Sysinternals Forum > Windows Discussions > Malware

Infected with some kind of trojan/rootkit

jaydee77ca (Newbie, joined 16 July 2009) posted 16 July 2009 at 5:12am:
Hi,
 
I'm hoping someone can help me. I noticed odd behaviour with my PC a day or so ago. First it started freezing, then Windows Defender couldn't update, then Malwarebytes Anti-malware and Spybot S&D wouldn't run, then I couldn't access the internet. I managed to boot into safe mode, run some online scans from Trend Micro and Kaspersky, clean some stuff up, and then I managed to get Malwarebytes Anti-malware to run which found and removed more stuff, namely a trojan:dnschanger. Now Malwarebytes Anti-malware doesn't find anything but I'm still having problems. The computer still freezes and Spybot S&D still won't run. I ran RootAlyzer and RootRepeal and they've identified a driver and some files hidden from Win32. How can I remove these files and the driver? Would someone be able to help me get back to normal? Much thanks!
 
Here is the log from RootAlyzer:
 
:: RootAlyzer Results
File:"Hidden file","C:\WINDOWS\system32\ESQULijvfmysudmhuxxqgwhtbbsemvduaeddo.dll"
File:"Hidden file","C:\WINDOWS\system32\ESQULvtogviqwwgiaxeibmjnwbtyvblwhluic.dll"
File:"Hidden file","C:\WINDOWS\system32\ESQULzcounter"
File:"No admin in ACL","C:\WINDOWS\{00000005-00000000-00000007-00001102-00000008-10211102}.CDF"
File:"Invisible to Win32","C:\WINDOWS\system32\ESQULijvfmysudmhuxxqgwhtbbsemvduaeddo.dll"
File:"Invisible to Win32","C:\WINDOWS\system32\ESQULvtogviqwwgiaxeibmjnwbtyvblwhluic.dll"
File:"Invisible to Win32","C:\WINDOWS\system32\ESQULzcounter"
File:"Invisible to Win32","C:\WINDOWS\system32\drivers\ESQULoqkqcemwasjmlqahydcgqxywwvhtxpbx.sys"
File:"No admin in ACL","C:\WINDOWS\system32\Defaults\MX0008_10211102{1B2D3721-11d6-5795-D000-869CD73B8EB7}.rdf"
File:"No admin in ACL","C:\WINDOWS\system32\Defaults\MX0008_10211102{48FCFB81-480E-11d7-9C86-00D0B78E3BD7}.rdf"
File:"No admin in ACL","C:\WINDOWS\system32\Defaults\MX0008_10211102{59639116-11D1-D955-A000-9D9D737F8EC9}.rdf"
File:"No admin in ACL","C:\WINDOWS\system32\Defaults\MX0008_10211102{8C0F8B81-11D1-DE1A-4544-24B700005453}.rdf"
File:"No admin in ACL","C:\WINDOWS\system32\Defaults\MX0008_10211102{9D74D2A0-11D1-DAE5-A000-9D9D737F8EC9}.rdf"
File:"No admin in ACL","C:\WINDOWS\system32\Defaults\MX0008_10211102{B591EC40-11D1-DBC3-A000-9D9D737F8EC9}.rdf"
File:"No admin in ACL","C:\Documents and Settings\All Users\Application Data\Idea Spectrum\Realtime Landscaping Architect 2\code.dat"
RootRepeal also finds the following hidden driver:
 
Name: ESQULoqkqcemwasjmlqahydcgqxywwvhtxpbx.sys
Image Path: C:\WINDOWS\system32\drivers\ESQULoqkqcemwasjmlqahydcgqxywwvhtxpbx.sys
Address: 0xBA29C000 Size: 192512 File Visible: - Signed: -
Status: Hidden from the Windows API!
 
 

nullptr (Senior Member, Australia, joined 06 April 2008) posted 16 July 2009 at 5:28am:
Download and run RootRepeal (hidden file scan option only), highlight ESQULoqkqcemwasjmlqahydcgqxywwvhtxpbx.sys, right-click and select the wipe file option, then reboot immediately. Then try running MBAM again to clean up the leftovers.

jaydee77ca (Newbie, joined 16 July 2009) posted 16 July 2009 at 1:17pm:
Hi nullptr,
 
Thanks for your help! When I ran the Files scan in RootRepeal I got the following error:
 
"Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialog."
 
After I click OK it says:
 
"DeviceIoControl Error! Error Code = 0xc0000001"
 
There are no results listed.
 
I tried the other settings for Disk Access Level and the only one that worked a bit better was Middle. It got a bit farther, then gave the same error. It doesn't show the ESQULoqkqcemwasjmlqahydcgqxywwvhtxpbx.sys file though. That file does show up in the Drivers scan. Can I wipe it from there?
 
Here are the file scan and driver scan logs:
 
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:   2009/07/16 07:13
Program Version:  Version 1.3.2.0
Windows Version:  Windows XP SP3
==================================================
Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!
Path: Volume C:\, Sector 1
Status: Sector mismatch
Path: Volume C:\, Sector 2
Status: Sector mismatch
Path: Volume C:\, Sector 3
Status: Sector mismatch
Path: Volume C:\, Sector 4
Status: Sector mismatch
Path: Volume C:\, Sector 5
Status: Sector mismatch
Path: Volume C:\, Sector 6
Status: Sector mismatch
Path: Volume C:\, Sector 7
Status: Sector mismatch
Path: Volume C:\, Sector 8
Status: Sector mismatch
Path: Volume C:\, Sector 9
Status: Sector mismatch
Path: Volume C:\, Sector 10
Status: Sector mismatch
Path: Volume C:\, Sector 11
Status: Sector mismatch
Path: Volume C:\, Sector 12
Status: Sector mismatch
Path: Volume C:\, Sector 13
Status: Sector mismatch
Path: Volume C:\, Sector 14
Status: Sector mismatch
Path: Volume C:\, Sector 15
Status: Sector mismatch
Path: Volume C:\, Sector 16
Status: Sector mismatch
Path: Volume C:\, Sector 17
Status: Sector mismatch
Path: Volume C:\, Sector 18
Status: Sector mismatch
Path: Volume C:\, Sector 19
Status: Sector mismatch
Path: Volume C:\, Sector 20
Status: Sector mismatch
Path: Volume C:\, Sector 21
Status: Sector mismatch
Path: Volume C:\, Sector 22
Status: Sector mismatch
Path: Volume C:\, Sector 23
Status: Sector mismatch
Path: Volume C:\, Sector 24
Status: Sector mismatch
Path: Volume C:\, Sector 25
Status: Sector mismatch
Path: Volume C:\, Sector 26
Status: Sector mismatch
Path: Volume C:\, Sector 27
Status: Sector mismatch
Path: Volume C:\, Sector 28
Status: Sector mismatch
Path: Volume C:\, Sector 29
Status: Sector mismatch
Path: Volume C:\, Sector 30
Status: Sector mismatch
Path: Volume C:\, Sector 31
Status: Sector mismatch
Path: Volume C:\, Sector 32
Status: Sector mismatch
Path: Volume C:\, Sector 33
Status: Sector mismatch
Path: Volume C:\, Sector 34
Status: Sector mismatch
Path: Volume C:\, Sector 35
Status: Sector mismatch
Path: Volume C:\, Sector 36
Status: Sector mismatch
Path: Volume C:\, Sector 37
Status: Sector mismatch
Path: Volume C:\, Sector 38
Status: Sector mismatch
Path: Volume C:\, Sector 39
Status: Sector mismatch
Path: Volume C:\, Sector 40
Status: Sector mismatch
Path: Volume C:\, Sector 41
Status: Sector mismatch
Path: Volume C:\, Sector 42
Status: Sector mismatch
Path: Volume C:\, Sector 43
Status: Sector mismatch
Path: Volume C:\, Sector 44
Status: Sector mismatch
Path: Volume C:\, Sector 45
Status: Sector mismatch
Path: Volume C:\, Sector 46
Status: Sector mismatch
Path: Volume C:\, Sector 47
Status: Sector mismatch
Path: Volume C:\, Sector 48
Status: Sector mismatch
Path: Volume C:\, Sector 49
Status: Sector mismatch
Path: Volume C:\, Sector 50
Status: Sector mismatch
Path: Volume C:\, Sector 51
Status: Sector mismatch
Path: Volume C:\, Sector 52
Status: Sector mismatch
Path: Volume C:\, Sector 53
Status: Sector mismatch
Path: Volume C:\, Sector 54
Status: Sector mismatch
Path: Volume C:\, Sector 55
Status: Sector mismatch
Path: Volume C:\, Sector 56
Status: Sector mismatch
Path: Volume C:\, Sector 57
Status: Sector mismatch
Path: Volume C:\, Sector 58
Status: Sector mismatch
Path: Volume C:\, Sector 59
Status: Sector mismatch
Path: Volume C:\, Sector 60
Status: Sector mismatch
Path: Volume C:\, Sector 61
Status: Sector mismatch
Path: Volume C:\, Sector 62
Status: Sector mismatch
Path: Volume D:\
Status: MBR Rootkit Detected!
Path: Volume D:\, Sector 1
Status: Sector mismatch
Path: Volume D:\, Sector 2
Status: Sector mismatch
Path: Volume D:\, Sector 3
Status: Sector mismatch
Path: Volume D:\, Sector 4
Status: Sector mismatch
Path: Volume D:\, Sector 5
Status: Sector mismatch
Path: Volume D:\, Sector 6
Status: Sector mismatch
Path: Volume D:\, Sector 7
Status: Sector mismatch
Path: Volume D:\, Sector 8
Status: Sector mismatch
Path: Volume D:\, Sector 9
Status: Sector mismatch
Path: Volume D:\, Sector 10
Status: Sector mismatch
Path: Volume D:\, Sector 11
Status: Sector mismatch
Path: Volume D:\, Sector 12
Status: Sector mismatch
Path: Volume D:\, Sector 13
Status: Sector mismatch
Path: Volume D:\, Sector 14
Status: Sector mismatch
Path: Volume D:\, Sector 15
Status: Sector mismatch
Path: Volume D:\, Sector 16
Status: Sector mismatch
Path: Volume D:\, Sector 17
Status: Sector mismatch
Path: Volume D:\, Sector 18
Status: Sector mismatch
Path: Volume D:\, Sector 19
Status: Sector mismatch
Path: Volume D:\, Sector 20
Status: Sector mismatch
Path: Volume D:\, Sector 21
Status: Sector mismatch
Path: Volume D:\, Sector 22
Status: Sector mismatch
Path: Volume D:\, Sector 23
Status: Sector mismatch
Path: Volume D:\, Sector 24
Status: Sector mismatch
Path: Volume D:\, Sector 25
Status: Sector mismatch
Path: Volume D:\, Sector 26
Status: Sector mismatch
Path: Volume D:\, Sector 27
Status: Sector mismatch
Path: Volume D:\, Sector 28
Status: Sector mismatch
Path: Volume D:\, Sector 29
Status: Sector mismatch
Path: Volume D:\, Sector 30
Status: Sector mismatch
Path: Volume D:\, Sector 31
Status: Sector mismatch
Path: Volume D:\, Sector 32
Status: Sector mismatch
Path: Volume D:\, Sector 33
Status: Sector mismatch
Path: Volume D:\, Sector 34
Status: Sector mismatch
Path: Volume D:\, Sector 35
Status: Sector mismatch
Path: Volume D:\, Sector 36
Status: Sector mismatch
Path: Volume D:\, Sector 37
Status: Sector mismatch
Path: Volume D:\, Sector 38
Status: Sector mismatch
Path: Volume D:\, Sector 39
Status: Sector mismatch
Path: Volume D:\, Sector 40
Status: Sector mismatch
Path: Volume D:\, Sector 41
Status: Sector mismatch
Path: Volume D:\, Sector 42
Status: Sector mismatch
Path: Volume D:\, Sector 43
Status: Sector mismatch
Path: Volume D:\, Sector 44
Status: Sector mismatch
Path: Volume D:\, Sector 45
Status: Sector mismatch
Path: Volume D:\, Sector 46
Status: Sector mismatch
Path: Volume D:\, Sector 47
Status: Sector mismatch
Path: Volume D:\, Sector 48
Status: Sector mismatch
Path: Volume D:\, Sector 49
Status: Sector mismatch
Path: Volume D:\, Sector 50
Status: Sector mismatch
Path: Volume D:\, Sector 51
Status: Sector mismatch
Path: Volume D:\, Sector 52
Status: Sector mismatch
Path: Volume D:\, Sector 53
Status: Sector mismatch
Path: Volume D:\, Sector 54
Status: Sector mismatch
Path: Volume D:\, Sector 55
Status: Sector mismatch
Path: Volume D:\, Sector 56
Status: Sector mismatch
Path: Volume D:\, Sector 57
Status: Sector mismatch
Path: Volume D:\, Sector 58
Status: Sector mismatch
Path: Volume D:\, Sector 59
Status: Sector mismatch
Path: Volume D:\, Sector 60
Status: Sector mismatch
Path: Volume D:\, Sector 61
Status: Sector mismatch
Path: Volume D:\, Sector 62
Status: Sector mismatch
 
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:   2009/07/16 07:15
Program Version:  Version 1.3.2.0
Windows Version:  Windows XP SP3
==================================================
Drivers
-------------------
Name: aardb7bg.SYS
Image Path: C:\WINDOWS\System32\Drivers\aardb7bg.SYS
Address: 0xBA555000 Size: 417792 File Visible: No Signed: -
Status: -
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF74A8000 Size: 187776 File Visible: - Signed: -
Status: -
Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -
Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xBA0C6000 Size: 138496 File Visible: - Signed: -
Status: -
Name: AmdLLD.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AmdLLD.sys
Address: 0xBA720000 Size: 61440 File Visible: - Signed: -
Status: -
Name: AmdTools.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AmdTools.sys
Address: 0xBA710000 Size: 61440 File Visible: - Signed: -
Status: -
Name: ASACPI.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ASACPI.sys
Address: 0xF799B000 Size: 5152 File Visible: - Signed: -
Status: -
Name: atapi.sys
Image Path: atapi.sys
Address: 0xF782A000 Size: 98304 File Visible: - Signed: -
Status: -
Name: atapi.sys
Image Path: atapi.sys
Address: 0x00000000 Size: 0 File Visible: - Signed: -
Status: -
Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -
Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF79B3000 Size: 4224 File Visible: - Signed: -
Status: -
Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7897000 Size: 12288 File Visible: - Signed: -
Status: -
Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xF7467000 Size: 63744 File Visible: - Signed: -
Status: -
Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF7437000 Size: 62976 File Visible: - Signed: -
Status: -
Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF7637000 Size: 53248 File Visible: - Signed: -
Status: -
Name: disk.sys
Image Path: disk.sys
Address: 0xF7627000 Size: 36352 File Visible: - Signed: -
Status: -
Name: dmio.sys
Image Path: dmio.sys
Address: 0xF7842000 Size: 153344 File Visible: - Signed: -
Status: -
Name: dmload.sys
Image Path: dmload.sys
Address: 0xF798B000 Size: 5888 File Visible: - Signed: -
Status: -
Name: dump_nvata.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvata.sys
Address: 0xB9FD8000 Size: 102400 File Visible: No Signed: -
Status: -
Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79D9000 Size: 8192 File Visible: No Signed: -
Status: -
Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xBA1BA000 Size: 12288 File Visible: - Signed: -
Status: -
Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000 Size: 73728 File Visible: - Signed: -
Status: -
Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7A9A000 Size: 4096 File Visible: - Signed: -
Status: -
Name: ESQULoqkqcemwasjmlqahydcgqxywwvhtxpbx.sys
Image Path: C:\WINDOWS\system32\drivers\ESQULoqkqcemwasjmlqahydcgqxywwvhtxpbx.sys
Address: 0xBA26A000 Size: 192512 File Visible: - Signed: -
Status: Hidden from the Windows API!
Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xB92AD000 Size: 143744 File Visible: - Signed: -
Status: -
Name: fdc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys
Address: 0xF7817000 Size: 27392 File Visible: - Signed: -
Status: -
Name: flpydisk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Address: 0xF7757000 Size: 20480 File Visible: - Signed: -
Status: -
Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF7A2F000 Size: 129792 File Visible: - Signed: -
Status: -
Name: framebuf.dll
Image Path: C:\WINDOWS\System32\framebuf.dll
Address: 0xBFF50000 Size: 12288 File Visible: - Signed: -
Status: -
Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF79AF000 Size: 7936 File Visible: - Signed: -
Status: -
Name: fsdfw.sys
Image Path: fsdfw.sys
Address: 0xF7B40000 Size: 73120 File Visible: - Signed: -
Status: -
Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF7868000 Size: 125056 File Visible: - Signed: -
Status: -
Name: GEARAspiWDM.sys
Image Path: C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
Address: 0xF7417000 Size: 40960 File Visible: - Signed: -
Status: -
Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806FF000 Size: 134400 File Visible: - Signed: -
Status: -
Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xBA5BB000 Size: 163840 File Visible: - Signed: -
Status: -
Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\System32\Drivers\HIDCLASS.SYS
Address: 0xF7477000 Size: 36864 File Visible: - Signed: -
Status: -
Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\System32\Drivers\HIDPARSE.SYS
Address: 0xF777F000 Size: 28672 File Visible: - Signed: -
Status: -
Name: hidusb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xBA6D0000 Size: 10368 File Visible: - Signed: -
Status: -
Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF7447000 Size: 42112 File Visible: - Signed: -
Status: -
Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xBA110000 Size: 152832 File Visible: - Signed: -
Status: -
Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xBA18F000 Size: 75264 File Visible: - Signed: -
Status: -
Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF75F7000 Size: 37248 File Visible: - Signed: -
Status: -
Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF780F000 Size: 24576 File Visible: - Signed: -
Status: -
Name: kbdhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xBA3FB000 Size: 14592 File Visible: - Signed: -
Status: -
Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7987000 Size: 8192 File Visible: - Signed: -
Status: -
Name: KID_LIB.sys
Image Path: C:\WINDOWS\System32\drivers\KID_LIB.sys
Address: 0xF7AA9000 Size: 4096 File Visible: - Signed: -
Status: -
Name: KID_SYS.sys
Image Path: C:\WINDOWS\System32\drivers\KID_SYS.sys
Address: 0xF79D3000 Size: 4896 File Visible: - Signed: -
Status: -
Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xBA665000 Size: 143360 File Visible: - Signed: -
Status: -
Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF7A18000 Size: 92288 File Visible: - Signed: -
Status: -
Name: LHidKE.Sys
Image Path: C:\WINDOWS\system32\DRIVERS\LHidKE.Sys
Address: 0xBA319000 Size: 27264 File Visible: - Signed: -
Status: -
Name: LHidUsbK.Sys
Image Path: C:\WINDOWS\System32\Drivers\LHidUsbK.Sys
Address: 0xF7487000 Size: 36736 File Visible: - Signed: -
Status: -
Name: LMouKE.sys
Image Path: C:\WINDOWS\System32\Drivers\LMouKE.sys
Address: 0xBA019000 Size: 71680 File Visible: - Signed: -
Status: -
Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF773F000 Size: 23040 File Visible: - Signed: -
Status: -
Name: mouhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xBA6C8000 Size: 12160 File Visible: - Signed: -
Status: -
Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF7607000 Size: 42368 File Visible: - Signed: -
Status: -
Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xBA02B000 Size: 455296 File Visible: - Signed: -
Status: -
Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF77D7000 Size: 19072 File Visible: - Signed: -
Status: -
Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xBA760000 Size: 35072 File Visible: - Signed: -
Status: -
Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xBA7EC000 Size: 15488 File Visible: - Signed: -
Status: -
Name: Mup.sys
Image Path: Mup.sys
Address: 0xF7AF9000 Size: 105344 File Visible: - Signed: -
Status: -
Name: NDIS.SYS
Image Path: C:\WINDOWS\System32\drivers\NDIS.SYS
Address: 0xF7B13000 Size: 182656 File Visible: - Signed: -
Status: -
Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xBA6C4000 Size: 10112 File Visible: - Signed: -
Status: -
Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xB955E000 Size: 14592 File Visible: - Signed: -
Status: -
Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xBA53E000 Size: 91520 File Visible: - Signed: -
Status: -
Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF7687000 Size: 40576 File Visible: - Signed: -
Status: -
Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF76E7000 Size: 34688 File Visible: - Signed: -
Status: -
Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xBA0E8000 Size: 162816 File Visible: - Signed: -
Status: -
Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF77E7000 Size: 30848 File Visible: - Signed: -
Status: -
Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7B52000 Size: 574976 File Visible: - Signed: -
Status: -
Name: ntoskrnl.exe
Image Path: C:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -
Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7A98000 Size: 2944 File Visible: - Signed: -
Status: -
Name: nvata.sys
Image Path: nvata.sys
Address: 0xF796E000 Size: 100736 File Visible: - Signed: -
Status: -
Name: NVENETFD.sys
Image Path: C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
Address: 0xF76A7000 Size: 34176 File Visible: - Signed: -
Status: -
Name: nvnetbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
Address: 0xBA7E8000 Size: 13056 File Visible: - Signed: -
Status: -
Name: NVNRM.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\NVNRM.SYS
Address: 0xBA61A000 Size: 307200 File Visible: - Signed: -
Status: -
Name: NVSNPU.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\NVSNPU.SYS
Address: 0xBA5E3000 Size: 225280 File Visible: - Signed: -
Status: -
Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF770F000 Size: 19712 File Visible: - Signed: -
Status: -
Name: pci.sys
Image Path: pci.sys
Address: 0xF7497000 Size: 68224 File Visible: - Signed: -
Status: -
Name: PCI_NTPNP3048
Image Path: \Driver\PCI_NTPNP3048
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -
Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7A4F000 Size: 3328 File Visible: - Signed: -
Status: -
Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF7707000 Size: 28672 File Visible: - Signed: -
Status: -
Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -
Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xBA52D000 Size: 69120 File Visible: - Signed: -
Status: -
Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF779F000 Size: 17792 File Visible: - Signed: -
Status: -
Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF7647000 Size: 36320 File Visible: - Signed: -
Status: -
Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xBA3E7000 Size: 8832 File Visible: - Signed: -
Status: -
Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xBA790000 Size: 51328 File Visible: - Signed: -
Status: -
Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xBA780000 Size: 41472 File Visible: - Signed: -
Status: -
Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xBA770000 Size: 48384 File Visible: - Signed: -
Status: -
Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF77AF000 Size: 16512 File Visible: - Signed: -
Status: -
Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -
Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xBA09B000 Size: 175744 File Visible: - Signed: -
Status: -
Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF79B7000 Size: 4224 File Visible: - Signed: -
Status: -
Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xBA4FD000 Size: 196224 File Visible: - Signed: -
Status: -
Name: RDPWD.SYS
Image Path: C:\WINDOWS\System32\Drivers\RDPWD.SYS
Address: 0xB92D1000 Size: 139520 File Visible: - Signed: -
Status: -
Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF7427000 Size: 57600 File Visible: - Signed: -
Status: -
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB9496000 Size: 49152 File Visible: No Signed: -
Status: -
Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS
Address: 0xF74D6000 Size: 98304 File Visible: - Signed: -
Status: -
Name: sptd.sys
Image Path: sptd.sys
Address: 0xF74EE000 Size: 950272 File Visible: - Signed: -
Status: -
Name: sr.sys
Image Path: sr.sys
Address: 0xF795C000 Size: 73472 File Visible: - Signed: -
Status: -
Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xB9394000 Size: 333952 File Visible: - Signed: -
Status: -
Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF79A1000 Size: 4352 File Visible: - Signed: -
Status: -
Name: tap0801.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tap0801.sys
Address: 0xBA750000 Size: 45056 File Visible: - Signed: -
Status: -
Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xBA136000 Size: 361600 File Visible: - Signed: -
Status: -
Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF7777000 Size: 20480 File Visible: - Signed: -
Status: -
Name: TDTCP.SYS
Image Path: C:\WINDOWS\System32\Drivers\TDTCP.SYS
Address: 0xBA309000 Size: 21760 File Visible: - Signed: -
Status: -
Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xBA740000 Size: 40704 File Visible: - Signed: -
Status: -
Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xBA3FF000 Size: 384768 File Visible: - Signed: -
Status: -
Name: usbccgp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Address: 0xBA351000 Size: 32128 File Visible: - Signed: -
Status: -
Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF79A7000 Size: 8192 File Visible: - Signed: -
Status: -
Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF7717000 Size: 30208 File Visible: - Signed: -
Status: -
Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF7657000 Size: 59520 File Visible: - Signed: -
Status: -
Name: usbohci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xF77F7000 Size: 17152 File Visible: - Signed: -
Status: -
Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xBA688000 Size: 147456 File Visible: - Signed: -
Status: -
Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xF778F000 Size: 20992 File Visible: - Signed: -
Status: -
Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\System32\drivers\VIDEOPRT.SYS
Address: 0xBA2B9000 Size: 81920 File Visible: - Signed: -
Status: -
Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF7617000 Size: 52352 File Visible: - Signed: -
Status: -
Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xF77FF000 Size: 20480 File Visible: - Signed: -
Status: -
Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -
Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -
Name: WmBEnum.sys
Image Path: C:\WINDOWS\system32\drivers\WmBEnum.sys
Address: 0xBA7E4000 Size: 12672 File Visible: - Signed: -
Status: -
Name: WmFilter.sys
Image Path: C:\WINDOWS\system32\drivers\WmFilter.sys
Address: 0xBA341000 Size: 23296 File Visible: - Signed: -
Status: -
Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS
Address: 0xF7989000 Size: 8192 File Visible: - Signed: -
Status: -
Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2260992 File Visible: - Signed: -
Status: -
Name: WmXlCore.sys
Image Path: C:\WINDOWS\system32\drivers\WmXlCore.sys
Address: 0xBA730000 Size: 44928 File Visible: - Signed: -
Status: -
 

nullptr (Senior Member, Australia, joined 06 April 2008) posted 16 July 2009 at 2:16pm:
It would definitely be worth following A_D_13's advice in this thread.

controler (Senior Member, joined 01 October 2006) posted 16 July 2009 at 3:39pm:
AD
Why does RR show the long-named .sys file as signed? Isn't that an uncommon long name and malware?


Name: ESQULoqkqcemwasjmlqahydcgqxywwvhtxpbx.sys
Image Path: C:\WINDOWS\system32\drivers\ESQULoqkqcemwasjmlqahydcgqxywwvhtxpbx.sys
Address: 0xBA26A000 Size: 192512 File Visible: - Signed: -
Status: Hidden from the Windows API!

After doing a search for that long driver file on Google, it appears the user is getting help from two other forums. Isn't it best to stick with one forum to get help and, if that doesn't work out, then move?


http://www.geekstogo.com/forum/Some-kind-rootkit-trojan-dns-changer-redirect-etc-t245644.html

http://forums.spybot.info/showthread.php?p=322574


Edited by controler - 16 July 2009 at 3:51pm

a_d_13 (Senior Member, joined 08 September 2007) posted 16 July 2009 at 3:58pm:
Hello,

About the signing - it should not be showing as signed.  However, RootRepeal doesn't check if a file is signed if it isn't visible on-disk, because to verify the signature, the file needs to be accessible to the Windows API.  So, most likely, the file is indeed hidden or inaccessible and as such, the signature isn't checked.
@jaydee77ca - Please stick with one forum at a time, as it makes it difficult for people to help you if you are making changes from different people all at once.  GeeksToGo is a good forum - I'd recommend following their instructions.

Thanks,
--AD
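As an added example (not code from RootRepeal, RootAlyzer or any poster in this thread), the following Python parses the two RootRepeal sections jaydee77ca posted above (the Hidden/Locked Files section with its per-volume MBR findings, and the Drivers section) together with the RootAlyzer lines from the first post, and turns them into a triage summary that applies a_d_13's point: a driver whose Status is "Hidden from the Windows API!" is the strong signal, and "Signed: -" on such a file means the signature was never checked, not that it is unsigned. Both sample logs are constructed in the same layouts as the posted ones, and EXAMPLEhidden.sys is a placeholder driver name.

```python
# Added example (not RootRepeal's, RootAlyzer's or any poster's code): parse the
# RootRepeal "Hidden/Locked Files" and "Drivers" sections and RootAlyzer's
# File:"finding","path" lines, then triage them. Both samples are constructed;
# EXAMPLEhidden.sys is a placeholder driver name.
import re
from typing import Dict, List, Tuple

SAMPLE_ROOTREPEAL = """\
Hidden/Locked Files
Path: Volume C:\\
Status: MBR Rootkit Detected!
Path: Volume C:\\, Sector 1
Status: Sector mismatch
Path: Volume C:\\, Sector 2
Status: Sector mismatch

Drivers
Name: EXAMPLEhidden.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\EXAMPLEhidden.sys
Address: 0xBA26A000 Size: 192512 File Visible: - Signed: -
Status: Hidden from the Windows API!
Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xB9496000 Size: 49152 File Visible: No Signed: -
Status: -
"""
SAMPLE_ROOTALYZER = """\
:: RootAlyzer Results
File:"Hidden file","C:\\WINDOWS\\system32\\drivers\\EXAMPLEhidden.sys"
File:"Invisible to Win32","C:\\WINDOWS\\system32\\drivers\\EXAMPLEhidden.sys"
"""

ADDR_RE = re.compile(r"Address:\s*(0x[0-9A-Fa-f]+)\s+Size:\s*(\d+)\s+File Visible:\s*(\S+)\s+Signed:\s*(\S+)")
VOLUME_RE = re.compile(r"^Volume ([A-Z]:\\)(?:, Sector (\d+))?$")
ROOTALYZER_RE = re.compile(r'^File:"([^"]*)","([^"]*)"$')

def parse_rootrepeal(text: str) -> Tuple[List[dict], List[dict]]:
    """Return (file_entries, driver_entries) as dicts keyed by the log's field names."""
    files, drivers, section, cur = [], [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Hidden/Locked Files", "Drivers"):
            section, cur = line, {}
        elif section == "Hidden/Locked Files":
            if line.startswith("Path:"):
                cur = {"path": line[5:].strip()}
            elif line.startswith("Status:") and cur:
                files.append({**cur, "status": line[7:].strip()})
                cur = {}
        elif section == "Drivers":
            if line.startswith("Name:"):
                cur = {"name": line[5:].strip()}
            elif line.startswith("Image Path:"):
                cur["image_path"] = line[11:].strip()
            elif line.startswith("Address:") and (m := ADDR_RE.match(line)):
                cur.update(address=int(m[1], 16), size=int(m[2]), file_visible=m[3], signed=m[4])
            elif line.startswith("Status:") and cur:
                drivers.append({**cur, "status": line[7:].strip()})
                cur = {}
    return files, drivers

def parse_rootalyzer(text: str) -> Dict[str, List[str]]:
    """Map each reported path (lower-cased) to its list of RootAlyzer findings."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if m := ROOTALYZER_RE.match(line.strip()):
            findings.setdefault(m[2].lower(), []).append(m[1])
    return findings

def triage(rootrepeal_text: str, rootalyzer_text: str = "") -> dict:
    """Summarise MBR findings per volume and list drivers that need a closer look."""
    files, drivers = parse_rootrepeal(rootrepeal_text)
    ra = parse_rootalyzer(rootalyzer_text)
    mbr_volumes, mismatches, suspects = [], {}, []
    for f in files:
        if m := VOLUME_RE.match(f["path"]):
            vol, sector = m[1], m[2]
            if sector is None and "MBR Rootkit" in f["status"]:
                mbr_volumes.append(vol)
            elif sector is not None and f["status"] == "Sector mismatch":
                mismatches[vol] = mismatches.get(vol, 0) + 1
    for d in drivers:
        hidden = "Hidden" in d.get("status", "")
        not_on_disk = d.get("file_visible", "-").lower() == "no"
        if hidden or not_on_disk:
            suspects.append({
                "name": d["name"],
                "image_path": d.get("image_path", ""),
                # "Hidden from the Windows API!" is the strong signal; "File Visible: No" alone
                # has benign cases (the scanner's own rootrepeal.sys, dump_* copies), so "review".
                "priority": "high" if hidden else "review",
                # RootRepeal can only verify a signature through the Win32 API, so "Signed: -"
                # on an unreachable file means unchecked, not unsigned.
                "signature": "not checked (file not reachable via Win32)",
                "rootalyzer": ra.get(d.get("image_path", "").lower(), []),
            })
    return {"mbr_volumes": mbr_volumes, "sector_mismatches": mismatches, "suspect_drivers": suspects}

if __name__ == "__main__":
    print(triage(SAMPLE_ROOTREPEAL, SAMPLE_ROOTALYZER))
```

Running the file prints the summary for the constructed sample; on a real case, pass the saved RootRepeal report text (and, optionally, the RootAlyzer results) to triage(). A driver that only shows "File Visible: No" is placed in "review" rather than "high" because the driver log posted in this thread shows benign examples of exactly that, such as rootrepeal.sys itself and the dump_* crash-dump drivers, whereas a path that both tools flag (RootRepeal "Hidden from the Windows API!" plus RootAlyzer "Invisible to Win32") is corroborated from two independent views of the file system.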

jaydee77ca (Newbie, joined 16 July 2009) posted 16 July 2009 at 5:52pm:
Hi,

My apologies for posting in the other forums. I didn't realize that was incorrect. I thought they had different users etc. I was just trying to get help. But now that you explain it (and I think about it) it makes sense. How should I rectify the situation? Should I just follow geekstogo then and request that the other forums close the threads/posts I have there? I don't want to anger anyone.

Thanks

a_d_13 (Senior Member, joined 08 September 2007) posted 16 July 2009 at 6:02pm:
Hello,

No problem. Just post at the other forums that you were getting help from other places, but now that it's been pointed out to you, that you request they close the thread. And, yes, post at GeeksToGo that you were previously getting help at other forums, but that you've requested that the other places close their threads, and that you are only following that thread now.

Thanks,
--AD

molotov (Moderator Group, joined 04 October 2006) posted 16 July 2009 at 6:02pm:
Now that the links to the discussion in the other forums have been provided, I would think that you could choose the one in which you are receiving the most helpful assistance and continue there (perhaps, make it known in the other two where you plan on focusing your attention)...
Daily affirmation:
net helpmsg 4006