline - RelativeJump at address 0x7E456D7D hook handler located in [ieframe.dll]
[3348]iexplore.exe-->user32.dll-->DialogBoxIndirectParamW, Type: Inline - RelativeJump at address 0x7E432072 hook handler located in [ieframe.dll]
[3348]iexplore.exe-->user32.dll-->DialogBoxParamA, Type: Inline - RelativeJump at address 0x7E43B144 hook handler located in [ieframe.dll]
[3348]iexplore.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump at address 0x7E4247AB hook handler located in [ieframe.dll]
[3348]iexplore.exe-->user32.dll-->MessageBoxExA, Type: Inline - RelativeJump at address 0x7E45085C hook handler located in [ieframe.dll]
[3348]iexplore.exe-->user32.dll-->MessageBoxExW, Type: Inline - RelativeJump at address 0x7E450838 hook handler located in [ieframe.dll]
[3348]iexplore.exe-->user32.dll-->MessageBoxIndirectA, Type: Inline - RelativeJump at address 0x7E43A082 hook handler located in [ieframe.dll]
[3348]iexplore.exe-->user32.dll-->MessageBoxIndirectW, Type: Inline - RelativeJump at address 0x7E4664D5 hook handler located in [ieframe.dll]
[3348]iexplore.exe-->user32.dll-->SetWindowsHookExW, Type: Inline - RelativeJump at address 0x7E42820F hook handler located in [ieframe.dll]
[3348]iexplore.exe-->user32.dll-->UnhookWindowsHookEx, Type: Inline - RelativeJump at address 0x7E42D5F3 hook handler located in [ieframe.dll]
[3348]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersA, Type: Inline - RelativeJump at address 0x3D94CF4E hook handler located in [unknown_code_page]
[3348]iexplore.exe-->wininet.dll-->HttpAddRequestHeadersW, Type: Inline - RelativeJump at address 0x3D94FE49 hook handler located in [unknown_code_page]
[3348]iexplore.exe-->wininet.dll-->HttpOpenRequestA, Type: Inline - RelativeJump at address 0x3D94D508 hook handler located in [unknown_code_page]
[3348]iexplore.exe-->wininet.dll-->HttpOpenRequestW, Type: Inline - RelativeJump at address 0x3D94FBFB hook handler located in [unknown_code_page]
[3348]iexplore.exe-->wininet.dll-->InternetConnectA, Type: Inline - RelativeJump at address 0x3D94DEAE hook handler located in [unknown_code_page]
[3348]iexplore.exe-->wininet.dll-->InternetConnectW, Type: Inline - RelativeJump at address 0x3D94F862 hook handler located in [unknown_code_page]
[3348]iexplore.exe-->ws2_32.dll-->closesocket, Type: Inline - RelativeJump at address 0x71AB3E2B hook handler located in [unknown_code_page]
[3348]iexplore.exe-->ws2_32.dll-->connect, Type: Inline - RelativeJump at address 0x71AB4A07 hook handler located in [unknown_code_page]
[3348]iexplore.exe-->ws2_32.dll-->getaddrinfo, Type: Inline - RelativeJump at address 0x71AB2A6F hook handler located in [unknown_code_page]
[3348]iexplore.exe-->ws2_32.dll-->gethostbyname, Type: Inline - RelativeJump at address 0x71AB5355 hook handler located in [unknown_code_page]
[3348]iexplore.exe-->ws2_32.dll-->recv, Type: Inline - RelativeJump at address 0x71AB676F hook handler located in [unknown_code_page]
[3348]iexplore.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB4C27 hook handler located in [unknown_code_page]
[580]iexplore.exe-->advapi32.dll-->GetTraceEnableFlags, Type: IAT modification at address 0x00401004 hook handler located in [unknown_code_page]
[580]iexplore.exe-->advapi32.dll-->GetTraceEnableLevel, Type: IAT modification at address 0x00401008 hook handler located in [unknown_code_page]
[580]iexplore.exe-->advapi32.dll-->GetTraceLoggerHandle, Type: IAT modification at address 0x0040100C hook handler located in [unknown_code_page]
[580]iexplore.exe-->advapi32.dll-->RegCloseKey, Type: IAT modification at address 0x00401018 hook handler located in [unknown_code_page]
[580]iexplore.exe-->advapi32.dll-->RegisterTraceGuidsW, Type: IAT modification at address 0x00401014 hook handler located in [unknown_code_page]
[580]iexplore.exe-->advapi32.dll-->RegOpenKeyExW, Type: IAT modification at address 0x00401020 hook handler located in [unknown_code_page]
[580]iexplore.exe-->advapi32.dll-->RegQueryValueExW, Type: IAT modification at address 0x0040101C hook handler located in [unknown_code_page]
[580]iexplore.exe-->advapi32.dll-->TraceEvent, Type: IAT modification at address 0x00401000 hook handler located in [unknown_code_page]
[580]iexplore.exe-->advapi32.dll-->UnregisterTraceGuids, Type: IAT modification at address 0x00401010 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->CloseHandle, Type: IAT modification at address 0x00401050 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->CreateEventW, Type: IAT modification at address 0x004010A8 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->CreateFileMappingW, Type: IAT modification at address 0x004010E0 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->CreateFileW, Type: IAT modification at address 0x00401088 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->CreateMutexW, Type: IAT modification at address 0x0040109C hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification at address 0x00401034 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->ExpandEnvironmentStringsW, Type: IAT modification at address 0x00401030 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->FindResourceExW, Type: IAT modification at address 0x004010EC hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->FindResourceW, Type: IAT modification at address 0x004010C8 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->FreeLibrary, Type: IAT modification at address 0x004010D8 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetCommandLineW, Type: IAT modification at address 0x00401028 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetCurrentDirectoryW, Type: IAT modification at address 0x0040105C hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetCurrentProcess, Type: IAT modification at address 0x00401044 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetCurrentProcessId, Type: IAT modification at address 0x004010FC hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetCurrentThreadId, Type: IAT modification at address 0x00401100 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetFileTime, Type: IAT modification at address 0x00401090 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetLocaleInfoW, Type: IAT modification at address 0x004010DC hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetModuleFileNameW, Type: IAT modification at address 0x00401074 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetModuleHandleA, Type: IAT modification at address 0x0040110C hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetModuleHandleW, Type: IAT modification at address 0x00401068 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0040106C hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetStartupInfoW, Type: IAT modification at address 0x00401114 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetSystemDefaultLCID, Type: IAT modification at address 0x004010AC hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetSystemDefaultUILanguage, Type: IAT modification at address 0x004010D0 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetSystemTimeAsFileTime, Type: IAT modification at address 0x004010F8 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetTickCount, Type: IAT modification at address 0x00401104 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetUserDefaultLCID, Type: IAT modification at address 0x004010B0 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetUserDefaultUILanguage, Type: IAT modification at address 0x004010CC hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetVersionExW, Type: IAT modification at address 0x00401070 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->GetWindowsDirectoryW, Type: IAT modification at address 0x00401084 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->HeapSetInformation, Type: IAT modification at address 0x00401078 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->InitializeCriticalSection, Type: IAT modification at address 0x00401040 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->InitializeCriticalSectionAndSpinCount, Type: IAT modification at address 0x004010B4 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->InterlockedCompareExchange, Type: IAT modification at address 0x00401118 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->InterlockedExchange, Type: IAT modification at address 0x00401120 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->LoadLibraryA, Type: IAT modification at address 0x00401098 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->LoadLibraryExW, Type: IAT modification at address 0x004010E8 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->LoadLibraryW, Type: IAT modification at address 0x004010C0 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->LoadResource, Type: IAT modification at address 0x004010F0 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->LocalAlloc, Type: IAT modification at address 0x0040102C hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->LocalFree, Type: IAT modification at address 0x00401038 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->lstrlenW, Type: IAT modification at address 0x0040103C hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->MapViewOfFile, Type: IAT modification at address 0x004010E4 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->QueryPerformanceCounter, Type: IAT modification at address 0x00401108 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->RaiseException, Type: IAT modification at address 0x00401094 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->ReleaseMutex, Type: IAT modification at address 0x00401058 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->SearchPathW, Type: IAT modification at address 0x004010C4 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->SetDllDirectoryW, Type: IAT modification at address 0x0040108C hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->SetErrorMode, Type: IAT modification at address 0x00401054 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->SetUnhandledExceptionFilter, Type: IAT modification at address 0x00401110 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->Sleep, Type: IAT modification at address 0x0040111C hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->TerminateProcess, Type: IAT modification at address 0x00401080 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->UnhandledExceptionFilter, Type: IAT modification at address 0x004010F4 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->UnmapViewOfFile, Type: IAT modification at address 0x004010D4 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->VerifyVersionInfoW, Type: IAT modification at address 0x00401064 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->WaitForSingleObject, Type: IAT modification at address 0x004010A0 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->WaitForSingleObjectEx, Type: IAT modification at address 0x004010A4 hook handler located in [unknown_code_page]
[580]iexplore.exe-->ntdll.dll-->RtlUnwind, Type: IAT modification at address 0x004011BC hook handler located in [unknown_code_page]
[580]iexplore.exe-->shell32.dll-->CommandLineToArgvW, Type: IAT modification at address 0x00401210 hook handler located in [unknown_code_page]
[580]iexplore.exe-->user32.dll-->AllowSetForegroundWindow, Type: IAT modification at address 0x00401138 hook handler located in [unknown_code_page]
[580]iexplore.exe-->user32.dll-->CharNextW, Type: IAT modification at address 0x0040113C hook handler located in [unknown_code_page]
[580]iexplore.exe-->user32.dll-->GetThreadDesktop, Type: IAT modification at address 0x00401128 hook handler located in [unknown_code_page]
[580]iexplore.exe-->user32.dll-->GetUserObjectInformationW, Type: IAT modification at address 0x0040112C hook handler located in [unknown_code_page]
[580]iexplore.exe-->user32.dll-->LoadStringW, Type: IAT modification at address 0x00401134 hook handler located in [unknown_code_page]
[580]iexplore.exe-->user32.dll-->MessageBoxW, Type: IAT modification at address 0x00401130 hook handler located in [unknown_code_page]
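The hook listing above can be triaged mechanically rather than read line by line. As an added example (not code from the thread, from RkUnhooker or from any poster), the following Python parses lines in that report format and separates hooks whose handler sits in a known, expected module (ieframe.dll, the shimeng.dll/aclayers.dll app-compat layer) from those whose handler is in an unknown code page. The sample lines are constructed from entries in the report above; the set of expected handler modules is an assumption for this example, and on a real case you would build it from a known-clean machine of the same build.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the RkUnhooker hook report above
# (PIDs, addresses and module names copied from that report).
SAMPLE_REPORT = """\
[3348]iexplore.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification at address 0x0040106C hook handler located in [shimeng.dll]
[3348]iexplore.exe-->user32.dll-->CreateWindowExW, Type: Inline - RelativeJump at address 0x7E42D0A3 hook handler located in [ieframe.dll]
[3348]iexplore.exe-->wininet.dll-->HttpOpenRequestW, Type: Inline - RelativeJump at address 0x3D94FBFB hook handler located in [unknown_code_page]
[3348]iexplore.exe-->ws2_32.dll-->send, Type: Inline - RelativeJump at address 0x71AB4C27 hook handler located in [unknown_code_page]
[580]iexplore.exe-->kernel32.dll-->CreateProcessW, Type: IAT modification at address 0x00401034 hook handler located in [unknown_code_page]
"""

# One report line: [pid]process-->module-->function, Type: <kind> at address <hex>
# hook handler located in [handler]
HOOK_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<process>.+?)-->(?P<module>.+?)-->(?P<function>[^,]+),"
    r" Type: (?P<kind>.+?) at address (?P<address>0x[0-9A-Fa-f]+)"
    r" hook handler located in \[(?P<handler>[^\]]+)\]$"
)

# Modules that legitimately hook iexplore.exe on this XP build: IE's own frame
# DLL and the application-compatibility shim engine. This is an assumption for
# the example; derive the real baseline from a known-clean machine.
EXPECTED_HANDLERS = {"ieframe.dll", "shimeng.dll", "aclayers.dll"}

# Network-facing APIs: a hook here from an unknown page means the handler sees
# every HTTP request and socket write the browser makes.
NETWORK_MODULES = {"wininet.dll", "ws2_32.dll"}


def parse_hooks(text):
    """Return one dict per well-formed report line; other lines are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(m.groupdict())
    return hooks


def suspicious_hooks(hooks):
    """Hooks whose handler is not in any expected module."""
    return [h for h in hooks if h["handler"] not in EXPECTED_HANDLERS]


def network_api_hooks(hooks):
    """Suspicious hooks that sit on network APIs, the ones to look at first."""
    return [h for h in suspicious_hooks(hooks) if h["module"] in NETWORK_MODULES]


def summarize(hooks):
    """Group suspicious hooks by (pid, handler) as 'module!function' strings,
    so the analyst sees which processes carry handlers outside known modules."""
    summary = defaultdict(list)
    for h in suspicious_hooks(hooks):
        summary[(int(h["pid"]), h["handler"])].append(f'{h["module"]}!{h["function"]}')
    return dict(summary)


if __name__ == "__main__":
    parsed = parse_hooks(SAMPLE_REPORT)
    for (pid, handler), funcs in sorted(summarize(parsed).items()):
        print(f"pid {pid}: {len(funcs)} hook(s) into [{handler}]: {', '.join(funcs)}")
```

Run against the full report posted above, this separates the ieframe.dll and app-compat hooks, which are normal for IE8 on XP, from the inline jumps on wininet.dll and ws2_32.dll into unknown_code_page in PIDs 3200 and 3348, and the wholesale IAT redirection in PID 580 where every import points at an unknown page. Those are the entries worth carrying to the rootkit-focused tools the thread goes on to use.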

1

You could try to find the name of that hidden driver; its presence may be concealed by the driver loading and executing some code as a system thread, and then removing itself; that way its details [name etc] cannot be read. I wonder... you could try to show it up - you can make a change in reg to show hidden drivers in Dev Mgr [remains until you reverse it], or a change to the environment inside a cmd shell [dies with the closing of that shell].
1) System Properties, paste in as an environment variable name:
devmngr_show_nonpresent_devices ; value of 1. [that adds it into Session Manager key in reg].
Or 2) In a cmd window enter:
set devmngr_show_nonpresent_devices=1 -then start Dev Mgr from inside that shell with..
devmgmt.msc
Inside Dev Mgr under View tab check Show hidden devices. Hidden [deliberately] or non-loaded [no device present on sys] drivers are shown greyed out. I doubt if it will reveal anything though.
When you find a suspect driver investigate it thoroughly - you don't want to delete a crypted firewall or SCSI driver.
You could delete C:\Qoobox and contents.

!!!!!!!!!!!Hidden driver: 00000102
Loaded from:
Address: 0x86F2328A
Size: 3446 bytes

This entry is a worry. And I don't know what to do about it. Do IceSword or RKRevealer show anything? You might try posting that piece plus the Hooks section and serf_conf log over at Sysinternals Malware board - it's where the RKU blokes hang out now.

Edited by gerbil: n/a

0

I'll give it a lash over at Sysinternals and see what they say.
I just want to say that I very much appreciate all the time you've put into this.

If this thread stays open I'll update it with anything useful that the Sysinternal boys come up with.

Thanks

1

Thing is, fin, I have no way to trap these things on your sys... memory management will not place the pages at the same physical addresses each time they run. The launching process is not evident.
!!!!!!!!!!!Hidden driver: 00000102
Loaded from:
Address: 0x86F2328A
Size: 3446 bytes

==============================================
>Stealth

Unknown page with executable code
Address: 0x86F243CC
Size: 3124

Unknown page with executable code
Address: 0x86F2328A
Size: 3446

Unknown page with executable code
Address: 0x86F29143
Size: 3773

Try downloading and running GMER again:
==Download gmer.zip from http://www.majorgeeks.com/GMER_d5198.html ...or the exe from http://www.gmer.net/download.php - it will have some obscure name.
-dclick on gmer.zip and unzip the file to its own folder or to your desktop.
-disconnect from the Internet and close all running programs.
-dclick the .exe to start it; wait for the initial scan to complete [a few seconds]. Press the Copy button, open Notepad and paste into it.
-Then, if you did NOT get a warning at startup about rootkit activity, uncheck all drives but your systemdrive in the drives section; click the Scan button and wait for the scan to finish (do not use your computer during the scan); again press the Copy button, paste also into that Notepad.
-please post that log.

1

And a couple of other things you could do.. GMER originally put up a blue screen error of PFN_LST_CORRUPT... now that would have been caused by a driver [the rootkit?] accessing the page frame list incorrectly or trying to lock its physical memory range so that it stayed resident [exactly what error occurred would be indicated by the parameters given with the error code]. Run Driver Verifier with these settings:
Go Start, Run, and enter:
verifier
Ensure 'Create Standard Setting' is selected, hit next;
Click on 'Automatically select all drivers installed on this computer' and hit Finish;
Reboot.
And chatting with PP, it might be an idea to try TDSSKiller because of the prevalence recently of that rootkit type:
==Download tdsskiller from this link, save it to your desktop:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe -you may need to download it to a clean computer and then transfer it to the desktop using a USB flash drive.
Start TDSSKiller via this command, NOT the icon:
"%userprofile%\desktop\tdsskiller.exe" -l C:\tdssrpt.txt <==paste this into Start, Run...
- click Scan. If TDSSKiller finds a rootkit and prompts a Cure then press Continue [a reboot may be required]; press Continue also on Skip prompt. Do not delete or quarantine any files.
Post the log from C:\.

Edited by gerbil: n/a

0

Downloaded and ran gmer.

When it first ran I got the following (before I ran the scan):

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-08 07:40:28
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17 SAMSUNG_HD160JJ/P rev.ZM100-34
Running: p6je6kh4.exe; Driver: C:\DOCUME~1\nuala\LOCALS~1\Temp\awddapod.sys


---- Threads - GMER 1.0.15 ----

Thread System [4:124] 86F3053C
Thread System [4:128] 86F3252D

---- EOF - GMER 1.0.15 ----

_____________________________________________________________

I then initiated the scan and got the following:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-08 11:13:29
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17 SAMSUNG_HD160JJ/P rev.ZM100-34
Running: p6je6kh4.exe; Driver: C:\DOCUME~1\nuala\LOCALS~1\Temp\awddapod.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat 9FEA8D20

---- Threads - GMER 1.0.15 ----

Thread System [4:124] 86F3053C
Thread System [4:128] 86F3252D

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{B4502AD1-AF97-EC66-7D66-304FFAC0F1DB}\Ole1Class@ ViewerFrameClass
Reg HKLM\SOFTWARE\Classes\CLSID\{B4502AD1-AF97-EC66-7D66-304FFAC0F1DB}\ProgID@ ViewerFrameClass

---- EOF - GMER 1.0.15 ----

I'm going to give verifier a go next

Thanks

1

Fin, could you wander into registry and delete those two CLSIDs manually, please?
You could export them to your desktop first, and post them, if you would.
Next do a search for all instances of {B4502AD1-AF97-EC66-7D66-304FFAC0F1DB}, export the subkeys and post them also? Tah.

0

I think we've cracked it.

Tdsskiller found something and on reboot the machine is behaving itself. No extra instances of iexplore.exe and no iexplore error messages so far.

Here's the tdss log file. The important bit is right at the end.

2011/02/08 11:29:56.0546 2280 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03
2011/02/08 11:29:58.0562 2280 ================================================================================
2011/02/08 11:29:58.0562 2280 SystemInfo:
2011/02/08 11:29:58.0562 2280
2011/02/08 11:29:58.0562 2280 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/08 11:29:58.0562 2280 Product type: Workstation
2011/02/08 11:29:58.0562 2280 ComputerName: D177MG2J
2011/02/08 11:29:58.0562 2280 UserName: nuala
2011/02/08 11:29:58.0562 2280 Windows directory: C:\WINDOWS
2011/02/08 11:29:58.0562 2280 System windows directory: C:\WINDOWS
2011/02/08 11:29:58.0562 2280 Processor architecture: Intel x86
2011/02/08 11:29:58.0562 2280 Number of processors: 2
2011/02/08 11:29:58.0562 2280 Page size: 0x1000
2011/02/08 11:29:58.0562 2280 Boot type: Normal boot
2011/02/08 11:29:58.0562 2280 ================================================================================
2011/02/08 11:29:59.0484 2280 Initialize success
2011/02/08 11:30:15.0031 0804 ================================================================================
2011/02/08 11:30:15.0031 0804 Scan started
2011/02/08 11:30:15.0031 0804 Mode: Manual;
2011/02/08 11:30:15.0031 0804 ================================================================================
2011/02/08 11:30:16.0093 0804 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/02/08 11:30:16.0187 0804 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/08 11:30:16.0265 0804 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/02/08 11:30:16.0359 0804 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/02/08 11:30:16.0453 0804 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/02/08 11:30:16.0546 0804 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/02/08 11:30:16.0734 0804 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/02/08 11:30:16.0843 0804 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/02/08 11:30:16.0921 0804 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/02/08 11:30:17.0000 0804 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/02/08 11:30:17.0078 0804 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/02/08 11:30:17.0156 0804 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/02/08 11:30:17.0218 0804 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/02/08 11:30:17.0265 0804 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/02/08 11:30:17.0312 0804 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/02/08 11:30:17.0390 0804 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/02/08 11:30:17.0437 0804 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/02/08 11:30:17.0468 0804 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/02/08 11:30:17.0562 0804 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/08 11:30:17.0640 0804 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/08 11:30:17.0765 0804 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/08 11:30:17.0843 0804 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/08 11:30:17.0890 0804 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/08 11:30:18.0000 0804 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/02/08 11:30:18.0078 0804 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/08 11:30:18.0140 0804 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/02/08 11:30:18.0187 0804 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/08 11:30:18.0218 0804 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/08 11:30:18.0343 0804 cdrbsdrv (248349293ca42ee5db61dc1fd85a2f49) C:\WINDOWS\system32\drivers\cdrbsdrv.sys
2011/02/08 11:30:18.0765 0804 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/08 11:30:19.0140 0804 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/02/08 11:30:19.0203 0804 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/02/08 11:30:19.0296 0804 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/02/08 11:30:19.0343 0804 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/02/08 11:30:19.0406 0804 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/08 11:30:19.0484 0804 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/02/08 11:30:19.0562 0804 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/02/08 11:30:19.0609 0804 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/02/08 11:30:19.0671 0804 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/02/08 11:30:19.0734 0804 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/02/08 11:30:19.0765 0804 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/08 11:30:19.0859 0804 DSproct (2ac2372ffad9adc85672cc8e8ae14be9) C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys
2011/02/08 11:30:19.0921 0804 E100B (95974e66d3de4951d29e28e8bc0b644c) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/02/08 11:30:20.0000 0804 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/08 11:30:20.0078 0804 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/02/08 11:30:20.0140 0804 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/02/08 11:30:20.0187 0804 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/02/08 11:30:20.0234 0804 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/02/08 11:30:20.0312 0804 FsUsbExDisk (790a4ca68f44be35967b3df61f3e4675) C:\WINDOWS\system32\FsUsbExDisk.SYS
2011/02/08 11:30:20.0390 0804 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/08 11:30:20.0437 0804 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/08 11:30:20.0500 0804 GearAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/02/08 11:30:20.0656 0804 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/08 11:30:20.0718 0804 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/02/08 11:30:20.0765 0804 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/02/08 11:30:20.0843 0804 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/02/08 11:30:20.0906 0804 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
2011/02/08 11:30:20.0984 0804 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2011/02/08 11:30:21.0078 0804 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/08 11:30:21.0140 0804 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/02/08 11:30:21.0187 0804 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/02/08 11:30:21.0234 0804 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/02/08 11:30:21.0312 0804 ialm (5a8e05f1d5c36abd58cffa111eb325ea) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/02/08 11:30:21.0421 0804 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/08 11:30:21.0500 0804 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/02/08 11:30:21.0546 0804 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/02/08 11:30:21.0640 0804 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/02/08 11:30:21.0687 0804 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/02/08 11:30:21.0750 0804 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/08 11:30:21.0796 0804 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/08 11:30:21.0875 0804 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/08 11:30:29.0812 0804 VolSnap (7d6322d2567d94acf1e8c4b79ea1c880) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/08 11:30:29.0812 0804 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 7d6322d2567d94acf1e8c4b79ea1c880, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/02/08 11:30:29.0812 0804 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/02/08 11:30:30.0546 0804 ================================================================================
2011/02/08 11:30:30.0546 0804 Scan finished
2011/02/08 11:30:30.0546 0804 ================================================================================
2011/02/08 11:30:30.0578 0964 Detected object count: 1
2011/02/08 11:31:21.0484 0964 VolSnap (7d6322d2567d94acf1e8c4b79ea1c880) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/08 11:31:21.0484 0964 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 7d6322d2567d94acf1e8c4b79ea1c880, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/02/08 11:31:24.0421 0964 Backup copy found, using it..
2011/02/08 11:31:24.0484 0964 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot
2011/02/08 11:31:24.0484 0964 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure
2011/02/08 11:31:30.0765 2560 Deinitialize success

Edited by finmacul: n/a
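As an added example (not from the thread and not TDSSKiller's own code), a small Python parser for the log format above that pulls out only the forged-file notice, the detection and the chosen action, so a log this long can be triaged without reading every driver entry. The line shapes are inferred from the visible lines and are an assumption; the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample lines copied from the TDSSKiller log above: the enumeration entry,
# forged-file notice, detection and chosen action for VolSnap.
SAMPLE_LOG = r"""
2011/02/08 11:30:29.0812 0804 VolSnap (7d6322d2567d94acf1e8c4b79ea1c880) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/08 11:30:29.0812 0804 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 7d6322d2567d94acf1e8c4b79ea1c880, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/02/08 11:30:29.0812 0804 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/02/08 11:31:24.0484 0964 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure
"""
# Line shapes inferred from the visible log (date, time, thread id, message); an assumption, not a documented format.
DRIVER_RE = re.compile(r'^\S+ \S+ \S+ (\S+) \(([0-9a-f]{32})\) (\S.*)$')
FORGED_RE = re.compile(r'Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})')
DETECT_RE = re.compile(r'^\S+ \S+ \S+ (\S+) - detected (\S+)')
ACTION_RE = re.compile(r'^\S+ \S+ \S+ (\S+)\((\S+)\) - User select action: (\w+)')

@dataclass
class Finding:
    service: str
    path: str = ""
    real_md5: Optional[str] = None   # the two hashes as TDSSKiller reports them; a
    fake_md5: Optional[str] = None   # mismatch means the file's contents are being forged
    detection: Optional[str] = None  # e.g. Rootkit.Win32.TDSS.tdl3
    action: Optional[str] = None     # Cure / Skip / Delete, as chosen by the user

    @property
    def forged(self) -> bool:
        return self.real_md5 is not None and self.real_md5 != self.fake_md5

def parse_tdsskiller(log: str) -> dict[str, Finding]:
    """Findings keyed by service name; clean enumeration entries are not returned."""
    service_by_path: dict[str, str] = {}
    findings: dict[str, Finding] = {}
    for line in log.splitlines():
        if m := DRIVER_RE.match(line):
            service_by_path[m.group(3)] = m.group(1)
        elif m := FORGED_RE.search(line):
            path, real, fake = m.groups()
            # Fall back to the file stem if the enumeration line was not seen.
            service = service_by_path.get(path, path.rsplit('\\', 1)[-1].rsplit('.', 1)[0])
            f = findings.setdefault(service, Finding(service))
            f.path, f.real_md5, f.fake_md5 = path, real, fake
        elif m := DETECT_RE.match(line):
            findings.setdefault(m.group(1), Finding(m.group(1))).detection = m.group(2)
        elif m := ACTION_RE.match(line):
            name, service, action = m.groups()
            f = findings.setdefault(service, Finding(service))
            f.action, f.detection = action, f.detection or name
    return findings

def uncured(findings: dict[str, Finding]) -> list[str]:
    """Forged or detected services for which the user did not choose Cure."""
    return sorted(s for s, f in findings.items() if (f.forged or f.detection) and f.action != "Cure")
```

Anything `uncured` returns after a run is a driver that TDSSKiller flagged but that will still be there after the reboot, so it is the first thing to check on the next scan.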

0

Thanks Gerbil.

Verifier fell over during the reboot of tdsskiller with the following:

IO SYSTEM VERIFICATION ERROR in klmd.sys (WDM DRIVER ERROR 226)
[klmd.sys+9f74 at EBE20F74]

But on the next boot came up clean and so far so good.

I'll try to get rid of those 2 CLSIDs anyway, although they wouldn't delete at the first attempt.

Just a BTW. When I ran RootkitRevealer the other day, it created a logfile but the content was zero. Don't know what that was about.

Many thanks again for all your efforts. I was almost on the verge of a disk reformat.


0

Hi Gerbil again

Another BTW

Do you still want me to post those reg entries? When I open them in Notepad they are absolutely huge and are probably too big to post in one go.

0

Hi Gerbil. Been busy while you were asleep.

I ran Combofix as you suggested one more time and it blue screens during the scan with the following:

IO SYSTEM VERIFICATION ERROR in catchme.sys (WDM DRIVER ERROR 20e)
[catchme.sys+2fb6 at F77A9FB6]

I think catchme.sys is part of Combofix so I'm not sure that it's a problem.

TA

1

First off, those reg keys. If, as I suspect, one or more of them contain a huge list of hexadecimal code as data entries then I think it is safe to delete them - malware can load that data into memory. They are not registered/conforming CLSIDs anyway, merely invented.
klmd.sys has been subverted by the TDSS rootkit family on other systems, on so many systems that I cannot ascertain by search what its function is... it is not on my XP-SP3 sys. For the time being, rename it to system32/drivers/0000klmd.sys.bak.
catchme is a part of combofix; combofix jamming is a cause for alarm, as it is being targeted. Try updating malwarebytes and scanning with it, see if it can catch any newly exposed files, then attempt combofix again.
If a CLSID refuses to delete then rclick it, go Permissions and take control, then whack it.
"Many thanks again for all you efforts. I was almost on the verge of a disk reformat."... apart from that, it is always nice to wring the neck of some malware. Writers are pouring effort into it, a lot of money is involved now. And thanks to you for hanging on, for fighting; it is frustrating but understandable when some folks give up and reformat... we learn little from that, but there are some utterly destructive viruses that leave no option - their aim is malicious damage, the aim of this stuff is theft and control.
Mind-boggling stuff:
0x20E Non-fatal A PNP IRP has an invalid status. (Any PNP IRP must have its status initialized to STATUS_NOT_SUPPORTED.) (IRP specified.)
0x226 Fatal An IRP dispatch handler has returned without passing down or completing this IRP, or someone forgot to return STATUS_PENDING (IRP specified.)

Edited by gerbil: n/a

0

Hi All, especially Gerbil. It looks like we can chalk this one up. PC is clean as a whistle and working normally. Thanks to all who contributed to this thread.

Edited by finmacul: n/a
