Please help me get rid of this Rootkit!
Started by
akwit
, Nov 17 2011 06:07 PM
-
This topic is locked
#16
Posted 21 November 2011 - 01:49 PM
maliprog
-
- Malware Removal
-
- 6,172 posts
Trusted Helper
#17
Posted 21 November 2011 - 02:12 PM
akwit
- Topic Starter
-
- Member
-
- 20 posts
Member
If you can leave it over night. It's the best way. It takes some time to finish.
I think I am going to have to restart the scan later tonight.
Its completely sapping all of my power and I need to use my computer for work.
Also, it keeps sending me notifications on what to do with various threats (to "skip" or "delete").
What should i be doing with these?
And...the whole thing just froze on me a couple of minutes ago when I clicked on "skip" and now the program isnt responding.
Shoot me please and take me out of my misery.
#18
Posted 21 November 2011 - 02:17 PM
maliprog
-
- Malware Removal
-
- 6,172 posts
Trusted Helper
I would like you to do this scan. You don't have to do it tonight. You can start it tomorrow.
Please delete all malware VRT found. That way we wont have any leftovers on your system.
I won't shoot you now....leaving it for later
Please delete all malware VRT found. That way we wont have any leftovers on your system.
I won't shoot you now....leaving it for later
#19
Posted 21 November 2011 - 02:26 PM
akwit
- Topic Starter
-
- Member
-
- 20 posts
Member
So you want me to delete even when it "recommends" that I skip?
Just making sure...
Just making sure...
#20
Posted 21 November 2011 - 03:17 PM
maliprog
-
- Malware Removal
-
- 6,172 posts
Trusted Helper
If it recommends Skip then skip it. To short it do what VRT suggests. I'll see all this in log and tell you what we'll do after the scan.
#21
Posted 21 November 2011 - 03:22 PM
akwit
- Topic Starter
-
- Member
-
- 20 posts
Member
Will do.
You know whats amazing about this Virus? It keeps starting Internet Explorer but doesnt actually open up an IE windows.
I now go into my Task Mgr every hour or so to end the IE process (which if left unattended begins to use more and more memory over time...)
You know whats amazing about this Virus? It keeps starting Internet Explorer but doesnt actually open up an IE windows.
I now go into my Task Mgr every hour or so to end the IE process (which if left unattended begins to use more and more memory over time...)
#22
Posted 21 November 2011 - 11:56 PM
akwit
- Topic Starter
-
- Member
-
- 20 posts
Member
If it recommends Skip then skip it. To short it do what VRT suggests. I'll see all this in log and tell you what we'll do after the scan.
Maliprog-things are not going well.
It seems the longer I let my computer run, the worse things get.
I let Kaspersky run for almost 6 hours and then I started getting all these fake virus messages and then one screen came up with my passwords to websites on it!!! And it said if i didnt clcik yes, the virus was going to send these passwords out! What the...!
Also, it was preventing me from opening my Task Manager, it will (presently) NOT let me turn on my firewall and it seems to be playing with desktop ICONS. I swear, it feels like my computer is possessed. I kept getting these requests from my computer to allow "iexplore.exe" to run and, I keep noticing that Internet Explorer keep opening in my Task Mgr even though I never open it.
I found out where this thing was located (in appdata/roaming)-there all sorts of wacky titled folders in this folder. So i ran a bunch of diff anti-virus programs to just scan this folder and Malwarebytes found a slew of trojans and other crap. I removed it all and things seemed to have calmed down a bit, but I doubt I have gotten rid of the root.
So, I tried running Kaspersky again and it shut down my computer in the middle of the scan!
I am also still getting redirected.
Is there anything else we can do other than running this 24 hour scan?
Im sorry this has been such a tedious war but I am desperate for some help here...
Thanks again.
EDIT-one last thing, sometimes my CPU will just run up to 90%+ usage so I check the Task Mgr and I see "TCP/IP PING.exe" there, so I end the process. Sometimes it wont let me end it; it says that my access is denied.
Edited by akwit, 21 November 2011 - 11:59 PM.
#23
Posted 22 November 2011 - 12:16 AM
maliprog
-
- Malware Removal
-
- 6,172 posts
Trusted Helper
OK. Leave VRT for now. Let's check something.
Do the following:
Please adjust columns so I can see as much as possible informations in there.
To do print screen follow these steps:
Do the following:
- Click on the Start button and then choose Control Panel.
- Click on the System and Security link.
Note: If you're viewing the Large icons or Small icons view of Control Panel, you won't see this link so just click on the Administrative Tools icon and skip to Step 4. - In the System and Security window, click on the Administrative Tools heading located near the bottom of the window.
- In the Administrative Tools window, double-click on the Computer Management icon.
- When Computer Management opens, click on Disk Management on the left side of the window, located under Storage.
After a brief loading period, Disk Management should now appear on the right side of the Computer Management window.
Note: If you don't see Disk Management listed, you may need to click on the |> icon to the left of the Storage icon.
Please adjust columns so I can see as much as possible informations in there.
To do print screen follow these steps:
- Press Alt and Print Screen button on your keyboard
- Open Paint program
- From the menu choose Edit then Paste
- Now save the picture and attach it here for me.
#24
Posted 22 November 2011 - 09:46 AM
akwit
- Topic Starter
-
- Member
-
- 20 posts
Member
Here you go.
By the way, I tried running VRT again last night and I think it went for about 4 hours but when I woke up this morning and checked, my computer had shut down again.
There is an alert saying "windows has recovered from an unexpected shutdown".
Also, there are about 5 User Account Control boxes in my tray (whihc you can see on the attachment) all from VRT asking me if I want to allow it to make changes to my computer. Finally there are an equal amount of "uninst" boxes to the left of them.
EDIT: so I opened one of the VRT requests on the bottom and it found a bunch of Trojans and one HEUS Virus (which I think it found in Symantec's quarantine) but it also said that it had to close unexpectedly. So I deletd the Trojans and Quarantines the Virus (recommended ) and I saved the reports it made and pasted them below:
Finally, this PING virus is what killing my CPU. If I leave it unattended it will ultimately use up 100% of my cpue. I think im on a botnet and I am guessing they have access to my computer since my Firewall is down?
VRT Report 1:
Status: Deleted (events: 8)
11/22/2011 1:47:43 AM Deleted Trojan program Trojan-FakeAV.Win32.OpenCloud.ap C:\Documents and Settings\All Users\Microsoft\Windows Defender\LocalCopy\{58F87597-8D47-EFE7-CE29-88FA98D4F10E}-B9FA9.exe High
11/22/2011 1:47:43 AM Deleted Trojan program Trojan-FakeAV.Win32.OpenCloud.ap C:\Documents and Settings\All Users\Microsoft\Windows Defender\LocalCopy\{58F87597-8D47-EFE7-CE29-88FA98D4F10E}-B9FA9.exe//PE-Crypt.XorPE High
11/22/2011 1:47:44 AM Deleted Trojan program Trojan.Win32.Jorik.Gbot.sca C:\Documents and Settings\All Users\Microsoft\Windows Defender\LocalCopy\{5CF90356-50A7-4B7A-8FAA-18EAF9149EB1}-lvvm.exe High
11/22/2011 1:47:44 AM Deleted Trojan program Trojan.Win32.Jorik.Gbot.sca C:\Documents and Settings\All Users\Microsoft\Windows Defender\LocalCopy\{5CF90356-50A7-4B7A-8FAA-18EAF9149EB1}-lvvm.exe//PE-Crypt.XorPE High
11/22/2011 10:54:02 AM Deleted Trojan program Trojan.Win32.Jorik.Gbot.saz C:\Documents and Settings\All Users\Microsoft\Windows Defender\LocalCopy\{9885B352-629E-E6A6-F324-E4B9DD364BE9}-4E8.exe//PE-Crypt.XorPE High
11/22/2011 10:54:19 AM Deleted Trojan program Trojan-FakeAV.Win32.OpenCloud.ap C:\Documents and Settings\All Users\Microsoft\Windows Defender\LocalCopy\{CE3DFC74-8418-7640-FE37-BDC9D2A46A20}-B9FA9.exe//PE-Crypt.XorPE High
11/22/2011 10:54:02 AM Deleted Trojan program Trojan.Win32.Jorik.Gbot.saz C:\Documents and Settings\All Users\Microsoft\Windows Defender\LocalCopy\{9885B352-629E-E6A6-F324-E4B9DD364BE9}-4E8.exe High
11/22/2011 10:54:19 AM Deleted Trojan program Trojan-FakeAV.Win32.OpenCloud.ap C:\Documents and Settings\All Users\Microsoft\Windows Defender\LocalCopy\{CE3DFC74-8418-7640-FE37-BDC9D2A46A20}-B9FA9.exe High
Status: Absent (events: 1)
11/22/2011 10:54:19 AM Not found Trojan program Trojan.Win32.Jorik.Gbot.sca C:\Documents and Settings\All Users\Microsoft\Windows Defender\LocalCopy\{1F40C597-FE46-14A1-12E6-115353D6BF93}-lvvm.exe//PE-Crypt.XorPE High
VRT Report 2:
Status: Quarantined (events: 1)
11/21/2011 11:09:21 PM Quarantined unknown threat UDS:DangerousObject.Multi.Generic C:\Users\Avi\AppData\Roaming\Microsoft\A9E4\4E8.exe High
Status: Detected (events: 1)
11/22/2011 12:19:34 AM Detected virus HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\Symantec\Symantec Endpoint Protection\Quarantine\0DEC0000\4FEEFCB3.VBN//CryptZ High
By the way, I tried running VRT again last night and I think it went for about 4 hours but when I woke up this morning and checked, my computer had shut down again.
There is an alert saying "windows has recovered from an unexpected shutdown".
Also, there are about 5 User Account Control boxes in my tray (whihc you can see on the attachment) all from VRT asking me if I want to allow it to make changes to my computer. Finally there are an equal amount of "uninst" boxes to the left of them.
EDIT: so I opened one of the VRT requests on the bottom and it found a bunch of Trojans and one HEUS Virus (which I think it found in Symantec's quarantine) but it also said that it had to close unexpectedly. So I deletd the Trojans and Quarantines the Virus (recommended ) and I saved the reports it made and pasted them below:
Finally, this PING virus is what killing my CPU. If I leave it unattended it will ultimately use up 100% of my cpue. I think im on a botnet and I am guessing they have access to my computer since my Firewall is down?
VRT Report 1:
Status: Deleted (events: 8)
11/22/2011 1:47:43 AM Deleted Trojan program Trojan-FakeAV.Win32.OpenCloud.ap C:\Documents and Settings\All Users\Microsoft\Windows Defender\LocalCopy\{58F87597-8D47-EFE7-CE29-88FA98D4F10E}-B9FA9.exe High
11/22/2011 1:47:43 AM Deleted Trojan program Trojan-FakeAV.Win32.OpenCloud.ap C:\Documents and Settings\All Users\Microsoft\Windows Defender\LocalCopy\{58F87597-8D47-EFE7-CE29-88FA98D4F10E}-B9FA9.exe//PE-Crypt.XorPE High
11/22/2011 1:47:44 AM Deleted Trojan program Trojan.Win32.Jorik.Gbot.sca C:\Documents and Settings\All Users\Microsoft\Windows Defender\LocalCopy\{5CF90356-50A7-4B7A-8FAA-18EAF9149EB1}-lvvm.exe High
11/22/2011 1:47:44 AM Deleted Trojan program Trojan.Win32.Jorik.Gbot.sca C:\Documents and Settings\All Users\Microsoft\Windows Defender\LocalCopy\{5CF90356-50A7-4B7A-8FAA-18EAF9149EB1}-lvvm.exe//PE-Crypt.XorPE High
11/22/2011 10:54:02 AM Deleted Trojan program Trojan.Win32.Jorik.Gbot.saz C:\Documents and Settings\All Users\Microsoft\Windows Defender\LocalCopy\{9885B352-629E-E6A6-F324-E4B9DD364BE9}-4E8.exe//PE-Crypt.XorPE High
11/22/2011 10:54:19 AM Deleted Trojan program Trojan-FakeAV.Win32.OpenCloud.ap C:\Documents and Settings\All Users\Microsoft\Windows Defender\LocalCopy\{CE3DFC74-8418-7640-FE37-BDC9D2A46A20}-B9FA9.exe//PE-Crypt.XorPE High
11/22/2011 10:54:02 AM Deleted Trojan program Trojan.Win32.Jorik.Gbot.saz C:\Documents and Settings\All Users\Microsoft\Windows Defender\LocalCopy\{9885B352-629E-E6A6-F324-E4B9DD364BE9}-4E8.exe High
11/22/2011 10:54:19 AM Deleted Trojan program Trojan-FakeAV.Win32.OpenCloud.ap C:\Documents and Settings\All Users\Microsoft\Windows Defender\LocalCopy\{CE3DFC74-8418-7640-FE37-BDC9D2A46A20}-B9FA9.exe High
Status: Absent (events: 1)
11/22/2011 10:54:19 AM Not found Trojan program Trojan.Win32.Jorik.Gbot.sca C:\Documents and Settings\All Users\Microsoft\Windows Defender\LocalCopy\{1F40C597-FE46-14A1-12E6-115353D6BF93}-lvvm.exe//PE-Crypt.XorPE High
VRT Report 2:
Status: Quarantined (events: 1)
11/21/2011 11:09:21 PM Quarantined unknown threat UDS:DangerousObject.Multi.Generic C:\Users\Avi\AppData\Roaming\Microsoft\A9E4\4E8.exe High
Status: Detected (events: 1)
11/22/2011 12:19:34 AM Detected virus HEUR:Trojan.Win32.Generic C:\Documents and Settings\All Users\Symantec\Symantec Endpoint Protection\Quarantine\0DEC0000\4FEEFCB3.VBN//CryptZ High
Attached Thumbnails
Edited by akwit, 22 November 2011 - 10:27 AM.
#25
Posted 22 November 2011 - 10:47 AM
maliprog
-
- Malware Removal
-
- 6,172 posts
Trusted Helper
Can you do MBRCheck scan as I described before and post that log.
#26
Posted 22 November 2011 - 11:03 AM
akwit
- Topic Starter
-
- Member
-
- 20 posts
Member
Can you do MBRCheck scan as I described before and post that log.
It wont let me open it.
I tried renaming it and changing the file extension; no luck.
Should I try in Safe Mode?
#27
Posted 22 November 2011 - 11:08 AM
maliprog
-
- Malware Removal
-
- 6,172 posts
Trusted Helper
Let's try Safe mode. If you manage to run it post log here for me. Also try to run aswMBR in safe mode.
#28
Posted 22 November 2011 - 11:15 AM
akwit
- Topic Starter
-
- Member
-
- 20 posts
Member
MBRcheck worked in regular mode. Infection was found: (Ill run the other one now in Safe and get back to you).
MBRCheck, version 1.2.3
© 2010, AD
Command-line:
Windows Version: Windows 7 Enterprise Edition
Windows Information: Service Pack 1 (build 7601), 32-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Latitude E6400
Logical Drives Mask: 0x0000001c
Kernel Drivers (total 240):
0x83444000 \SystemRoot\system32\ntkrnlpa.exe
0x8340D000 \SystemRoot\system32\halmacpi.dll
0x80BD3000 \SystemRoot\system32\kdcom.dll
0x83A04000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x83A89000 \SystemRoot\system32\PSHED.dll
0x83A9A000 \SystemRoot\system32\BOOTVID.dll
0x83AA2000 \SystemRoot\system32\CLFS.SYS
0x83AE4000 \SystemRoot\system32\CI.dll
0x8E617000 \SystemRoot\system32\DRIVERS\54352532.sys
0x8EB39000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8EBAA000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x83D05000 \SystemRoot\System32\Drivers\WMILIB.SYS
0x83D0E000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0x83D34000 \SystemRoot\system32\drivers\ACPI.sys
0x83D7C000 \SystemRoot\system32\drivers\msisadrv.sys
0x83D84000 \SystemRoot\system32\drivers\vdrvroot.sys
0x83D8F000 \SystemRoot\system32\drivers\pci.sys
0x83DB9000 \SystemRoot\System32\drivers\partmgr.sys
0x83DCA000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x83DD2000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x83DDD000 \SystemRoot\system32\drivers\volmgr.sys
0x83B8F000 \SystemRoot\System32\drivers\volmgrx.sys
0x83C00000 \SystemRoot\System32\drivers\mountmgr.sys
0x8EBB8000 \SystemRoot\system32\drivers\vmbus.sys
0x83DED000 \SystemRoot\system32\drivers\winhv.sys
0x83E3B000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x83FF0000 \SystemRoot\system32\drivers\atapi.sys
0x83E00000 \SystemRoot\system32\drivers\ataport.SYS
0x83E23000 \SystemRoot\system32\drivers\msahci.sys
0x83E2D000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x8EBE2000 \SystemRoot\system32\drivers\amdxata.sys
0x84A0B000 \SystemRoot\system32\drivers\fltmgr.sys
0x84A3F000 \SystemRoot\system32\drivers\fileinfo.sys
0x84A50000 \SystemRoot\System32\Drivers\Ntfs.sys
0x84B7F000 \SystemRoot\System32\Drivers\msrpc.sys
0x84BAA000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8EC31000 \SystemRoot\System32\Drivers\cng.sys
0x8EC8E000 \SystemRoot\System32\drivers\pcw.sys
0x8EC9C000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x8ECA5000 \SystemRoot\system32\drivers\ndis.sys
0x8ED5C000 \SystemRoot\system32\drivers\NETIO.SYS
0x8ED9A000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x8EE0D000 \SystemRoot\System32\drivers\tcpip.sys
0x8EF57000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8EF88000 \SystemRoot\system32\drivers\vmstorfl.sys
0x8EF91000 \SystemRoot\system32\drivers\volsnap.sys
0x8EFD0000 \SystemRoot\System32\Drivers\spldr.sys
0x8EDBF000 \SystemRoot\System32\drivers\rdyboost.sys
0x8EFD8000 \SystemRoot\system32\DRIVERS\PBADRV.sys
0x8EFE3000 \SystemRoot\System32\Drivers\mup.sys
0x8EFF3000 \SystemRoot\System32\drivers\hwpolicy.sys
0x84BBD000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x8EDEC000 \SystemRoot\system32\DRIVERS\disk.sys
0x8EC00000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x8F02F000 \SystemRoot\system32\DRIVERS\89707509.sys
0x8F60B000 \SystemRoot\system32\DRIVERS\73486241.sys
0x8FC1A000 \SystemRoot\system32\DRIVERS\60143796.sys
0x90149000 \SystemRoot\system32\DRIVERS\dtsoftbus01.sys
0x94FCE000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x90186000 \SystemRoot\System32\Drivers\SRTSP.SYS
0x99034000 \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20111121.020\NAVEX15.SYS
0x991B4000 \??\C:\Windows\system32\Drivers\SYMEVENT.SYS
0x991D9000 \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20111121.020\NAVENG.SYS
0x991ED000 \SystemRoot\System32\Drivers\SRTSPX.SYS
0x991F7000 \SystemRoot\System32\Drivers\Null.SYS
0x99000000 \SystemRoot\System32\Drivers\Beep.SYS
0x99007000 \SystemRoot\System32\drivers\vga.sys
0x99013000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x94FED000 \SystemRoot\System32\drivers\watchdog.sys
0x94E00000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x901D0000 \SystemRoot\system32\drivers\rdpencdd.sys
0x901D8000 \SystemRoot\system32\drivers\rdprefmp.sys
0x901E0000 \SystemRoot\System32\Drivers\Msfs.SYS
0x901EB000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8FC00000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8FB2D000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8FB39000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0x8FB67000 \SystemRoot\system32\drivers\afd.sys
0x8FBC1000 \SystemRoot\System32\DRIVERS\netbt.sys
0x901F9000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x8F551000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8F570000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x8F581000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8F5A9000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8F5BC000 \SystemRoot\system32\drivers\termdd.sys
0x83C16000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
0x8F5CD000 \??\C:\Users\Avi\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS
0x94FFA000 \??\C:\Users\Avi\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS
0x83C80000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8FBF3000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8F600000 \SystemRoot\system32\drivers\mssmbios.sys
0x8F5EF000 \??\C:\Windows\system32\drivers\fanio.sys
0xA3C0A000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA3C68000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xA3C86000 \SystemRoot\System32\drivers\discache.sys
0xA3C92000 \SystemRoot\system32\drivers\csc.sys
0xA3D0F000 \SystemRoot\System32\Drivers\dfsc.sys
0xA3D27000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0xA3D35000 \SystemRoot\system32\DRIVERS\tunnel.sys
0xA4A0C000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0xA532C000 \SystemRoot\System32\drivers\dxgkrnl.sys
0xA3D56000 \SystemRoot\System32\drivers\dxgmms1.sys
0xA3D8F000 \SystemRoot\system32\DRIVERS\e1y6232.sys
0xA53E3000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xA5425000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xA5470000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xA547F000 \SystemRoot\system32\drivers\HDAudBus.sys
0xA5624000 \SystemRoot\system32\DRIVERS\NETwNs32.sys
0xA5CF1000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0xA5CFB000 \SystemRoot\system32\drivers\1394ohci.sys
0xA5D28000 \SystemRoot\system32\drivers\sdbus.sys
0xA5D41000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xA5D49000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xA5D61000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0xA5DAA000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xA5DB7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xA5DCE000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xA5DD4000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xA5DD8000 \SystemRoot\system32\drivers\wmiacpi.sys
0xA5DE1000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xA5DF3000 \SystemRoot\system32\drivers\CompositeBus.sys
0xA5600000 \SystemRoot\System32\Drivers\RootMdm.sys
0xA5608000 \SystemRoot\system32\drivers\modem.sys
0xA549E000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0xA54B0000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xA5615000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xA54C8000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xA54EA000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xA5502000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xA5519000 \SystemRoot\system32\DRIVERS\rassstp.sys
0xA5530000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xA5537000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0xA5620000 \SystemRoot\system32\drivers\swenum.sys
0xA5541000 \SystemRoot\system32\drivers\ks.sys
0xA5575000 \SystemRoot\system32\drivers\umbus.sys
0xA5583000 \SystemRoot\system32\DRIVERS\bpenum.sys
0xA55B6000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x82A0C000 \SystemRoot\system32\drivers\HdAudio.sys
0x82A5C000 \SystemRoot\system32\drivers\portcls.sys
0x82A8B000 \SystemRoot\system32\drivers\drmk.sys
0x82AA4000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x82D40000 \SystemRoot\System32\win32k.sys
0x82AB5000 \SystemRoot\System32\drivers\Dxapi.sys
0x82ABF000 \SystemRoot\System32\Drivers\crashdmp.sys
0x94E08000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x82ACC000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x82ADD000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x82AF4000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x82AF6000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x82B01000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x82B14000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x82B1B000 \SystemRoot\System32\Drivers\LEqdUsb.Sys
0x82B24000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x82B30000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x82B3B000 \SystemRoot\System32\Drivers\LHidEqd.Sys
0x82B3C000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0x82B44000 \SystemRoot\System32\Drivers\bpusb.sys
0x82B59000 \SystemRoot\system32\DRIVERS\monitor.sys
0x82FA0000 \SystemRoot\System32\TSDDD.dll
0x82FD0000 \SystemRoot\System32\cdd.dll
0x82B64000 \SystemRoot\system32\DRIVERS\bpmp.sys
0x82B8C000 \SystemRoot\System32\Drivers\cvusbdrv.sys
0x82B98000 \SystemRoot\system32\DRIVERS\OA001Vid.sys
0x82BDC000 \SystemRoot\system32\DRIVERS\OA001Ufd.sys
0x82C00000 \SystemRoot\System32\ATMFD.DLL
0xA5400000 \SystemRoot\system32\drivers\luafv.sys
0xA3DC9000 \SystemRoot\system32\drivers\WudfPf.sys
0xA53EE000 \SystemRoot\system32\DRIVERS\usbscan.sys
0x82A00000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xA3DE3000 \SystemRoot\system32\drivers\usbaudio.sys
0xA5DC4000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0xA541B000 \SystemRoot\system32\drivers\WinUSB.sys
0x8F000000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0xA4A00000 \SystemRoot\System32\DRIVERS\scfilter.sys
0xA3DF7000 \SystemRoot\system32\DRIVERS\acpials.sys
0x94FBD000 \SystemRoot\system32\DRIVERS\lltdio.sys
0xAE41E000 \SystemRoot\system32\DRIVERS\nwifi.sys
0xAE464000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAE474000 \SystemRoot\system32\DRIVERS\pnarp.sys
0xAE47E000 \SystemRoot\system32\DRIVERS\purendis.sys
0xAE488000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xAE49B000 \SystemRoot\system32\drivers\HTTP.sys
0xAE520000 \SystemRoot\system32\DRIVERS\bowser.sys
0xAE54B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAE56E000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xAE5A9000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xC5C13000 \SystemRoot\system32\drivers\peauth.sys
0xC5CAA000 \SystemRoot\System32\Drivers\secdrv.SYS
0xC5CB4000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xC5CD5000 \??\C:\Windows\system32\Drivers\SSPORT.sys
0xC5CDC000 \SystemRoot\System32\drivers\tcpipreg.sys
0xC5CE9000 \SystemRoot\system32\WinFLdrv.sys
0xC5CF1000 \SystemRoot\System32\DRIVERS\srv2.sys
0xC5D41000 \SystemRoot\system32\DRIVERS\vwifimp.sys
0xC5D4A000 \SystemRoot\System32\DRIVERS\srv.sys
0xC5D9C000 \??\C:\Program Files\ThrottleStop\WinRing0.sys
0xD0677000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xD0680000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
0xD06F0000 \SystemRoot\system32\DRIVERS\4856140drv.sys
0xF1C23000 \SystemRoot\system32\DRIVERS\85758208.sys
0xF2145000 \SystemRoot\system32\DRIVERS\8429222drv.sys
0x76F20000 \Windows\System32\ntdll.dll
0x47720000 \Windows\System32\smss.exe
0x77160000 \Windows\System32\apisetschema.dll
0x00770000 \Windows\System32\autochk.exe
0x77110000 \Windows\System32\ws2_32.dll
0x77060000 \Windows\System32\msvcrt.dll
0x76EF0000 \Windows\System32\imagehlp.dll
0x76EE0000 \Windows\System32\nsi.dll
0x76DC0000 \Windows\System32\wininet.dll
0x76D70000 \Windows\System32\gdi32.dll
0x76D20000 \Windows\System32\Wldap32.dll
0x76C40000 \Windows\System32\kernel32.dll
0x76BB0000 \Windows\System32\clbcatq.dll
0x76B90000 \Windows\System32\sechost.dll
0x76AC0000 \Windows\System32\msctf.dll
0x76A40000 \Windows\System32\comdlg32.dll
0x768E0000 \Windows\System32\ole32.dll
0x76740000 \Windows\System32\setupapi.dll
0x766E0000 \Windows\System32\difxapi.dll
0x765D0000 \Windows\System32\urlmon.dll
0x76520000 \Windows\System32\rpcrt4.dll
0x76510000 \Windows\System32\normaliz.dll
0x76470000 \Windows\System32\advapi32.dll
0x76460000 \Windows\System32\lpk.dll
0x75810000 \Windows\System32\shell32.dll
0x757B0000 \Windows\System32\shlwapi.dll
0x755F0000 \Windows\System32\iertutil.dll
0x755E0000 \Windows\System32\psapi.dll
0x755C0000 \Windows\System32\imm32.dll
0x754F0000 \Windows\System32\user32.dll
0x75460000 \Windows\System32\oleaut32.dll
0x753C0000 \Windows\System32\usp10.dll
0x752A0000 \Windows\System32\crypt32.dll
0x75270000 \Windows\System32\cfgmgr32.dll
0x75220000 \Windows\System32\KernelBase.dll
0x75190000 \Windows\System32\comctl32.dll
0x75170000 \Windows\System32\devobj.dll
0x75140000 \Windows\System32\wintrust.dll
0x75130000 \Windows\System32\msasn1.dll
Processes (total 95):
0 System Idle Process
4 System
328 C:\Windows\System32\smss.exe
432 csrss.exe
484 csrss.exe
492 C:\Windows\System32\wininit.exe
544 C:\Windows\System32\services.exe
584 C:\Windows\System32\lsass.exe
596 C:\Windows\System32\lsm.exe
604 C:\Windows\System32\winlogon.exe
720 C:\Windows\System32\svchost.exe
776 C:\Windows\System32\nvvsvc.exe
816 C:\Windows\System32\svchost.exe
868 C:\Windows\System32\svchost.exe
956 C:\Windows\System32\svchost.exe
1004 C:\Windows\System32\svchost.exe
1164 C:\Windows\System32\svchost.exe
1264 C:\Windows\System32\nvvsvc.exe
1296 WUDFHost.exe
1340 WUDFHost.exe
1392 C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
1492 C:\Windows\System32\svchost.exe
1612 C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
1620 C:\Windows\System32\wlanext.exe
1632 C:\Windows\System32\conhost.exe
1956 C:\Windows\System32\spoolsv.exe
2004 C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
2028 C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
360 C:\Windows\System32\svchost.exe
532 C:\Windows\System32\svchost.exe
384 C:\Windows\System32\taskeng.exe
1076 C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
1484 C:\Program Files\ThrottleStop\ThrottleStop.exe
1548 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2044 C:\Program Files\Bonjour\mDNSResponder.exe
2068 C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
2168 C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
2252 C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
2296 C:\Windows\System32\java.exe
2304 C:\Windows\System32\conhost.exe
2388 C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
2476 C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
2592 C:\Program Files\Dell\Ambient Light Sensor\AlsSvc.exe
2744 WmiPrvSE.exe
2852 C:\Program Files\Intel\WiFi\bin\EvtEng.exe
2892 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
3032 C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
3312 unsecapp.exe
256 C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
3916 C:\Windows\System32\svchost.exe
656 C:\Windows\System32\SearchIndexer.exe
3868 C:\Windows\System32\taskhost.exe
1856 C:\Windows\System32\dwm.exe
728 C:\Windows\explorer.exe
508 C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
4248 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
4256 C:\Program Files\DellTPad\Apoint.exe
4296 C:\Windows\System32\rundll32.exe
4304 C:\Program Files\Logitech\SetPointP\SetPoint.exe
4320 C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
4328 C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
4464 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
4532 C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe
4548 C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
4720 C:\Program Files\Common Files\Logishrd\KHAL3\KHALMNPR.exe
4980 C:\Program Files\iTunes\iTunesHelper.exe
5084 C:\Windows\System32\hkcmd.exe
5100 C:\Windows\System32\igfxpers.exe
5128 C:\Program Files\Windows Sidebar\sidebar.exe
5184 C:\Program Files\I8kfanGUI\I8kfanGUI.exe
5224 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
5316 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
5356 C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
5720 C:\Program Files\DellTPad\ApMsgFwd.exe
5756 C:\Program Files\DellTPad\hidfind.exe
5768 C:\Program Files\DellTPad\ApntEx.exe
5784 C:\Windows\System32\conhost.exe
5852 C:\Program Files\iPod\bin\iPodService.exe
5048 C:\Windows\System32\wuauclt.exe
4360 C:\Program Files\Mozilla Firefox\firefox.exe
4652 C:\Program Files\Mozilla Firefox\plugin-container.exe
4600 C:\Windows\System32\svchost.exe
7632 C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
7608 C:\Windows\System32\taskmgr.exe
1208 C:\Windows\System32\svchost.exe
7092 C:\Windows\system\svchost.exe
7676 C:\Program Files\Internet Explorer\iexplore.exe
2860 C:\Windows\System32\SearchProtocolHost.exe
6972 C:\Windows\System32\SearchFilterHost.exe
5140 C:\Windows\System32\SearchProtocolHost.exe
3600 C:\Windows\System32\audiodg.exe
2972 dllhost.exe
6592 dllhost.exe
7288 C:\Users\Avi\Desktop\MBRCheck.exe
6828 C:\Windows\System32\conhost.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)
PhysicalDrive0 Model Number: WDCWD5000BEVT-00ZAT0, Rev: 01.01A01
Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
Enter your choice:
MBRCheck, version 1.2.3
© 2010, AD
Command-line:
Windows Version: Windows 7 Enterprise Edition
Windows Information: Service Pack 1 (build 7601), 32-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Latitude E6400
Logical Drives Mask: 0x0000001c
Kernel Drivers (total 240):
0x83444000 \SystemRoot\system32\ntkrnlpa.exe
0x8340D000 \SystemRoot\system32\halmacpi.dll
0x80BD3000 \SystemRoot\system32\kdcom.dll
0x83A04000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x83A89000 \SystemRoot\system32\PSHED.dll
0x83A9A000 \SystemRoot\system32\BOOTVID.dll
0x83AA2000 \SystemRoot\system32\CLFS.SYS
0x83AE4000 \SystemRoot\system32\CI.dll
0x8E617000 \SystemRoot\system32\DRIVERS\54352532.sys
0x8EB39000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8EBAA000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x83D05000 \SystemRoot\System32\Drivers\WMILIB.SYS
0x83D0E000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0x83D34000 \SystemRoot\system32\drivers\ACPI.sys
0x83D7C000 \SystemRoot\system32\drivers\msisadrv.sys
0x83D84000 \SystemRoot\system32\drivers\vdrvroot.sys
0x83D8F000 \SystemRoot\system32\drivers\pci.sys
0x83DB9000 \SystemRoot\System32\drivers\partmgr.sys
0x83DCA000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x83DD2000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x83DDD000 \SystemRoot\system32\drivers\volmgr.sys
0x83B8F000 \SystemRoot\System32\drivers\volmgrx.sys
0x83C00000 \SystemRoot\System32\drivers\mountmgr.sys
0x8EBB8000 \SystemRoot\system32\drivers\vmbus.sys
0x83DED000 \SystemRoot\system32\drivers\winhv.sys
0x83E3B000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x83FF0000 \SystemRoot\system32\drivers\atapi.sys
0x83E00000 \SystemRoot\system32\drivers\ataport.SYS
0x83E23000 \SystemRoot\system32\drivers\msahci.sys
0x83E2D000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x8EBE2000 \SystemRoot\system32\drivers\amdxata.sys
0x84A0B000 \SystemRoot\system32\drivers\fltmgr.sys
0x84A3F000 \SystemRoot\system32\drivers\fileinfo.sys
0x84A50000 \SystemRoot\System32\Drivers\Ntfs.sys
0x84B7F000 \SystemRoot\System32\Drivers\msrpc.sys
0x84BAA000 \SystemRoot\System32\Drivers\ksecdd.sys
0x8EC31000 \SystemRoot\System32\Drivers\cng.sys
0x8EC8E000 \SystemRoot\System32\drivers\pcw.sys
0x8EC9C000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x8ECA5000 \SystemRoot\system32\drivers\ndis.sys
0x8ED5C000 \SystemRoot\system32\drivers\NETIO.SYS
0x8ED9A000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x8EE0D000 \SystemRoot\System32\drivers\tcpip.sys
0x8EF57000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8EF88000 \SystemRoot\system32\drivers\vmstorfl.sys
0x8EF91000 \SystemRoot\system32\drivers\volsnap.sys
0x8EFD0000 \SystemRoot\System32\Drivers\spldr.sys
0x8EDBF000 \SystemRoot\System32\drivers\rdyboost.sys
0x8EFD8000 \SystemRoot\system32\DRIVERS\PBADRV.sys
0x8EFE3000 \SystemRoot\System32\Drivers\mup.sys
0x8EFF3000 \SystemRoot\System32\drivers\hwpolicy.sys
0x84BBD000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x8EDEC000 \SystemRoot\system32\DRIVERS\disk.sys
0x8EC00000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x8F02F000 \SystemRoot\system32\DRIVERS\89707509.sys
0x8F60B000 \SystemRoot\system32\DRIVERS\73486241.sys
0x8FC1A000 \SystemRoot\system32\DRIVERS\60143796.sys
0x90149000 \SystemRoot\system32\DRIVERS\dtsoftbus01.sys
0x94FCE000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x90186000 \SystemRoot\System32\Drivers\SRTSP.SYS
0x99034000 \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20111121.020\NAVEX15.SYS
0x991B4000 \??\C:\Windows\system32\Drivers\SYMEVENT.SYS
0x991D9000 \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20111121.020\NAVENG.SYS
0x991ED000 \SystemRoot\System32\Drivers\SRTSPX.SYS
0x991F7000 \SystemRoot\System32\Drivers\Null.SYS
0x99000000 \SystemRoot\System32\Drivers\Beep.SYS
0x99007000 \SystemRoot\System32\drivers\vga.sys
0x99013000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x94FED000 \SystemRoot\System32\drivers\watchdog.sys
0x94E00000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x901D0000 \SystemRoot\system32\drivers\rdpencdd.sys
0x901D8000 \SystemRoot\system32\drivers\rdprefmp.sys
0x901E0000 \SystemRoot\System32\Drivers\Msfs.SYS
0x901EB000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8FC00000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8FB2D000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8FB39000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0x8FB67000 \SystemRoot\system32\drivers\afd.sys
0x8FBC1000 \SystemRoot\System32\DRIVERS\netbt.sys
0x901F9000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x8F551000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8F570000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x8F581000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8F5A9000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8F5BC000 \SystemRoot\system32\drivers\termdd.sys
0x83C16000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
0x8F5CD000 \??\C:\Users\Avi\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL.SYS
0x94FFA000 \??\C:\Users\Avi\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV.SYS
0x83C80000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8FBF3000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8F600000 \SystemRoot\system32\drivers\mssmbios.sys
0x8F5EF000 \??\C:\Windows\system32\drivers\fanio.sys
0xA3C0A000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA3C68000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xA3C86000 \SystemRoot\System32\drivers\discache.sys
0xA3C92000 \SystemRoot\system32\drivers\csc.sys
0xA3D0F000 \SystemRoot\System32\Drivers\dfsc.sys
0xA3D27000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0xA3D35000 \SystemRoot\system32\DRIVERS\tunnel.sys
0xA4A0C000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0xA532C000 \SystemRoot\System32\drivers\dxgkrnl.sys
0xA3D56000 \SystemRoot\System32\drivers\dxgmms1.sys
0xA3D8F000 \SystemRoot\system32\DRIVERS\e1y6232.sys
0xA53E3000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xA5425000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xA5470000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xA547F000 \SystemRoot\system32\drivers\HDAudBus.sys
0xA5624000 \SystemRoot\system32\DRIVERS\NETwNs32.sys
0xA5CF1000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0xA5CFB000 \SystemRoot\system32\drivers\1394ohci.sys
0xA5D28000 \SystemRoot\system32\drivers\sdbus.sys
0xA5D41000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xA5D49000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xA5D61000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0xA5DAA000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xA5DB7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xA5DCE000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xA5DD4000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xA5DD8000 \SystemRoot\system32\drivers\wmiacpi.sys
0xA5DE1000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xA5DF3000 \SystemRoot\system32\drivers\CompositeBus.sys
0xA5600000 \SystemRoot\System32\Drivers\RootMdm.sys
0xA5608000 \SystemRoot\system32\drivers\modem.sys
0xA549E000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0xA54B0000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xA5615000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xA54C8000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xA54EA000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xA5502000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xA5519000 \SystemRoot\system32\DRIVERS\rassstp.sys
0xA5530000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xA5537000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0xA5620000 \SystemRoot\system32\drivers\swenum.sys
0xA5541000 \SystemRoot\system32\drivers\ks.sys
0xA5575000 \SystemRoot\system32\drivers\umbus.sys
0xA5583000 \SystemRoot\system32\DRIVERS\bpenum.sys
0xA55B6000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x82A0C000 \SystemRoot\system32\drivers\HdAudio.sys
0x82A5C000 \SystemRoot\system32\drivers\portcls.sys
0x82A8B000 \SystemRoot\system32\drivers\drmk.sys
0x82AA4000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x82D40000 \SystemRoot\System32\win32k.sys
0x82AB5000 \SystemRoot\System32\drivers\Dxapi.sys
0x82ABF000 \SystemRoot\System32\Drivers\crashdmp.sys
0x94E08000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0x82ACC000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x82ADD000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x82AF4000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x82AF6000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x82B01000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x82B14000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x82B1B000 \SystemRoot\System32\Drivers\LEqdUsb.Sys
0x82B24000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x82B30000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x82B3B000 \SystemRoot\System32\Drivers\LHidEqd.Sys
0x82B3C000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
0x82B44000 \SystemRoot\System32\Drivers\bpusb.sys
0x82B59000 \SystemRoot\system32\DRIVERS\monitor.sys
0x82FA0000 \SystemRoot\System32\TSDDD.dll
0x82FD0000 \SystemRoot\System32\cdd.dll
0x82B64000 \SystemRoot\system32\DRIVERS\bpmp.sys
0x82B8C000 \SystemRoot\System32\Drivers\cvusbdrv.sys
0x82B98000 \SystemRoot\system32\DRIVERS\OA001Vid.sys
0x82BDC000 \SystemRoot\system32\DRIVERS\OA001Ufd.sys
0x82C00000 \SystemRoot\System32\ATMFD.DLL
0xA5400000 \SystemRoot\system32\drivers\luafv.sys
0xA3DC9000 \SystemRoot\system32\drivers\WudfPf.sys
0xA53EE000 \SystemRoot\system32\DRIVERS\usbscan.sys
0x82A00000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xA3DE3000 \SystemRoot\system32\drivers\usbaudio.sys
0xA5DC4000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
0xA541B000 \SystemRoot\system32\drivers\WinUSB.sys
0x8F000000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0xA4A00000 \SystemRoot\System32\DRIVERS\scfilter.sys
0xA3DF7000 \SystemRoot\system32\DRIVERS\acpials.sys
0x94FBD000 \SystemRoot\system32\DRIVERS\lltdio.sys
0xAE41E000 \SystemRoot\system32\DRIVERS\nwifi.sys
0xAE464000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAE474000 \SystemRoot\system32\DRIVERS\pnarp.sys
0xAE47E000 \SystemRoot\system32\DRIVERS\purendis.sys
0xAE488000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xAE49B000 \SystemRoot\system32\drivers\HTTP.sys
0xAE520000 \SystemRoot\system32\DRIVERS\bowser.sys
0xAE54B000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAE56E000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xAE5A9000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xC5C13000 \SystemRoot\system32\drivers\peauth.sys
0xC5CAA000 \SystemRoot\System32\Drivers\secdrv.SYS
0xC5CB4000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xC5CD5000 \??\C:\Windows\system32\Drivers\SSPORT.sys
0xC5CDC000 \SystemRoot\System32\drivers\tcpipreg.sys
0xC5CE9000 \SystemRoot\system32\WinFLdrv.sys
0xC5CF1000 \SystemRoot\System32\DRIVERS\srv2.sys
0xC5D41000 \SystemRoot\system32\DRIVERS\vwifimp.sys
0xC5D4A000 \SystemRoot\System32\DRIVERS\srv.sys
0xC5D9C000 \??\C:\Program Files\ThrottleStop\WinRing0.sys
0xD0677000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0xD0680000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
0xD06F0000 \SystemRoot\system32\DRIVERS\4856140drv.sys
0xF1C23000 \SystemRoot\system32\DRIVERS\85758208.sys
0xF2145000 \SystemRoot\system32\DRIVERS\8429222drv.sys
0x76F20000 \Windows\System32\ntdll.dll
0x47720000 \Windows\System32\smss.exe
0x77160000 \Windows\System32\apisetschema.dll
0x00770000 \Windows\System32\autochk.exe
0x77110000 \Windows\System32\ws2_32.dll
0x77060000 \Windows\System32\msvcrt.dll
0x76EF0000 \Windows\System32\imagehlp.dll
0x76EE0000 \Windows\System32\nsi.dll
0x76DC0000 \Windows\System32\wininet.dll
0x76D70000 \Windows\System32\gdi32.dll
0x76D20000 \Windows\System32\Wldap32.dll
0x76C40000 \Windows\System32\kernel32.dll
0x76BB0000 \Windows\System32\clbcatq.dll
0x76B90000 \Windows\System32\sechost.dll
0x76AC0000 \Windows\System32\msctf.dll
0x76A40000 \Windows\System32\comdlg32.dll
0x768E0000 \Windows\System32\ole32.dll
0x76740000 \Windows\System32\setupapi.dll
0x766E0000 \Windows\System32\difxapi.dll
0x765D0000 \Windows\System32\urlmon.dll
0x76520000 \Windows\System32\rpcrt4.dll
0x76510000 \Windows\System32\normaliz.dll
0x76470000 \Windows\System32\advapi32.dll
0x76460000 \Windows\System32\lpk.dll
0x75810000 \Windows\System32\shell32.dll
0x757B0000 \Windows\System32\shlwapi.dll
0x755F0000 \Windows\System32\iertutil.dll
0x755E0000 \Windows\System32\psapi.dll
0x755C0000 \Windows\System32\imm32.dll
0x754F0000 \Windows\System32\user32.dll
0x75460000 \Windows\System32\oleaut32.dll
0x753C0000 \Windows\System32\usp10.dll
0x752A0000 \Windows\System32\crypt32.dll
0x75270000 \Windows\System32\cfgmgr32.dll
0x75220000 \Windows\System32\KernelBase.dll
0x75190000 \Windows\System32\comctl32.dll
0x75170000 \Windows\System32\devobj.dll
0x75140000 \Windows\System32\wintrust.dll
0x75130000 \Windows\System32\msasn1.dll
Processes (total 95):
0 System Idle Process
4 System
328 C:\Windows\System32\smss.exe
432 csrss.exe
484 csrss.exe
492 C:\Windows\System32\wininit.exe
544 C:\Windows\System32\services.exe
584 C:\Windows\System32\lsass.exe
596 C:\Windows\System32\lsm.exe
604 C:\Windows\System32\winlogon.exe
720 C:\Windows\System32\svchost.exe
776 C:\Windows\System32\nvvsvc.exe
816 C:\Windows\System32\svchost.exe
868 C:\Windows\System32\svchost.exe
956 C:\Windows\System32\svchost.exe
1004 C:\Windows\System32\svchost.exe
1164 C:\Windows\System32\svchost.exe
1264 C:\Windows\System32\nvvsvc.exe
1296 WUDFHost.exe
1340 WUDFHost.exe
1392 C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
1492 C:\Windows\System32\svchost.exe
1612 C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
1620 C:\Windows\System32\wlanext.exe
1632 C:\Windows\System32\conhost.exe
1956 C:\Windows\System32\spoolsv.exe
2004 C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
2028 C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
360 C:\Windows\System32\svchost.exe
532 C:\Windows\System32\svchost.exe
384 C:\Windows\System32\taskeng.exe
1076 C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
1484 C:\Program Files\ThrottleStop\ThrottleStop.exe
1548 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2044 C:\Program Files\Bonjour\mDNSResponder.exe
2068 C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
2168 C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
2252 C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
2296 C:\Windows\System32\java.exe
2304 C:\Windows\System32\conhost.exe
2388 C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
2476 C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
2592 C:\Program Files\Dell\Ambient Light Sensor\AlsSvc.exe
2744 WmiPrvSE.exe
2852 C:\Program Files\Intel\WiFi\bin\EvtEng.exe
2892 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
3032 C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
3312 unsecapp.exe
256 C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
3916 C:\Windows\System32\svchost.exe
656 C:\Windows\System32\SearchIndexer.exe
3868 C:\Windows\System32\taskhost.exe
1856 C:\Windows\System32\dwm.exe
728 C:\Windows\explorer.exe
508 C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
4248 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
4256 C:\Program Files\DellTPad\Apoint.exe
4296 C:\Windows\System32\rundll32.exe
4304 C:\Program Files\Logitech\SetPointP\SetPoint.exe
4320 C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
4328 C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
4464 C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
4532 C:\Program Files\Intel\WiMAX\Bin\WiMAXCU.exe
4548 C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
4720 C:\Program Files\Common Files\Logishrd\KHAL3\KHALMNPR.exe
4980 C:\Program Files\iTunes\iTunesHelper.exe
5084 C:\Windows\System32\hkcmd.exe
5100 C:\Windows\System32\igfxpers.exe
5128 C:\Program Files\Windows Sidebar\sidebar.exe
5184 C:\Program Files\I8kfanGUI\I8kfanGUI.exe
5224 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
5316 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
5356 C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
5720 C:\Program Files\DellTPad\ApMsgFwd.exe
5756 C:\Program Files\DellTPad\hidfind.exe
5768 C:\Program Files\DellTPad\ApntEx.exe
5784 C:\Windows\System32\conhost.exe
5852 C:\Program Files\iPod\bin\iPodService.exe
5048 C:\Windows\System32\wuauclt.exe
4360 C:\Program Files\Mozilla Firefox\firefox.exe
4652 C:\Program Files\Mozilla Firefox\plugin-container.exe
4600 C:\Windows\System32\svchost.exe
7632 C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
7608 C:\Windows\System32\taskmgr.exe
1208 C:\Windows\System32\svchost.exe
7092 C:\Windows\system\svchost.exe
7676 C:\Program Files\Internet Explorer\iexplore.exe
2860 C:\Windows\System32\SearchProtocolHost.exe
6972 C:\Windows\System32\SearchFilterHost.exe
5140 C:\Windows\System32\SearchProtocolHost.exe
3600 C:\Windows\System32\audiodg.exe
2972 dllhost.exe
6592 dllhost.exe
7288 C:\Users\Avi\Desktop\MBRCheck.exe
6828 C:\Windows\System32\conhost.exe
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)
PhysicalDrive0 Model Number: WDCWD5000BEVT-00ZAT0, Rev: 01.01A01
Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
Enter your choice:
#29
Posted 22 November 2011 - 02:31 PM
akwit
- Topic Starter
-
- Member
-
- 20 posts
Member
The MBR worked (text above) but the other did not.
My system just got a blue screen and mentioned some error and then shut down.
Any next steps?
Again, thanks for your help and patience.
My system just got a blue screen and mentioned some error and then shut down.
Any next steps?
Again, thanks for your help and patience.
#30
Posted 23 November 2011 - 12:27 AM
maliprog
-
- Malware Removal
-
- 6,172 posts
Trusted Helper
Step 1
NOTE: MBR infections are very delicate and we need to take all precaution not to loose any of important data! I would strongly advice you to backup all your important data from your system before you begin with the fix.
This malware tends to disable you whole system and let you with nothing. Please backup your date.
Step 2
Here is how you can ZIP and attach file for me:
How to add an attachment to a new topic or reply
Step 3
Please download and run BDRemovalTool from Here
Please write his findgs for me and remove everything it founds.
Step 4
Please don't forget to include these items in your reply:
NOTE: MBR infections are very delicate and we need to take all precaution not to loose any of important data! I would strongly advice you to backup all your important data from your system before you begin with the fix.
This malware tends to disable you whole system and let you with nothing. Please backup your date.
Step 2
- Run MBRCheck.exe
- Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
- Please push the 'Y' key and then press Enter
- When program ask you Enter your choice: enter 1 ( [1] Dump the MBR of a physical disk to file.) and press the Enter key
- Now the program will ask you "Enter the physical disk number to fix (0-99, -1 to cancel):"
- Enter 0 and press the Enter key.
- The program will show Enter Filename to dump to:, write MBR.dat as filename
- The program will create MBR.txt file at the same directory where program is.
- Type -1 to exit MBRCheck
- ZIP and attach MBR.txt here for me please.
Here is how you can ZIP and attach file for me:
- On your desktop should be a file MBR.dat.
- Right-click that file, point to Send To, and then click Compressed (zipped) Folder.
- A new compressed file is created.
- Please attach that file in your next reply.
How to add an attachment to a new topic or reply
Step 3
Please download and run BDRemovalTool from Here
Please write his findgs for me and remove everything it founds.
Step 4
Please don't forget to include these items in your reply:
- Attach MBR.txt dump
- BDRemovalTool findings
Similar Topics
1 user(s) are reading this topic
0 members, 1 guests, 0 anonymous users
As Featured On:
Sign In
Create Account
