Iexplore.exe processes pop up, apparent rootkit infection

By DoktrMik
Jul 24, 2010
  1. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2010/08/19 22:53
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: ALSysIO.sys
    Image Path: C:\DOCUME~1\[Name Removed]\LOCALS~1\Temp\ALSysIO.sys
    Address: 0xB6B19000 Size: 28672 File Visible: No Signed: -
    Status: -

    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xB6B49000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xBA5CE000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: jycjy.sys
    Image Path: jycjy.sys
    Address: 0xBA0A8000 Size: 61440 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xB5E4F000 Size: 49152 File Visible: No Signed: -
    Status: -

    Hidden/Locked Files
    -------------------
    Path: c:\windows\temp\hlktmp
    Status: Allocation size mismatch (API: 33570816, Raw: 0)

    SSDT
    -------------------
    #: 019 Function Name: NtAssignProcessToJobObject
    Status: Hooked by "<unknown>" at address 0x89ebc580

    #: 057 Function Name: NtDebugActiveProcess
    Status: Hooked by "<unknown>" at address 0x89ebd100

    #: 068 Function Name: NtDuplicateObject
    Status: Hooked by "<unknown>" at address 0x89ebcb30

    #: 122 Function Name: NtOpenProcess
    Status: Hooked by "<unknown>" at address 0x89ebbcc0

    #: 128 Function Name: NtOpenThread
    Status: Hooked by "<unknown>" at address 0x89ebbfc0

    #: 137 Function Name: NtProtectVirtualMemory
    Status: Hooked by "<unknown>" at address 0x89ebc9c0

    #: 213 Function Name: NtSetContextThread
    Status: Hooked by "<unknown>" at address 0x89ebc860

    #: 229 Function Name: NtSetInformationThread
    Status: Hooked by "<unknown>" at address 0x89ebc6e0

    #: 237 Function Name: NtSetSecurityObject
    Status: Hooked by "<unknown>" at address 0x89eb9700

    #: 253 Function Name: NtSuspendProcess
    Status: Hooked by "<unknown>" at address 0x89ebc420

    #: 254 Function Name: NtSuspendThread
    Status: Hooked by "<unknown>" at address 0x89ebc2c0

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "<unknown>" at address 0x89ebbe50

    #: 258 Function Name: NtTerminateThread
    Status: Hooked by "<unknown>" at address 0x89ebc150

    #: 277 Function Name: NtWriteVirtualMemory
    Status: Hooked by "<unknown>" at address 0x89ebcf50

    ==EOF==
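A defender-side triage of a RootRepeal log like the one above, added here as an example; it is not code from this thread or from RootRepeal's authors. It parses the Drivers, Hidden/Locked Files and SSDT sections into records and flags the three things a reviewer would want explained in this scan: a driver whose Image Path is a bare filename with no resolvable on-disk location (jycjy.sys), drivers loaded from a Temp directory, and SSDT entries hooked by "<unknown>". The embedded sample is constructed by abridging the posted scan. Two assumptions are the example's own: rootrepeal.sys and the dump_*.sys entries are treated as expected (the dump drivers are the crash-dump copies Windows keeps of the storage stack, and the scanner's own driver is always present), and the "<unknown>" hooks on process/thread functions are reported for review rather than as a verdict, since resident security products commonly hook exactly this set for self-protection.

```python
import re

# Constructed sample: an abridged copy of the RootRepeal scan posted in this thread.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/08/19 22:53
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: ALSysIO.sys
Image Path: C:\DOCUME~1\[Name Removed]\LOCALS~1\Temp\ALSysIO.sys
Address: 0xB6B19000 Size: 28672 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB6B49000 Size: 98304 File Visible: No Signed: -
Status: -

Name: jycjy.sys
Image Path: jycjy.sys
Address: 0xBA0A8000 Size: 61440 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5E4F000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\hlktmp
Status: Allocation size mismatch (API: 33570816, Raw: 0)

SSDT
-------------------
#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x89ebbcc0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x89ebbe50

==EOF==
"""

# Field names RootRepeal prints; longer names first so "Image Path" wins over "Path".
KEYS = ("Image Path", "File Visible", "Function Name", "Name", "Address",
        "Size", "Signed", "Status", "Path", "#")
_ALT = "|".join(re.escape(k) for k in KEYS)
FIELD_RE = re.compile(rf"({_ALT}): (.*?)(?= (?:{_ALT}): |$)")

# Assumption of this example: the scanner's own driver and the kernel's crash-dump
# copies of the storage drivers are expected to show "File Visible: No".
EXPECTED_HIDDEN = {"rootrepeal.sys", "dump_atapi.sys", "dump_wmilib.sys"}


def parse_rootrepeal(text):
    """Return {section name: [ {field: value}, ... ]} for a RootRepeal log."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    sections, current = {}, None
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped == "==EOF==":
            break
        # A section header is a text line immediately followed by a dashed rule.
        if i + 1 < len(lines) and re.fullmatch(r"-{5,}", lines[i + 1].strip()):
            current = stripped
            sections[current] = [{}]
            continue
        if current is None or re.fullmatch(r"-{5,}", stripped):
            continue
        if not stripped:                      # blank line closes the current record
            if sections[current][-1]:
                sections[current].append({})
            continue
        sections[current][-1].update(FIELD_RE.findall(stripped))
    return {name: [b for b in blocks if b] for name, blocks in sections.items()}


def triage(sections):
    """Flag the entries a reviewer would want explained, as (kind, subject, detail)."""
    findings = []
    for drv in sections.get("Drivers", []):
        name, path = drv.get("Name", ""), drv.get("Image Path", "")
        if name.lower() in EXPECTED_HIDDEN:
            continue
        if "\\" not in path:
            # Bare filename: the scanner could not resolve where this driver lives on disk.
            findings.append(("driver-no-path", name, path))
        elif re.search(r"\\temp\\", path, re.I):
            findings.append(("driver-from-temp", name, path))
    for f in sections.get("Hidden/Locked Files", []):
        findings.append(("hidden-file", f.get("Path", ""), f.get("Status", "")))
    for hook in sections.get("SSDT", []):
        m = re.search(r'Hooked by "([^"]*)" at address (0x[0-9A-Fa-f]+)', hook.get("Status", ""))
        if m and m.group(1) == "<unknown>":
            findings.append(("ssdt-hook-unknown", hook.get("Function Name", ""), m.group(2)))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage(parse_rootrepeal(SAMPLE_LOG)):
        print(f"{kind:20} {subject:40} {detail}")
```

Run against a saved RootRepeal log by passing its text to parse_rootrepeal. The "driver-no-path" finding is the one that distinguishes jycjy.sys from the other hidden entries: every other driver in the scan has a full image path, and a name that matches no file on disk is what the later SystemLook and Avenger steps in this thread go on to check.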
  2. Broni

    Broni Malware Annihilator Posts: 45,186   +242

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      jycjy.sys
      hlktmp*
      :regfind
      hlktmp*
      jycjy*
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  3. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 19:17 on 20/08/2010 by [name removed] (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "jycjy.sys"
    No files found.

    Searching for "hlktmp*"
    C:\WINDOWS\Temp\hlktmp --a--- 0 bytes [14:05 12/12/2008] [23:14 20/08/2010] (Unable to calculate MD5)

    ========== regfind ==========

    Searching for "hlktmp*"
    No data found.

    Searching for "jycjy*"
    No data found.

    -=End Of File=-
  4. Broni

    Broni Malware Annihilator Posts: 45,186   +242

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\temp\hlktmp
    
    Driver::
    jycjy
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [image: animation showing CFScript.txt being dragged onto ComboFix.exe]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  5. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    Here's the log. Thank you, as always.


  6. Broni

    Broni Malware Annihilator Posts: 45,186   +242

    We'll try The Avenger, then....

    1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

    Code:
    Begin copying here:
    Drivers to delete:
    jycjy.sys
    
    Files to delete:
    c:\windows\temp\hlktmp
    
    Folders to delete:
    c:\windows\temp
    
    Registry Keys to delete:
    

    2. Now, open the Avenger folder and start The Avenger program by clicking on its icon.

    * Right click on the window under Input script here:, and select Paste.
    * You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    * Click on Execute
    * Answer "Yes" twice when prompted.


    3. The Avenger will automatically do the following:

    * It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    * On reboot, it will briefly open a black command window on your desktop; this is normal.
    * After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    * The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    4. Please copy/paste the content of c:\avenger.txt into your reply
  7. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\jycjy.sys" not found!
    Deletion of driver "jycjy.sys" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist

    File "c:\windows\temp\hlktmp" deleted successfully.
    Folder "c:\windows\temp" deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
  8. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    Incidentally, I do notice that C:\Windows\TEMP\hlktmp was recreated...
  9. Broni

    Broni Malware Annihilator Posts: 45,186   +242

    1. Re-run SystemLook with the same script as in my reply #77

    2. Re-run RootRepeal.
  10. Broni

    Broni Malware Annihilator Posts: 45,186   +242

  11. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    Sorry for the delay....

    I think I'm coming pretty close to just doing a complete reinstall of my system at this point. I've burned so many hours on this I just want it to be resolved. I really appreciate your help, and I'm willing to persevere a little more in the hope that we'll find the answer.

    Here's the SystemLook log:

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 16:19 on 22/08/2010 by [name removed] (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "jycjy.sys"
    No files found.

    Searching for "hlktmp*"
    C:\Qoobox\Quarantine\C\WINDOWS\Temp\hlktmp.vir --a--- 8405015 bytes [14:05 12/12/2008] [23:14 20/08/2010] B9D1AA29C12F5BC65940E00201CC4C17
    C:\WINDOWS\TEMP\hlktmp --a--- 0 bytes [00:06 21/08/2010] [20:16 22/08/2010] (Unable to calculate MD5)

    ========== regfind ==========

    Searching for "hlktmp*"
    No data found.

    Searching for "jycjy*"
    No data found.

    -=End Of File=-
  12. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    Oh, and while I'm getting the RootRepeal log, on that file you mentioned: I have no idea what that product/application is you mentioned, nor why I might have it installed (Aladdin HASP HL dongle emulator). I really have never heard of it.
  13. Broni

    Broni Malware Annihilator Posts: 45,186   +242

    At this point, it really doesn't matter, since it's a safe file.

    Unfortunately, I'm running out of tools and ideas here.
    It's a really puzzling case.

    I want to give it one more shot, though...

    1. Download and save HelpAsst_mebroot_fix.exe to your desktop.
    • Close all open programs.
    • Double click HelpAsst_mebroot_fix.exe to run it.
    • Pay attention to the running tool.
    • If the tool detects mbr infection, please allow it to run mbr -f and shutdown your computer. To do so, type Y and press Enter.
    • After restart, wait 5 minutes, then go Start>Run, copy and paste the following command in the run box then hit Enter:

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    IMPORTANT!
    If the tool does NOT detect any mbr infection and completes, proceed with the following...

    • Click Start>Run and copy and paste the following command, then hit Enter:

      • mbr -f
    • Repeat the above step one more time
    • Now shut down the computer (do not restart, but shut it down), wait 5 minutes then start it back up.
    • Wait another 5 minutes, then click Start>Run and copy and paste the following command, then hit Enter.

      • helpasst -mbrt
    • When it completes, a log will open.
    • Please post the contents of that log.

    **Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

    2.
    • Please download Rootkit Unhooker . Save it to your desktop.
    • Now double-click on RKUnhookerLE.exe to run it.
    • Click the Report tab, then click Scan.
    • Checkmark Drivers, Stealth. Uncheck the rest. Click OK.
    • Wait till the scanner has finished and then click File, Save Report.
    • Save the report to some known location. Click Close.
    Copy the entire content of the report and paste it in a reply here.

    Note: You may get this warning; it is OK, just ignore it:
    "Rootkit Unhooker has detected a parasite inside itself!
    It is recommended to remove parasite, okay?"
     
  14. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    Well, I didn't see your reply and ran RootRepeal anyway. I'll follow the next steps now.


    ROOTREPEAL (c) AD, 2007-2009
    ==================================================
    Scan Start Time: 2010/08/22 16:28
    Program Version: Version 1.3.5.0
    Windows Version: Windows XP SP3
    ==================================================

    Drivers
    -------------------
    Name: ALSysIO.sys
    Image Path: C:\DOCUME~1\[name removed]\LOCALS~1\Temp\ALSysIO.sys
    Address: 0xBA448000 Size: 28672 File Visible: No Signed: -
    Status: -

    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xB6B0F000 Size: 98304 File Visible: No Signed: -
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xBA5CA000 Size: 8192 File Visible: No Signed: -
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xB63DC000 Size: 49152 File Visible: No Signed: -
    Status: -

    Hidden/Locked Files
    -------------------
    Path: c:\windows\temp\hlktmp
    Status: Allocation size mismatch (API: 33570816, Raw: 0)

    SSDT
    -------------------
    #: 019 Function Name: NtAssignProcessToJobObject
    Status: Hooked by "<unknown>" at address 0x89ec5580

    #: 057 Function Name: NtDebugActiveProcess
    Status: Hooked by "<unknown>" at address 0x89ec6100

    #: 068 Function Name: NtDuplicateObject
    Status: Hooked by "<unknown>" at address 0x89ec5b30

    #: 122 Function Name: NtOpenProcess
    Status: Hooked by "<unknown>" at address 0x89ec4cc0

    #: 128 Function Name: NtOpenThread
    Status: Hooked by "<unknown>" at address 0x89ec4fc0

    #: 137 Function Name: NtProtectVirtualMemory
    Status: Hooked by "<unknown>" at address 0x89ec59c0

    #: 213 Function Name: NtSetContextThread
    Status: Hooked by "<unknown>" at address 0x89ec5860

    #: 229 Function Name: NtSetInformationThread
    Status: Hooked by "<unknown>" at address 0x89ec56e0

    #: 237 Function Name: NtSetSecurityObject
    Status: Hooked by "<unknown>" at address 0x89ec2700

    #: 253 Function Name: NtSuspendProcess
    Status: Hooked by "<unknown>" at address 0x89ec5420

    #: 254 Function Name: NtSuspendThread
    Status: Hooked by "<unknown>" at address 0x89ec52c0

    #: 257 Function Name: NtTerminateProcess
    Status: Hooked by "<unknown>" at address 0x89ec4e50

    #: 258 Function Name: NtTerminateThread
    Status: Hooked by "<unknown>" at address 0x89ec5150

    #: 277 Function Name: NtWriteVirtualMemory
    Status: Hooked by "<unknown>" at address 0x89ec5f50

    ==EOF==
  15. Broni

    Broni Malware Annihilator Posts: 45,186   +242

    Strangely enough, that mysterious jycjy driver is not listed anymore.
  16. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    Sorry, I should have mentioned - I went through add/remove programs and uninstalled a few old applications or things I don't want any more. I may have removed it (or not, I'm not sure what it was).

    C:\Documents and Settings\[name removed]\Desktop\HelpAsst_mebroot_fix.exe
    Sun 08/22/2010 at 17:08:47.93

    HelpAssistant account Inactive

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found

    ~~ Checking firewall ports ~~

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

    HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

    ~~ Checking profile list ~~

    No HelpAssistant profile in registry

    ~~ Checking mbr ~~

    user & kernel MBR OK

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Status check on Sun 08/22/2010 at 17:23:39.40

    Account active No
    Local Group Memberships

    ~~ Checking mbr ~~

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    kernel: MBR read successfully
    user & kernel MBR OK

    ~~ Checking for termsrv32.dll ~~

    termsrv32.dll not found


    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
    ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

    ~~ Checking profile list ~~

    No HelpAssistant profile in registry

    ~~ Checking for HelpAssistant directories ~~

    none found

    ~~ Checking firewall ports ~~

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


    ~~ EOF ~~
  17. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    RkU Version: 3.8.388.590, Type LE (SR2)
    ==============================================
    OS Name: Windows XP
    Version 5.1.2600 (Service Pack 3)
    Number of processors #4
    ==============================================
    >Drivers
    ==============================================
    0xB96DE000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 6283264 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 182.50 )
    0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 6189056 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 182.50 )
    0xB6EC3000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4845568 bytes (Realtek Semiconductor Corp., Realtek(r) High Definition Audio Function Driver)
    0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
    0x804D7000 PnpManager 2150400 bytes
    0x804D7000 RAW 2150400 bytes
    0x804D7000 WMIxWDM 2150400 bytes
    0xBF800000 Win32k 1851392 bytes
    0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
    0xB66CD000 C:\WINDOWS\system32\DRIVERS\eamon.sys 835584 bytes (ESET, Amon monitor)
    0xB60AF000 C:\WINDOWS\system32\drivers\hardlock.sys 696320 bytes (Aladdin Knowledge Systems Ltd., Hardlock Device Driver for Windows NT)
    0xB9E1D000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
    0xB62E9000 C:\WINDOWS\system32\Drivers\CVPNDRVA.sys 544768 bytes (Cisco Systems, Inc., Cisco Systems VPN Client IPSec Driver)
    0xB6B41000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys 503808 bytes (Microsoft Corporation, WDF Dynamic)
    0xB6C84000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
    0xB94B2000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
    0xB6DCA000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
    0xB600C000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
    0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
    0xB58BB000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
    0xB9510000 C:\WINDOWS\System32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
    0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
    0xB6498000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
    0xB9DF0000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
    0xB55F6000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
    0xB6CF4000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
    0xB967E000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows (R) Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
    0xB6D7C000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
    0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
    0xB6DA4000 C:\WINDOWS\System32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
    0xB608B000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
    0xB9608000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
    0xB96A6000 C:\WINDOWS\System32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
    0xB9647000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
    0xB6D41000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
    0xB6D1F000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
    0x806E4000 ACPI_HAL 134400 bytes
    0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
    0xB9ED3000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
    0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
    0xB5F77000 C:\Program Files\CyberLink\PowerDVD8\000.fcl 118784 bytes (Cyberlink Corp., FCL Driver)
    0xB6E56000 C:\WINDOWS\system32\DRIVERS\ehdrv.sys 118784 bytes (ESET, ESET Helper driver)
    0xB962C000 C:\WINDOWS\system32\DRIVERS\dne2000.sys 110592 bytes (Deterministic Networks, Inc., Deterministic Network Enhancer)
    0xB9DD6000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
    0xB6D63000 C:\WINDOWS\system32\DRIVERS\epfwtdir.sys 102400 bytes (ESET, ESET Antivirus Network Redirector)
    0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
    0xB6B29000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
    0xB9EF3000 C:\WINDOWS\System32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
    0xB9EAA000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
    0xB95F1000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
    0xB5BF2000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
    0xB966A000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
    0xB96CA000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
    0xB6E23000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
    0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
    0xB645E000 C:\WINDOWS\System32\Drivers\SENTINEL.SYS 73728 bytes (Rainbow Technologies, Inc., Sentinel System Driver (NT Parallel driver))
    0xB9EC1000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
    0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
    0xB9540000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
    0xBA1D8000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
    0xBA238000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
    0xBA0F8000 jraid.sys 65536 bytes (JMicron Technology Corp., JMicron JMB36X RAID Driver)
    0xBA0A8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
    0xBA218000 C:\WINDOWS\System32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
    0xB64C5000 C:\WINDOWS\system32\Drivers\DgiVecp.sys 61440 bytes (Samsung Electronics Co., Ltd., Windows 2k,XP IEEE-1284 parallel class driver for ECP, Byte, and Nibble modes)
    0xBA268000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
    0xBA248000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
    0xB5F67000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
    0xBA2F8000 C:\WINDOWS\System32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
    0xBA0B8000 C:\WINDOWS\System32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
  18. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    0xBA118000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
    0xBA278000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
    0xBA0E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
    0xBA1C8000 C:\WINDOWS\system32\DRIVERS\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
    0xB6BDC000 C:\WINDOWS\system32\drivers\Haspnt.sys 49152 bytes (Aladdin Knowledge Systems, HASP Kernel Device Driver for Windows NT)
    0xBA298000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
    0xBA198000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
    0xBA228000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
    0xBA0D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
    0xBA288000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
    0xBA0C8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
    0xBA2D8000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
    0xBA2B8000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
    0xBA108000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
    0xBA1B8000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
    0xBA208000 C:\WINDOWS\System32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
    0xBA2A8000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
    0xBA178000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
    0xB5793000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
    0xBA258000 C:\WINDOWS\system32\drivers\povrtdev.sys 36864 bytes (MediaMall Technologies, Inc., PlayOn Virtual Audio Device)
    0xBA128000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
    0xBA168000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
    0xBA3A0000 C:\WINDOWS\system32\ANIO.SYS 32768 bytes (-, ANIO (NT5) Driver )
    0xBA460000 C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys 32768 bytes (Logitech, Inc., Logitech HID Filter Driver.)
    0xBA468000 C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys 32768 bytes (Logitech, Inc., Logitech Mouse Filter Driver.)
    0xBA440000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
    0xBA458000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
    0xBA3C8000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
    0xBA3D8000 C:\DOCUME~1\MIKEAT~1\LOCALS~1\Temp\ALSysIO.sys 28672 bytes
    0xBA3D0000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
    0xBA428000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
    0xBA328000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
    0xBA3E0000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
    0xBA408000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
    0xBA4B0000 C:\DOCUME~1\[name removed]\LOCALS~1\Temp\mbr.sys 24576 bytes
    0xBA410000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
    0xBA450000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
    0xBA3C0000 C:\WINDOWS\System32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
    0xBA430000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
    0xBA418000 C:\WINDOWS\system32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
    0xBA438000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
    0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
    0xBA3F8000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
    0xBA400000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel(R) mini-port/call-manager driver)
    0xBA3F0000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
    0xBA470000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
    0xB736A000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
    0xB9D72000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
    0xB67E1000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
    0xB9D96000 C:\WINDOWS\System32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
    0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
    0xB6EB3000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
    0xB7372000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
    0xB7366000 C:\WINDOWS\System32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
    0xB9D8A000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
    0xB949E000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
    0xBA5BC000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
    0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
    0xBA5C6000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
    0xBA5BA000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
    0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
    0xBA5C0000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
    0xBA5E0000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
    0xBA5C2000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
    0xBA5B4000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
    0xBA5B6000 C:\WINDOWS\System32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
    0xBA5AA000 C:\WINDOWS\System32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
    0xBA737000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
    0xBA73F000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
    0xBA776000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
    0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
    0xBA79D000 C:\WINDOWS\System32\Drivers\PQNTDrv.SYS 4096 bytes (PowerQuest Corporation, PowerQuest Boot Mode Driver.)
    ==============================================
    >Stealth
    ==============================================
    0x8A315F53 Unknown page with executable code, 173 bytes
  19. Broni

    Broni Malware Annihilator Posts: 45,186   +242

    I still see nothing suspicious...grrrrrrrrrrrrr

    I want to see those iexplore.exe running.
Make sure IE is closed and....

Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
Click on View > Select Columns.
In addition to the already pre-selected options, make sure Command Line is selected, and press OK.
Go to File > Save As, and save the report as Procexp.txt.
    Attach the file to your next reply.
  20. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    I thought for sure that 'Unknown page' stealth message was something bad.

Here's an interesting thing that I'm 90% sure is happening: I have mentioned before that usually the processes appear within 1-2 min of connecting to the internet, but sometimes they take 10-30 minutes. I thought for a while that there was a connection between the driver (e.g. wireless vs. ethernet) and whether the process appeared at all, but that is not true. Eventually, they always arrive.

But here's the thing...each time it's taken longer I've noticed a dllhost.exe process appear for a short time (30-45s) then disappear before the iexplore.exe processes come up. I've done a lot of watching for these things to come up, and this time it was doing exactly this.

Too late I realized that the process explorer info on that process might have been useful, but I didn't think of it until it was gone. I'll try to get this next time.

    Here's the process explorer log snippet. Full file is attached.

    iexplore.exe 2828 Internet Explorer Microsoft Corporation 6:20:09 PM 8/22/2010 7,284 K 86,464 K open about:blank
    iexplore.exe 2344 Internet Explorer Microsoft Corporation 6:20:09 PM 8/22/2010 33,792 K 164,804 K "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:2828 CREDAT:79873

    If I kill either one, the pair disappears, but another pair shortly reappears.

    Attached Files:
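The short-lived dllhost.exe and the iexplore.exe pair that keeps coming back are easier to catch with a polling script than by watching Process Explorer by hand. The block below is an added example, not code from the thread and not output of Process Explorer or SystemLook. It polls WMI from PowerShell and, for every new iexplore.exe or dllhost.exe, writes PID, executable path, command line and the parent process (with the parent's command line) to a log. For dllhost.exe, which is Windows' COM surrogate and is launched as dllhost.exe /Processid:{GUID}, it also resolves that GUID to the HKCR\AppID entry and to the CLSIDs that name it, so the log records which COM server the surrogate was started to host. The watched process names, the poll interval and the log path are assumptions. It expects PowerShell 2.0 on the XP machine, run as Administrator, started before connecting to the network and left running until the pair appears. One point worth knowing when reading the result: an iexplore.exe started with SCODEF:<pid> CREDAT:<n> is the tab process Internet Explorer 8 spawns for the frame process whose PID follows SCODEF, so the parent that matters is the parent of the first iexplore.exe, the one launched with about:blank.

```powershell
# Added example: poll for new iexplore.exe / dllhost.exe processes and log who started them.
# Assumptions: PowerShell 2.0 on Windows XP, run as Administrator. Process names, poll
# interval and log path below are illustrative choices, not values from the thread.
$watch    = @('iexplore.exe', 'dllhost.exe')              # assumed: processes of interest
$interval = 1                                             # assumed: seconds between polls
$logPath  = Join-Path $env:USERPROFILE 'Desktop\procwatch.txt'   # assumed log location

# Resolve a dllhost.exe command line ("... /Processid:{GUID}") to the COM server it hosts.
function Resolve-Surrogate([string]$cmdLine) {
    if ($cmdLine -notmatch '/Processid:(\{[0-9A-Fa-f\-]{36}\})') { return 'no /Processid argument' }
    $appId = $matches[1]
    $out = "AppID=$appId"
    $appKey = "Registry::HKEY_CLASSES_ROOT\AppID\$appId"
    if (Test-Path $appKey) {
        $p = Get-ItemProperty $appKey
        if ($p.'(default)')           { $out += " name='" + $p.'(default)' + "'" }
        if ($p.DllSurrogate -ne $null) { $out += " DllSurrogate='" + $p.DllSurrogate + "'" }
    } else {
        $out += ' (no HKCR\AppID entry)'
    }
    # Every CLSID that points at this AppID, with the server binary it registers.
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if ($clsid.AppID -eq $appId) {
            foreach ($sub in 'InprocServer32', 'LocalServer32') {
                $srv = Get-ItemProperty (Join-Path $_.PSPath $sub) -ErrorAction SilentlyContinue
                if ($srv) { $out += ' ' + $_.PSChildName + " ${sub}='" + $srv.'(default)' + "'" }
            }
        }
    }
    return $out
}

function Write-Log([string]$line) {
    $stamped = (Get-Date -Format 'HH:mm:ss') + ' ' + $line
    $stamped | Out-File -FilePath $logPath -Append -Encoding ASCII
    Write-Host $stamped
}

$seen = @{}   # PIDs already reported, so each process is logged once
Write-Log "watching $($watch -join ', ') every $interval s; log: $logPath"
while ($true) {
    $all = Get-WmiObject Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $all) {
        if ($watch -notcontains $p.Name) { continue }
        if ($seen.ContainsKey([int]$p.ProcessId)) { continue }
        $seen[[int]$p.ProcessId] = $true
        $parent = $byPid[[int]$p.ParentProcessId]
        $parentDesc = if ($parent) { "$($parent.Name) [$($parent.ProcessId)] cmd=$($parent.CommandLine)" }
                      else         { "pid $($p.ParentProcessId) (already exited)" }
        Write-Log "NEW $($p.Name) [$($p.ProcessId)] path=$($p.ExecutablePath) cmd=$($p.CommandLine)"
        Write-Log "    parent: $parentDesc"
        if ($p.Name -ieq 'dllhost.exe') { Write-Log "    COM server: $(Resolve-Surrogate $p.CommandLine)" }
    }
    Start-Sleep -Seconds $interval
}
```

The PID, parent and command line lines are written before the registry lookup starts, because walking HKCR\CLSID can take a while on older hardware. A parent that has already exited when the poll runs is reported by PID only, which is itself a useful signal: something that launches a process and exits within a second is worth looking for in the same log under its own name.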

  21. Broni

    Broni Malware Annihilator Posts: 45,186   +242

    You already have SystemLook, so you don't have to download it...

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
• Vista users: Right click on SystemLook.exe, click Run As Administrator
• Copy the content of the following box into the main text field:
      Code:
      :filefind
      dllhost.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  22. Broni

    Broni Malware Annihilator Posts: 45,186   +242

    One more thing...

Did we check if iexplore comes up in Safe Mode with Networking?
  23. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 18:33 on 22/08/2010 by [name removed] (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "dllhost.exe"
    C:\WINDOWS\$NtServicePackUninstall$\dllhost.exe -----c 5120 bytes [17:27 06/07/2008] [07:56 04/08/2004] DD87DB7387B9EB441C5674888A0D840C
    C:\WINDOWS\ServicePackFiles\i386\dllhost.exe ------ 5120 bytes [07:56 04/08/2004] [00:12 14/04/2008] 0A9BA6AF531AFE7FA5E4FB973852D863
    C:\WINDOWS\system32\dllhost.exe --a--- 5120 bytes [12:00 18/08/2001] [00:12 14/04/2008] 0A9BA6AF531AFE7FA5E4FB973852D863

    -=End Of File=-
  24. DoktrMik

    DoktrMik Newcomer, in training Topic Starter Posts: 68

    We didn't check safe mode, but I can do that...
  25. Broni

    Broni Malware Annihilator Posts: 45,186   +242

    Go ahead, please...

    dllhost.exe location looks fine....
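The check made by eye on that SystemLook output can be scripted, which matters when a file has more copies than dllhost.exe does or when the question comes up again after the next reboot. The block below is an added example, not from the thread: it parses :filefind lines of the form SystemLook prints (path, attribute flags, size, two bracketed timestamps, MD5), flags any copy outside the directories where a protected system file is expected, compares the system32 copy's hash against the ServicePackFiles\i386 copy (the file the service pack installed from), and recomputes the MD5 of every copy that still exists so a file changed since the scan shows up. The $NtServicePackUninstall$ copy is the pre-SP3 version kept for rollback and is expected to differ, so it is not compared. The sample log text is the three lines from the post; the list of expected directories is an assumption.

```powershell
# Added example: re-check a SystemLook :filefind result for a Windows system file.
# Assumptions: PowerShell 2.0 on Windows XP. The sample text is copied from the post;
# the expected-directory list is an illustrative choice.
$sampleLog = @'
Searching for "dllhost.exe"
C:\WINDOWS\$NtServicePackUninstall$\dllhost.exe -----c 5120 bytes [17:27 06/07/2008] [07:56 04/08/2004] DD87DB7387B9EB441C5674888A0D840C
C:\WINDOWS\ServicePackFiles\i386\dllhost.exe ------ 5120 bytes [07:56 04/08/2004] [00:12 14/04/2008] 0A9BA6AF531AFE7FA5E4FB973852D863
C:\WINDOWS\system32\dllhost.exe --a--- 5120 bytes [12:00 18/08/2001] [00:12 14/04/2008] 0A9BA6AF531AFE7FA5E4FB973852D863
'@

# Directories where a copy of a protected system file is expected (assumed list).
$expectedDirs = @('\WINDOWS\system32', '\WINDOWS\system32\dllcache',
                  '\WINDOWS\ServicePackFiles\i386', '\WINDOWS\$NtServicePackUninstall$', '\WINDOWS\$hf_mig$')

# One object per "<path> <attrs> <size> bytes [<mtime>] [<ctime>] <MD5>" line.
function Parse-SystemLookFind([string]$text) {
    $entries = @()
    foreach ($line in $text -split "`r?`n") {
        if ($line -match '^(?<path>[A-Za-z]:\\.+?)\s+(?<attrs>[-a-z]{6})\s+(?<size>\d+) bytes\s+\[(?<mtime>[^\]]+)\]\s+\[(?<ctime>[^\]]+)\]\s+(?<md5>[0-9A-Fa-f]{32})\s*$') {
            $entries += New-Object PSObject -Property @{
                Path = $matches.path; Attrs = $matches.attrs; Size = [int]$matches.size
                Modified = $matches.mtime; Created = $matches.ctime; Md5 = $matches.md5.ToUpper()
            }
        }
    }
    return ,$entries
}

# MD5 of a file on disk, as the same upper-case hex string SystemLook prints.
function Get-Md5([string]$path) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs = [System.IO.File]::OpenRead($path)
    try { ($md5.ComputeHash($fs) | ForEach-Object { $_.ToString('X2') }) -join '' } finally { $fs.Close() }
}

function Check-SystemFile($entries) {
    $findings = @()
    $ref = $entries | Where-Object { $_.Path -like '*\ServicePackFiles\i386\*' } | Select-Object -First 1
    foreach ($e in $entries) {
        $dirTail = (Split-Path $e.Path -Parent).Substring(2)   # drop the drive letter
        if ($expectedDirs -notcontains $dirTail) { $findings += "UNEXPECTED LOCATION: $($e.Path)" }
        if ($e.Path -like '*\system32\*' -and $ref -and $e.Md5 -ne $ref.Md5) {
            $findings += "HASH MISMATCH vs ServicePackFiles copy: $($e.Path) $($e.Md5) != $($ref.Md5)"
        }
        if (Test-Path $e.Path) {
            $now = Get-Md5 $e.Path
            if ($now -ne $e.Md5) { $findings += "FILE CHANGED since SystemLook ran: $($e.Path) log=$($e.Md5) now=$now" }
        }
    }
    return ,$findings
}

$entries  = Parse-SystemLookFind $sampleLog
"{0} copies parsed" -f $entries.Count
$findings = Check-SystemFile $entries
if ($findings.Count -eq 0) { 'no findings: locations and hashes are consistent' } else { $findings }
```

To run it against a fresh scan, replace $sampleLog with Get-Content of SystemLook.txt joined with newlines. A hash mismatch between system32 and ServicePackFiles is not proof of tampering on its own: a hotfix installed after SP3 that replaced the file produces the same result, and in that case the $NtUninstallKB...$ folder for that hotfix holds the previous copy, so check for one before drawing a conclusion.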