Geeks to Go

Google Redirect [Solved]


  • This topic is locked

#16
Perplexus

    Lord of the Geeks

  • Malware Removal
  • 1,185 posts
Right click this link and choose Save As to save it to your desktop. Then right click the file and select Install; nothing will appear to happen, it will just do its job.

Right click this link and choose Save As to save it to your desktop. Then right click the file and select Install; nothing will appear to happen, it will just do its job.

Delete any version of ComboFix you have on your desktop, then:

Download Combofix from any of the links below and save it to your desktop. You must rename it to ComboFix.com before saving it.

Link 1
Link 2

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using FireFox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to Always ask me where to Save the files
  • During the download, rename it to ComboFix.com instead of Combo-Fix.exe as shown below (change file type to All Files before saving):

    Posted Image

    Posted Image
  • It is important to rename it during the download and not after.
  • Please do not rename it to something other than what was indicated.
  • Make sure to do the following:
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause unpredictable results.
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • Warning: ComboFix will disconnect your machine from the internet as soon as it starts.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on ComboFix.com & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt log so we can continue cleaning the system.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
  • 0

#17
rak6789

    Member

  • Topic Starter
  • Member
  • 23 posts
The 2nd link came down as UnHookExec.txt; how can I install that?
  • 0

#18
rak6789

    Member

  • Topic Starter
  • Member
  • 23 posts
I also still have no internet access, so am moving these files via a memory stick.
  • 0

#19
rak6789

    Member

  • Topic Starter
  • Member
  • 23 posts
I have assumed I've got to rename it UnHookExec.inf and install it. Which I have done, the new version of Combo-fix fails in the same manner as before.
  • 0

#20
Perplexus

    Lord of the Geeks

  • Malware Removal
  • 1,185 posts
Let's see if we can get your internet back before my next fix.

Please try the following steps:

If your network icon appears on the Windows taskbar, then you can repair it by right-clicking on the icon and selecting Repair.

Posted Image

If you have no task bar icon do this:
  • Click on the Start button.
  • Click on the Settings menu option.
  • Click on the Control Panel option.
  • When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom.
  • You will now see a list of available network connections. Locate the connection for your Wireless or Lan adapter and right-click on it.
  • Click on the Repair menu option.
Posted Image

Let the repair process perform its tasks and when it has finished, your Internet connection should be working again.

If that didn't work, please try the following:

Please copy the entire contents of the codebox below into Notepad:
  • Open Notepad
  • Copy the contents of the codebox below using CTRL C

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2]

  • Now return to Notepad and use CTRL V to paste the script
  • Verify that you have pasted the complete script
  • Save the Notepad file to your Desktop as FixReg.reg using Save as Type: All files
  • Locate FixReg.reg on your desktop
  • Double click to run, and when prompted Allow the file to merge with your registry
  • OK your way out.
After that, Reboot your computer.

After the reboot, we will reinstall TCP/IP
  • Go to Start, then Settings, and choose Network Connections
  • Right click on your normal connection icon, and choose Properties
  • Click the Install button
  • Choose Protocol then click Add
  • Click Have disk
  • In the drop down box, type in: C:\WINDOWS\INF and click OK
  • In the next dialog, click Internet Protocol (TCP/IP) then click OK
  • Click Close to leave the properties box
After that, Reboot your computer and see if you have regained your connection.
  • 0

#21
rak6789

    Member

  • Topic Starter
  • Member
  • 23 posts
OK, tried to repair as suggested; did not work.

Tried the other thing; did not work.

The computer appears to connect to the wireless router OK but then fails to acquire an IP address. When I right click the network icon and view available wireless networks it says:

Windows cannot configure the wireless connection.

It seems that some other program is controlling the connection.
  • 0

#22
Perplexus

    Lord of the Geeks

  • Malware Removal
  • 1,185 posts
  • Click on the Start button.
  • Click on the Settings menu option.
  • Click on the Control Panel option.
  • When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom.
  • You will now see a list of available network connections. Locate the connection for your Wireless or Lan adapter and right-click on it.
  • Click on the Properties menu option.
  • Select the Wireless Networks tab
  • Make sure that Use Windows to configure my wireless network settings is checked.

If it wasn't checked, reboot and see if this fixes the problem.
  • 0

#23
rak6789

    Member

  • Topic Starter
  • Member
  • 23 posts
I can't find anything that says Use Windows to configure my wireless network settings.
  • 0

#24
Perplexus

    Lord of the Geeks

  • Malware Removal
  • 1,185 posts
Ok, I'll research that a little more, in the meantime, let's try a fix.

------------------
Step 1:
------------------

We need to create a clean copy of the file we are going to replace.

Open notepad and copy/paste the text in the code box below into it.
@echo off
copy C:\WINDOWS\system32\logevent.dll c:\eventlog.dll
Exit
Click File > Save As... and in the dropdown box for Save as type select All Files
Then in the File name box type copy.bat and hit Save

This will create a batch file named copy.bat on your desktop.

Double click copy.bat to run it. You may see a black box appear, this is normal.

------------------
Step 2:
------------------

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to move:
c:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

------------------
Step 3:
------------------

Click on Start->Run, and copy-paste the following command into the "Open:" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r
When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

------------------
Step 4:
------------------

Rerun ComboFix and post the logs.

------------------
Step 5:
------------------

Please post back with the following:
  • How your machine is running
  • c:\avenger.txt
  • Win32kDiag.txt
  • C:\ComboFix.txt

  • 0

#25
rak6789

    Member

  • Topic Starter
  • Member
  • 23 posts
When the laptop rebooted it came up with the old one again: Windows cannot access the specified device, path or file.
  • 0

#26
Perplexus

    Lord of the Geeks

  • Malware Removal
  • 1,185 posts
Download SysProt Antirootkit to your desktop from HERE.
  • Unzip it into a folder on your desktop.
  • Double-click Sysprot.exe
  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • A log file named SysProtLog.txt will be saved automatically in the same folder. Open the text file and copy/paste the log here.

  • 0
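SysProt writes a plain-text log, so a first pass over it can be automated rather than read entry by entry. The script below is an added example written for this thread; it is not part of SysProt and not code from the original post. It parses the Process and Kernel Modules sections in the layout SysProt uses (the same layout as the log posted later in this thread) and flags anything reported as Hidden: Yes, plus kernel drivers whose image lives outside the Windows directory. The embedded sample log is constructed from a few entries modelled on that log, the function names are mine, and the path check assumes a single Windows install at C:\WINDOWS, as on the machine in this thread.

```python
from typing import Dict, List, Tuple

# Constructed sample in SysProt's layout: a few entries modelled on the log posted
# in this thread, not the full log.
SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: C:\WINDOWS\system32\svchost.exe
PID: 276
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Ian\Desktop\SysProt\SysProt\SysProt.exe
PID: 3708
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: B68FE000
Module End: B6956000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B6610000
Module End: B6628000
Hidden: Yes

Module Name: \??\C:\Documents and Settings\Ian\Desktop\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: B4C49000
Module End: B4C54000
Hidden: No
"""

SECTIONS = ("Process", "Kernel Modules")


def parse_sysprot_log(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Split the log into its sections; each entry becomes a dict of its 'Key: value' lines."""
    sections: Dict[str, List[Dict[str, str]]] = {name: [] for name in SECTIONS}
    current = None
    record: Dict[str, str] = {}

    def flush() -> None:
        nonlocal record
        if record and current in sections:
            sections[current].append(record)
        record = {}

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("****"):
            flush()                      # a blank line or a ***** divider ends an entry
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            flush()
            current = line[:-1]          # "Process:" / "Kernel Modules:" header
            continue
        if current is None or ":" not in line:
            continue                     # banner lines before the first section
        key, _, value = line.partition(":")
        record[key.strip()] = value.strip()
    flush()
    return sections


def is_system_path(path: str) -> bool:
    """True if the image lives under the Windows directory (assumed here to be c:\\windows)."""
    p = path.lower()
    if p.startswith("\\??\\"):           # NT object-manager prefix, e.g. \??\C:\...
        p = p[4:]
    if p.startswith("\\systemroot\\"):   # crash-dump drivers are listed relative to \SystemRoot
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    elif p.startswith("\\"):             # drive-less kernel path such as \WINDOWS\system32\...
        p = "c:" + p
    return p.startswith("c:\\windows\\")


def review(sections: Dict[str, List[Dict[str, str]]]) -> List[Tuple[str, str, str]]:
    """Return (kind, image, reason) triples for entries a human should look at."""
    findings: List[Tuple[str, str, str]] = []
    for proc in sections["Process"]:
        if proc.get("Hidden", "").lower() == "yes":
            findings.append(("process", proc.get("Name", "?"), "hidden"))
    for mod in sections["Kernel Modules"]:
        name = mod.get("Module Name", "?")
        short = name.rsplit("\\", 1)[-1]
        if mod.get("Hidden", "").lower() == "yes":
            findings.append(("module", short, "hidden"))
        if not is_system_path(name):
            findings.append(("module", short, "loaded from outside the Windows directory"))
    return findings


if __name__ == "__main__":
    for kind, image, reason in review(parse_sysprot_log(SAMPLE_LOG)):
        print(f"{kind:8} {reason:45} {image}")
```

Two caveats belong with the output. The crash-dump drivers (dump_atapi.sys, dump_WMILIB.SYS) are loaded by the kernel's crash-dump path and are routinely reported as hidden by anti-rootkit tools, so a hidden flag on them is not by itself evidence of a rootkit. The path check will also flag SysProt's own driver, which runs from the desktop folder it was unzipped to; that is expected. The script produces a shortlist to examine, not a verdict.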

#27
rak6789

    Member

  • Topic Starter
  • Member
  • 23 posts
Here is the log:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

Process:
Name: [System Idle Process]
PID: 0
Hidden: No
Window Visible: No

Name: System
PID: 4
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\smss.exe
PID: 1308
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\csrss.exe
PID: 1872
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\winlogon.exe
PID: 1904
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\services.exe
PID: 1948
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\lsass.exe
PID: 1960
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 276
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 376
Hidden: No
Window Visible: No

Name: C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
PID: 432
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 456
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
PID: 560
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 724
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 784
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\WLTRYSVC.EXE
PID: 1036
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\BCMWLTRY.EXE
PID: 1060
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\spoolsv.exe
PID: 1124
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\scardsvr.exe
PID: 1172
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\svchost.exe
PID: 1224
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\WiFi\bin\EvtEng.exe
PID: 1328
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\hasplms.exe
PID: 1548
Hidden: No
Window Visible: No

Name: C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
PID: 1744
Hidden: No
Window Visible: No

Name: C:\WINDOWS\explorer.exe
PID: 1416
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
PID: 604
Hidden: No
Window Visible: No

Name: C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
PID: 868
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe
PID: 1016
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 1712
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\alg.exe
PID: 2220
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\WLTRAY.EXE
PID: 2740
Hidden: No
Window Visible: No

Name: C:\Program Files\Java\jre6\bin\jusched.exe
PID: 2752
Hidden: No
Window Visible: No

Name: C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe
PID: 2772
Hidden: No
Window Visible: No

Name: C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
PID: 2812
Hidden: No
Window Visible: No

Name: C:\Program Files\Apoint\Apoint.exe
PID: 2860
Hidden: No
Window Visible: No

Name: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
PID: 2900
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PID: 2988
Hidden: No
Window Visible: No

Name: C:\WINDOWS\stsystra.exe
PID: 3004
Hidden: No
Window Visible: No

Name: C:\Program Files\Apoint\ApMsgFwd.exe
PID: 3016
Hidden: No
Window Visible: No

Name: C:\Program Files\Apoint\hidfind.exe
PID: 3040
Hidden: No
Window Visible: No

Name: C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
PID: 3052
Hidden: No
Window Visible: No

Name: C:\Program Files\Apoint\ApntEx.exe
PID: 3060
Hidden: No
Window Visible: No

Name: C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
PID: 3068
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\rundll32.exe
PID: 3132
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\rundll32.exe
PID: 3168
Hidden: No
Window Visible: No

Name: C:\Program Files\Rockwell Automation\Rockwell Automation USB CIP Driver Package\UsbCipHelper\UsbCipHelper.exe
PID: 3180
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\ctfmon.exe
PID: 3208
Hidden: No
Window Visible: No

Name: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
PID: 3216
Hidden: No
Window Visible: No

Name: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
PID: 3368
Hidden: No
Window Visible: No

Name: C:\Program Files\Digital Line Detect\DLG.exe
PID: 3376
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\unsecapp.exe
PID: 1156
Hidden: No
Window Visible: No

Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 1496
Hidden: No
Window Visible: No

Name: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
PID: 2200
Hidden: No
Window Visible: No

Name: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
PID: 2432
Hidden: No
Window Visible: No

Name: C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
PID: 2760
Hidden: No
Window Visible: No

Name: C:\Documents and Settings\Ian\Desktop\SysProt\SysProt\SysProt.exe
PID: 3708
Hidden: No
Window Visible: Yes

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \??\C:\Documents and Settings\Ian\Desktop\SysProt\SysProt\SysProtDrv.sys
Service Name: SysProtDrv.sys
Module Base: B4C49000
Module End: B4C54000
Hidden: No

Module Name: \WINDOWS\system32\ntkrnlpa.exe
Service Name: ---
Module Base: 804D7000
Module End: 806E2000
Hidden: No

Module Name: \WINDOWS\system32\hal.dll
Service Name: ---
Module Base: 806E2000
Module End: 80702C80
Hidden: No

Module Name: \WINDOWS\system32\KDCOM.DLL
Service Name: ---
Module Base: BA5A8000
Module End: BA5AA000
Hidden: No

Module Name: \WINDOWS\system32\BOOTVID.dll
Service Name: ---
Module Base: BA4B8000
Module End: BA4BB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ACPI.sys
Service Name: ACPI
Module Base: B9F79000
Module End: B9FA7000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\WMILIB.SYS
Service Name: ---
Module Base: BA5AA000
Module End: BA5AC000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pci.sys
Service Name: PCI
Module Base: B9F68000
Module End: B9F79000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\isapnp.sys
Service Name: isapnp
Module Base: BA0A8000
Module End: BA0B1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ohci1394.sys
Service Name: ohci1394
Module Base: BA0B8000
Module End: BA0C7000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\1394BUS.SYS
Service Name: ---
Module Base: BA0C8000
Module End: BA0D5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\compbatt.sys
Service Name: Compbatt
Module Base: BA4BC000
Module End: BA4BF000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\BATTC.SYS
Service Name: BattC
Module Base: BA4C0000
Module End: BA4C4000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pciide.sys
Service Name: PCIIde
Module Base: BA670000
Module End: BA671000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Service Name: ---
Module Base: BA328000
Module End: BA32F000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\pcmcia.sys
Service Name: Pcmcia
Module Base: B9F4A000
Module End: B9F68000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\MountMgr.sys
Service Name: MountMgr
Module Base: BA0D8000
Module End: BA0E3000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\ftdisk.sys
Service Name: Disk
Module Base: B9F2B000
Module End: B9F4A000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PartMgr.sys
Service Name: PartMgr
Module Base: BA330000
Module End: BA335000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\VolSnap.sys
Service Name: VolSnap
Module Base: BA0E8000
Module End: BA0F5000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\atapi.sys
Service Name: atapi
Module Base: B9F13000
Module End: B9F2B000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\cercsr6.sys
Service Name: cercsr6
Module Base: BA338000
Module End: BA340000
Hidden: No

Module Name: \WINDOWS\System32\Drivers\SCSIPORT.SYS
Service Name: ScsiPort
Module Base: B9EFB000
Module End: B9F13000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\disk.sys
Service Name: ---
Module Base: BA0F8000
Module End: BA101000
Hidden: No

Module Name: \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Service Name: ---
Module Base: BA108000
Module End: BA115000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\fltMgr.sys
Service Name: FltMgr
Module Base: B9EDB000
Module End: B9EFB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sr.sys
Service Name: sr
Module Base: B9EC9000
Module End: B9EDB000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\KSecDD.sys
Service Name: KSecDD
Module Base: B9EB2000
Module End: B9EC9000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Ntfs.sys
Service Name: Ntfs
Module Base: B9E25000
Module End: B9EB2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\inspect.sys
Service Name: Inspect
Module Base: B9E11000
Module End: B9E25000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\NDIS.SYS
Service Name: NDIS
Module Base: B9DE4000
Module End: B9E11000
Hidden: No

Module Name: \WINDOWS\System32\DRIVERS\TDI.SYS
Service Name: ---
Module Base: BA340000
Module End: BA345000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\PBADRV.sys
Service Name: PBADRV
Module Base: BA118000
Module End: BA123000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\Mup.sys
Service Name: Mup
Module Base: B9DC9000
Module End: B9DE4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\intelppm.sys
Service Name: intelppm
Module Base: BA138000
Module End: BA141000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
Service Name: WmiAcpi
Module Base: BA598000
Module End: BA59B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\CmBatt.sys
Service Name: CmBatt
Module Base: BA59C000
Module End: BA5A0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Service Name: nv
Module Base: B925A000
Module End: B98E6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Service Name: ---
Module Base: B9246000
Module End: B925A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Service Name: HDAudBus
Module Base: B9220000
Module End: B9246000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
Service Name: NETw5x32
Module Base: B8EA9000
Module End: B9220000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\b57xp32.sys
Service Name: b57w2k
Module Base: B8E7E000
Module End: B8EA9000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Service Name: usbuhci
Module Base: BA3E8000
Module End: BA3ED000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Service Name: ---
Module Base: B8E5B000
Module End: B8E7E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Service Name: usbehci
Module Base: BA3F0000
Module End: BA3F7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\PcmkWdm.sys
Service Name: PcmkWdm
Module Base: BA3F8000
Module End: BA3FF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Service Name: NIC1394
Module Base: BA148000
Module End: BA158000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Service Name: i8042prt
Module Base: BA158000
Module End: BA165000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
Service Name: ApfiltrService
Module Base: B8E37000
Module End: B8E5B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Service Name: Mouclass
Module Base: BA400000
Module End: BA406000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Service Name: Kbdclass
Module Base: BA408000
Module End: BA40E000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serial.sys
Service Name: Serial
Module Base: BA168000
Module End: BA178000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\serenum.sys
Service Name: serenum
Module Base: BA5A4000
Module End: BA5A8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\imapi.sys
Service Name: Imapi
Module Base: BA178000
Module End: BA183000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Service Name: Cdrom
Module Base: BA188000
Module End: BA195000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\redbook.sys
Service Name: redbook
Module Base: BA198000
Module End: BA1A7000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ks.sys
Service Name: ---
Module Base: B8E14000
Module End: B8E37000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\tosrfcom.sys
Service Name: Tosrfcom
Module Base: BA1A8000
Module End: BA1B8000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
Service Name: Srv
Module Base: BA1B8000
Module End: BA1C7000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\alertdrv.sys
Service Name: AlertDrv
Module Base: BA712000
Module End: BA713000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\audstub.sys
Service Name: audstub
Module Base: BA713000
Module End: BA714000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\RootMdm.sys
Service Name: ROOTMODEM
Module Base: BA5DC000
Module End: BA5DE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Modem.SYS
Service Name: Modem
Module Base: BA410000
Module End: BA418000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Service Name: Rasl2tp
Module Base: BA1C8000
Module End: BA1D5000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Service Name: NdisTapi
Module Base: B9D9D000
Module End: B9DA0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Service Name: NdisWan
Module Base: B8DFD000
Module End: B8E14000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Service Name: RasPppoe
Module Base: BA1D8000
Module End: BA1E3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Service Name: PptpMiniport
Module Base: BA1E8000
Module End: BA1F4000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\psched.sys
Service Name: PSched
Module Base: B8DEC000
Module End: B8DFD000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Service Name: Gpc
Module Base: BA1F8000
Module End: BA201000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Service Name: Ptilink
Module Base: BA418000
Module End: BA41D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\raspti.sys
Service Name: Raspti
Module Base: BA420000
Module End: BA425000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Service Name: rdpdr
Module Base: B8DBB000
Module End: B8DEC000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\termdd.sys
Service Name: TermDD
Module Base: BA208000
Module End: BA212000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\S7oppilx.sys
Service Name: S7oppilx
Module Base: B8D75000
Module End: B8D93000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\swenum.sys
Service Name: swenum
Module Base: BA5DE000
Module End: BA5E0000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\update.sys
Service Name: Update
Module Base: B8D1C000
Module End: B8D75000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Service Name: mssmbios
Module Base: B9D89000
Module End: B9D8D000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\windrvr6.sys
Service Name: WinDriver6
Module Base: B8CF0000
Module End: B8D1C000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tosporte.sys
Service Name: tosporte
Module Base: BA218000
Module End: BA223000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Service Name: NDProxy
Module Base: BA228000
Module End: BA232000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sthda.sys
Service Name: STHDA
Module Base: B6BD1000
Module End: B6CF0000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\portcls.sys
Service Name: ---
Module Base: B6BAF000
Module End: B6BD1000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\drmk.sys
Service Name: ---
Module Base: BA238000
Module End: BA247000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
Service Name: HSFHWAZL
Module Base: B6B7D000
Module End: B6BAF000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
Service Name: HSF_DPV
Module Base: B6A80000
Module End: B6B7D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
Service Name: winachsf
Module Base: B69D0000
Module End: B6A80000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Service Name: usbhub
Module Base: BA258000
Module End: BA267000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Service Name: ---
Module Base: BA5E6000
Module End: BA5E8000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\cmdguard.sys
Service Name: cmdGuard
Module Base: B6989000
Module End: B69A8000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Service Name: Fs_Rec
Module Base: BA5EC000
Module End: BA5EE000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Null.SYS
Service Name: Null
Module Base: BA7A4000
Module End: BA7A5000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Beep.SYS
Service Name: Beep
Module Base: BA5EE000
Module End: BA5F0000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\vga.sys
Service Name: VgaSave
Module Base: BA440000
Module End: BA446000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Service Name: mnmdd
Module Base: BA5F0000
Module End: BA5F2000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Service Name: RDPCDD
Module Base: BA5F2000
Module End: BA5F4000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Msfs.SYS
Service Name: Msfs
Module Base: BA448000
Module End: BA44D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Npfs.SYS
Service Name: Npfs
Module Base: BA450000
Module End: BA458000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Service Name: RasAcd
Module Base: BA56C000
Module End: BA56F000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Service Name: IPSec
Module Base: B6956000
Module End: B6969000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Service Name: Tcpip
Module Base: B68FE000
Module End: B6956000
Hidden: No

Module Name: C:\WINDOWS\System32\DRIVERS\cmdhlp.sys
Service Name: cmdHlp
Module Base: BA458000
Module End: BA45D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Service Name: IpNat
Module Base: B68B5000
Module End: B68D6000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbt.sys
Service Name: NetBT
Module Base: B688D000
Module End: B68B5000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Service Name: WS2IFSL
Module Base: BA588000
Module End: BA58B000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\afd.sys
Service Name: AFD
Module Base: B686B000
Module End: B688D000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\netbios.sys
Service Name: NetBIOS
Module Base: BA268000
Module End: BA271000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\Drivers\vmm.sys
Service Name: vmm
Module Base: B6830000
Module End: B686B000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Service Name: Wanarp
Module Base: BA278000
Module End: BA281000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Service Name: Rdbss
Module Base: B6805000
Module End: B6830000
Hidden: No

Module Name: C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
Service Name: OMCI
Module Base: B8DB7000
Module End: B8DBB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Service Name: MRxSmb
Module Base: B66CE000
Module End: B673D000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fips.SYS
Service Name: Fips
Module Base: BA298000
Module End: BA2A1000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Service Name: Arp1394
Module Base: BA2A8000
Module End: BA2B7000
Hidden: No

Module Name: C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
Service Name: APPDRV
Module Base: B8DAB000
Module End: B8DAF000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Service Name: Cdfs
Module Base: BA2D8000
Module End: BA2E8000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\oz776.sys
Service Name: guardian2
Module Base: BA2E8000
Module End: BA2F6000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\SMCLIB.SYS
Service Name: ---
Module Base: B8D97000
Module End: B8D9B000
Hidden: No

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B6610000
Module End: B6628000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BA600000
Module End: BA602000
Hidden: Yes

Module Name: C:\WINDOWS\System32\drivers\Dxapi.sys
Service Name: ---
Module Base: B66A6000
Module End: B66A9000
Hidden: No

Module Name: C:\WINDOWS\System32\watchdog.sys
Service Name: ---
Module Base: BA480000
Module End: BA485000
Hidden: No

Module Name: C:\WINDOWS\System32\drivers\dxgthk.sys
Service Name: ---
Module Base: BA6E2000
Module End: BA6E3000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Service Name: Ndisuio
Module Base: B5CE7000
Module End: B5CEB000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\s24trans.sys
Service Name: s24trans
Module Base: B5CDF000
Module End: B5CE2000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Service Name: MRxDAV
Module Base: B59FB000
Module End: B5A27000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\Haspnt.sys
Service Name: Haspnt
Module Base: B5B77000
Module End: B5B83000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\S7otranx.sys
Service Name: s7otranx
Module Base: B595F000
Module End: B59D3000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\aksfridge.sys
Service Name: aksfridge
Module Base: B5905000
Module End: B595F000
Hidden: No

Module Name: \??\C:\WINDOWS\system32\drivers\hardlock.sys
Service Name: Hardlock
Module Base: B5875000
Module End: B5905000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Service Name: Fastfat
Module Base: B5852000
Module End: B5875000
Hidden: No

Module Name: \??\C:\WINDOWS\System32\Machnm32.sys
Service Name: Machnm32
Module Base: BA737000
Module End: BA738000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
Service Name: mdmxsdk
Module Base: B5A27000
Module End: B5A2A000
Hidden: No

Module Name: C:\WINDOWS\system32\DRIVERS\srv.sys
Service Name: ---
Module Base: B5690000
Module End: B56E2000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\wdmaud.sys
Service Name: wdmaud
Module Base: B562B000
Module End: B5640000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\sysaudio.sys
Service Name: sysaudio
Module Base: B578A000
Module End: B5799000
Hidden: No

Module Name: C:\WINDOWS\System32\Drivers\HTTP.sys
Service Name: HTTP
Module Base: B4E77000
Module End: B4EB8000
Hidden: No

Module Name: C:\WINDOWS\system32\drivers\kmixer.sys
Service Name: kmixer
Module Base: B48CE000
Module End: B48F9000
Hidden: No

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAdjustPrivilegesToken
Address: B698DF4A
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwConnectPort
Address: B698D454
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateFile
Address: B698DAEE
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreatePort
Address: B698D132
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateSection
Address: B698F1D6
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateSymbolicLinkObject
Address: B698F4AE
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwCreateThread
Address: B698CCF8
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwDeleteKey
Address: B698E130
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwDeleteValueKey
Address: B698E2E0
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwDuplicateObject
Address: B698CA5A
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwLoadDriver
Address: B698EE58
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwMakeTemporaryObject
Address: B698D6D8
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwOpenFile
Address: B698DD32
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwOpenProcess
Address: B698C78A
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwOpenSection
Address: B698D968
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwOpenThread
Address: B698C902
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwRenameKey
Address: B698E88C
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwRequestWaitReplyPort
Address: B698D250
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwSecureConnectPort
Address: B698EBF4
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwSetSystemInformation
Address: B698F006
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwSetValueKey
Address: B698E68C
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwShutdownSystem
Address: B698D672
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwSystemDebugControl
Address: B698D85C
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwTerminateProcess
Address: B698CFFC
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

Function Name: ZwTerminateThread
Address: B698CECA
Driver Base: B6989000
Driver End: B69A8000
Driver Name: \SystemRoot\System32\DRIVERS\cmdguard.sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
IRP Hooks:
Hooked Module: C:\WINDOWS\system32\drivers\disk.sys
Hooked IRP: IRP_MJ_POWER
Jump To: B59074EF
Hooking Module: \??\C:\WINDOWS\system32\drivers\aksfridge.sys

******************************************************************************************
******************************************************************************************
Ports:
Local Address: 820I:10001
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
State: LISTENING

Local Address: 820I:1026
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: 820I:1947
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\hasplms.exe
State: LISTENING

Local Address: 820I:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: 820I:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: 820I:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: 820I:1030
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: 820I:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: 820I:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: 820I:1947
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\hasplms.exe
State: NA

Local Address: 820I:1025
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\hasplms.exe
State: NA

Local Address: 820I:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: 820I:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\929c2fe5e721a75cdfdb16\amd64\filterpipelineprintproc.dll
Status: Access denied

Object: C:\929c2fe5e721a75cdfdb16\amd64\msxpsdrv.cat
Status: Access denied

Object: C:\929c2fe5e721a75cdfdb16\amd64\msxpsdrv.inf
Status: Access denied

Object: C:\929c2fe5e721a75cdfdb16\amd64\msxpsinc.gpd
Status: Access denied

Object: C:\929c2fe5e721a75cdfdb16\amd64\msxpsinc.ppd
Status: Access denied

Object: C:\929c2fe5e721a75cdfdb16\amd64\mxdwdrv.dll
Status: Access denied

Object: C:\929c2fe5e721a75cdfdb16\amd64\xpssvcs.dll
Status: Access denied

Object: C:\929c2fe5e721a75cdfdb16\i386\filterpipelineprintproc.dll
Status: Access denied

Object: C:\929c2fe5e721a75cdfdb16\i386\msxpsdrv.cat
Status: Access denied

Object: C:\929c2fe5e721a75cdfdb16\i386\msxpsdrv.inf
Status: Access denied

Object: C:\929c2fe5e721a75cdfdb16\i386\msxpsinc.gpd
Status: Access denied

Object: C:\929c2fe5e721a75cdfdb16\i386\msxpsinc.ppd
Status: Access denied

Object: C:\929c2fe5e721a75cdfdb16\i386\mxdwdrv.dll
Status: Access denied

Object: C:\929c2fe5e721a75cdfdb16\i386\xpssvcs.dll
Status: Access denied

#28
Perplexus

    Lord of the Geeks

  • Malware Removal
  • 1,185 posts
Can you try disabling the Comodo Firewall and see if ComboFix will run?

If that doesn't work:

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

#29
rak6789

    Member

  • Topic Starter
  • Member
  • 23 posts
Here is the gmer log file:

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-15 22:17:51
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Ian\LOCALS~1\Temp\pxtdqpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xB68A8F4A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwConnectPort [0xB68A8454]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateFile [0xB68A8AEE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreatePort [0xB68A8132]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSection [0xB68AA1D6]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xB68AA4AE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwCreateThread [0xB68A7CF8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteKey [0xB68A9130]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDeleteValueKey [0xB68A92E0]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwDuplicateObject [0xB68A7A5A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwLoadDriver [0xB68A9E58]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwMakeTemporaryObject [0xB68A86D8]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenFile [0xB68A8D32]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenProcess [0xB68A778A]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenSection [0xB68A8968]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwOpenThread [0xB68A7902]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRenameKey [0xB68A988C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwRequestWaitReplyPort [0xB68A8250]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSecureConnectPort [0xB68A9BF4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetSystemInformation [0xB68AA006]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSetValueKey [0xB68A968C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwShutdownSystem [0xB68A8672]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwSystemDebugControl [0xB68A885C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateProcess [0xB68A7FFC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Internet Security Sandbox Driver/COMODO) ZwTerminateThread [0xB68A7ECA]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x804D7FEC]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7FEC] ZwCreateKey [0x804D7FEC]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x804D7FF1]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7FF1] ZwOpenKey [0x804D7FF1]

INT 0x03 \WINDOWS\system32\ntkrnlpa.exe[unknown section] 804D7FFB
INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B5ACB16D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B5ACAFC2

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[2220] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 02526DCE C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 025272BA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 02525BBB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 0252737D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 0252724D C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!ReadFile 7C80180E 7 Bytes JMP 02525AF1 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 025273E3 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!CreateFileMappingW 7C8093AA 5 Bytes JMP 02526C79 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!CloseHandle 7C809B57 5 Bytes JMP 0252595F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!GetDriveTypeW 7C80B2E0 5 Bytes JMP 025261DA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 025265B6 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!DuplicateHandle 7C80DE0E 7 Bytes JMP 02526AEA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 0252633F C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!FindClose 7C80EDE7 7 Bytes JMP 02526261 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 025262BB C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 02526035 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!GetFileSizeEx 7C810A19 5 Bytes JMP 025266AD C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!GetFileInformationByHandle 7C810C7D 5 Bytes JMP 02526A54 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!WriteFile 7C810D97 7 Bytes JMP 025259B9 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!GetFileAttributesExW 7C811105 5 Bytes JMP 025264E4 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!GetLongPathNameW 7C813363 5 Bytes JMP 02526EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!GetShortPathNameW 7C81F27E 5 Bytes JMP 02526F53 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!MoveFileWithProgressW 7C81F73E 5 Bytes JMP 02526725 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!SetFilePointerEx 7C821067 5 Bytes JMP 02527202 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!CopyFileExW 7C827B42 7 Bytes JMP 02525C61 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 02525BDA C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 0252718A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 02526BE5 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!SetFileAttributesW 7C8314F5 5 Bytes JMP 0252644C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!GetOverlappedResult 7C8315E4 5 Bytes JMP 025269D0 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 02526135 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!SetEndOfFile 7C83208E 5 Bytes JMP 02527001 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!FlushViewOfFile 7C8359B9 5 Bytes JMP 02526D63 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!RemoveDirectoryW 7C836FA3 5 Bytes JMP 02525E5A C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!BackupRead 7C856F6F 5 Bytes JMP 02526E31 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!CreateDirectoryExW 7C85A782 5 Bytes JMP 02525F4C C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!WriteFileEx 7C85C891 5 Bytes JMP 02525A83 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!GetCompressedFileSizeW 7C85D501 5 Bytes JMP 02527108 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] kernel32.dll!CreateHardLinkW 7C86B65C 7 Bytes JMP 02527236 C:\WINDOWS\system32\wxvault.dll
.text C:\WINDOWS\Explorer.EXE[2220] USER32.dll!ExitWindowsEx 7E45A045 5 Bytes JMP 025271E7 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 10006DCE C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 100072BA C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10005BBB C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 1000737D C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 1000724D C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!ReadFile 7C80180E 7 Bytes JMP 10005AF1 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 100073E3 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!CreateFileMappingW 7C8093AA 5 Bytes JMP 10006C79 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!CloseHandle 7C809B57 5 Bytes JMP 1000595F C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!GetDriveTypeW 7C80B2E0 5 Bytes JMP 100061DA C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 100065B6 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!DuplicateHandle 7C80DE0E 7 Bytes JMP 10006AEA C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 1000633F C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!FindClose 7C80EDE7 7 Bytes JMP 10006261 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 100062BB C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 10006035 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!GetFileSizeEx 7C810A19 5 Bytes JMP 100066AD C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!GetFileInformationByHandle 7C810C7D 5 Bytes JMP 10006A54 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!WriteFile 7C810D97 7 Bytes JMP 100059B9 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!GetFileAttributesExW 7C811105 5 Bytes JMP 100064E4 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!GetLongPathNameW 7C813363 5 Bytes JMP 10006EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!GetShortPathNameW 7C81F27E 5 Bytes JMP 10006F53 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!MoveFileWithProgressW 7C81F73E 5 Bytes JMP 10006725 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!SetFilePointerEx 7C821067 5 Bytes JMP 10007202 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!CopyFileExW 7C827B42 7 Bytes JMP 10005C61 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 10005BDA C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 1000718A C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 10006BE5 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!SetFileAttributesW 7C8314F5 5 Bytes JMP 1000644C C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!GetOverlappedResult 7C8315E4 5 Bytes JMP 100069D0 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 10006135 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!SetEndOfFile 7C83208E 5 Bytes JMP 10007001 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!FlushViewOfFile 7C8359B9 5 Bytes JMP 10006D63 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!RemoveDirectoryW 7C836FA3 5 Bytes JMP 10005E5A C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!BackupRead 7C856F6F 5 Bytes JMP 10006E31 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!CreateDirectoryExW 7C85A782 5 Bytes JMP 10005F4C C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!WriteFileEx 7C85C891 5 Bytes JMP 10005A83 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!GetCompressedFileSizeW 7C85D501 5 Bytes JMP 10007108 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] kernel32.dll!CreateHardLinkW 7C86B65C 7 Bytes JMP 10007236 C:\WINDOWS\system32\wxvault.dll
.text C:\Documents and Settings\Ian\Desktop\gmer.exe[2752] USER32.dll!ExitWindowsEx 7E45A045 5 Bytes JMP 100071E7 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] ntdll.dll!NtFlushVirtualMemory 7C90D35E 5 Bytes JMP 00336DCE C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003372BA C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 00335BBB C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] ntdll.dll!NtUnmapViewOfSection 7C90DF0E 5 Bytes JMP 0033737D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 0033724D C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!ReadFile 7C80180E 7 Bytes JMP 00335AF1 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 003373E3 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!CreateFileMappingW 7C8093AA 5 Bytes JMP 00336C79 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!CloseHandle 7C809B57 5 Bytes JMP 0033595F C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!GetDriveTypeW 7C80B2E0 5 Bytes JMP 003361DA C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!GetFileAttributesW 7C80B75C 5 Bytes JMP 003365B6 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!DuplicateHandle 7C80DE0E 7 Bytes JMP 00336AEA C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!FindFirstFileExW 7C80EA8D 5 Bytes JMP 0033633F C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!FindClose 7C80EDE7 7 Bytes JMP 00336261 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!FindNextFileW 7C80EF4A 7 Bytes JMP 003362BB C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00336035 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!GetFileSizeEx 7C810A19 5 Bytes JMP 003366AD C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!GetFileInformationByHandle 7C810C7D 5 Bytes JMP 00336A54 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!WriteFile 7C810D97 7 Bytes JMP 003359B9 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!GetFileAttributesExW 7C811105 5 Bytes JMP 003364E4 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!GetLongPathNameW 7C813363 5 Bytes JMP 00336EA5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!GetShortPathNameW 7C81F27E 5 Bytes JMP 00336F53 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!MoveFileWithProgressW 7C81F73E 5 Bytes JMP 00336725 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!SetFilePointerEx 7C821067 5 Bytes JMP 00337202 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!CopyFileExW 7C827B42 7 Bytes JMP 00335C61 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!ReadFileEx 7C82BD0B 5 Bytes JMP 00335BDA C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!WriteFileGather 7C82DDB5 7 Bytes JMP 0033718A C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!ReadFileScatter 7C82DE61 7 Bytes JMP 00336BE5 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!SetFileAttributesW 7C8314F5 5 Bytes JMP 0033644C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!GetOverlappedResult 7C8315E4 5 Bytes JMP 003369D0 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!DeleteFileW 7C831F7B 5 Bytes JMP 00336135 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!SetEndOfFile 7C83208E 5 Bytes JMP 00337001 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!FlushViewOfFile 7C8359B9 5 Bytes JMP 00336D63 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!RemoveDirectoryW 7C836FA3 5 Bytes JMP 00335E5A C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!BackupRead 7C856F6F 5 Bytes JMP 00336E31 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!CreateDirectoryExW 7C85A782 5 Bytes JMP 00335F4C C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!WriteFileEx 7C85C891 5 Bytes JMP 00335A83 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!GetCompressedFileSizeW 7C85D501 5 Bytes JMP 00337108 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] kernel32.dll!CreateHardLinkW 7C86B65C 7 Bytes JMP 00337236 C:\WINDOWS\system32\wxvault.dll
.text C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe[2760] USER32.dll!ExitWindowsEx 7E45A045 5 Bytes JMP 003371E7 C:\WINDOWS\system32\wxvault.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\VMNetSrv.sys[NDIS.SYS!NdisCloseAdapter] [B9E126E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\VMNetSrv.sys[NDIS.SYS!NdisOpenAdapter] [B9E127B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\VMNetSrv.sys[NDIS.SYS!NdisDeregisterProtocol] [B9E12780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\VMNetSrv.sys[NDIS.SYS!NdisRegisterProtocol] [B9E12740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [B9E126E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [B9E127B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [B9E12780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [B9E12740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B9E12740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B9E127B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B9E126E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B9E12780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B9E12780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B9E12740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B9E127B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B9E126E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B9E12740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B9E126E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B9E127B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B9E12780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B9E126E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B9E127B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B9E12740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B9E12780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B9E12740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B9E127B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B9E126E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [B9E126E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [B9E127B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [B9E12780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [B9E12740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B9E12740] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B9E12780] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B9E126E0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B9E127B0] inspect.sys (COMODO Internet Security Firewall Driver/COMODO)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)

AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Internet Security Helper Driver/COMODO)

Device \Driver\Disk \Device\Harddisk1\DR2 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+3 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\F4A3901F5451D574FA396AAD2001DF25\Usage@CXOne 992981572
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs wxvault.dll C:\WINDOWS\system32\guard32.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- Files - GMER 1.0.15 ----

File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0043529.dll 59904 bytes executable
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0043529.dll.info 230 bytes
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0045281.exe 1536 bytes executable
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\A0045281.exe.info 264 bytes
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\zip.exe 135168 bytes executable
File C:\Program Files\COMODO\COMODO Internet Security\Quarantine\zip.exe.info 116 bytes
ADS C:\System Volume Information\_restore{A514C1CC-499A-484A-B67E-3584577FFCF7}\RP134\A0045252.sys:1 8704 bytes executable

---- EOF - GMER 1.0.15 ----

#30
Perplexus

    Lord of the Geeks

  • Malware Removal
  • 1,185 posts
If this doesn't work, I'm thinking we may have to uninstall Comodo. Would that be a problem?

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis with malware removal mode enabled" check box.
  • Click on "Execute selected scripts".
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted:

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
  • Click on "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the insert icon to insert the attachment into your post
