Rootkit Ntoskrnl EXEL
Table of Contents
I'm not sure how my DELL XPS M1530 laptop got the NTOSKRNL-HOOK Trojan, but it might have been from repeatedly downloading different versions of the same game in order to extend the free trial.
- Image Identification
- Processes and DLLs
- Process Memory
- Kernel Memory and Objects
- Networking
- Registry
- Crash Dumps, Hibernation, and Conversion
- File System
- Miscellaneous
Oct 13, 2012. Hello, Ran the usual once a week AVG scan and it says I have some type of rootkit. DllUnload -> spbs.sys +0x5E360';'Object is hidden';'C: Windows System32 Drivers spbs.sys';'pci.sys, hooked import ntoskrnl.exe IoAttachDeviceToDeviceStack -> spbs.sys +0x62650';'Object is hidden'. However, before that, I'd like to transfer some files (pictures, iTunes music library, various documents - MS Word, Excel, Publisher, Adobe PDF, etc.) from the old computer to the new one using my external hard drive. Of course, I want to be sure that I don't end up infecting my new computer by doing this.
imageinfo
For a high level summary of the memory sample you're analyzing, use the imageinfo command. Most often this command is used to identify the operating system, service pack, and hardware architecture (32 or 64 bit), but it also contains other useful information such as the DTB address and time the sample was collected.
The imageinfo output tells you the suggested profile that you should pass as the parameter to --profile=PROFILE when using other plugins. There may be more than one profile suggestion if profiles are closely related. It also prints the address of the KDBG (short for _KDDEBUGGER_DATA64) structure that will be used by plugins like pslist and modules to find the process and module list heads, respectively. In some cases, especially larger memory samples, there may be multiple KDBG structures. Similarly, if there are multiple processors, you'll see the KPCR address and CPU number for each one.
Plugins automatically scan for the KPCR and KDBG values when they need them. However, you can specify the values directly for any plugin by providing --kpcr=ADDRESS or --kdbg=ADDRESS. By supplying the profile and KDBG (or failing that KPCR) to other Volatility commands, you'll get the most accurate and fastest results possible.
Note: The imageinfo plugin will not work on hibernation files unless the correct profile is given in advance. This is because important structure definitions vary between different operating systems.
kdbgscan
As opposed to imageinfo which simply provides profile suggestions, kdbgscan is designed to positively identify the correct profile and the correct KDBG address (if there happen to be multiple). This plugin scans for the KDBGHeader signatures linked to Volatility profiles and applies sanity checks to reduce false positives. The verbosity of the output and number of sanity checks that can be performed depends on whether Volatility can find a DTB, so if you already know the correct profile (or if you have a profile suggestion from imageinfo), then make sure you use it.
Here's an example scenario of when this plugin can be useful. You have a memory sample that you believe to be Windows 2003 SP2 x64, but pslist doesn't show any processes. The pslist plugin relies on finding the process list head which is pointed to by KDBG. However, the plugin takes the first KDBG found in the memory sample, which is not always the best one. You may run into this problem if a KDBG with an invalid PsActiveProcessHead pointer is found earlier in a sample (i.e. at a lower physical offset) than the valid KDBG.
Notice below how kdbgscan picks up two KDBG structures: an invalid one (with 0 processes and 0 modules) is found first at 0xf80001172cb0 and a valid one (with 37 processes and 116 modules) is found next at 0xf80001175cf0. In order to 'fix' pslist for this sample, you would simply need to supply the --kdbg=0xf80001175cf0 to the plist plugin.
For more information on how KDBG structures are identified read Finding Kernel Global Variables in Windows and Identifying Memory Images
kpcrscan
Use this command to scan for potential KPCR structures by checking for the self-referencing members as described by Finding Object Roots in Vista. On a multi-core system, each processor has its own KPCR. Therefore, you'll see details for each processor, including IDT and GDT address; current, idle, and next threads; CPU number, vendor & speed; and CR3 value.
If the KdVersionBlock is not null, then it may be possible to find the machine's KDBG address via the KPCR. In fact, the backup method of finding KDBG used by plugins such as pslist is to leverage kpcrscan and then call the KPCR.get_kdbg() API function.
pslist
To list the processes of a system, use the pslist command. This walks the doubly-linked list pointed to by PsActiveProcessHead and shows the offset, process name, process ID, the parent process ID, number of threads, number of handles, and date/time when the process started and exited. As of 2.1 it also shows the Session ID and if the process is a Wow64 process (it uses a 32 bit address space on a 64 bit kernel).
This plugin does not detect hidden or unlinked processes (but psscan can do that).
If you see processes with 0 threads, 0 handles, and/or a non-empty exit time, the process may not actually still be active. For more information, see The Missing Active in PsActiveProcessHead. Below, you'll notice regsvr32.exe has terminated even though its still in the 'active' list.
Also note the two processes System and smss.exe will not have a Session ID, because System starts before sessions are established and smss.exe is the session manager itself.
By default, pslist shows virtual offsets for the _EPROCESS but the physical offset can be obtained with the -P switch:
pstree
To view the process listing in tree form, use the pstree command. This enumerates processes using the same technique as pslist, so it will also not show hidden or unlinked processes. Child process are indicated using indention and periods.
psscan
To enumerate processes using pool tag scanning (_POOL_HEADER), use the psscan command. This can find processes that previously terminated (inactive) and processes that have been hidden or unlinked by a rootkit. The downside is that rootkits can still hide by overwriting the pool tag values (though not commonly seen in the wild).
If a process has previously terminated, the Time exited field will show the exit time. If you want to investigate a hidden process (such as displaying its DLLs), then you'll need physical offset of the _EPROCESS object, which is shown in the far left column. Almost all process-related plugins take a --OFFSET parameter so that you can work with hidden processes.
psdispscan
This plugin is similar to psscan, except it enumerates processes by scanning for DISPATCHER_HEADER instead of pool tags. This gives you an alternate way to carve _EPROCESS objects in the event an attacker tried to hide by altering pool tags. This plugin is not well maintained and only supports XP x86. To use it, you must type --plugins=contrib/plugins on command-line.
dlllist
To display a process's loaded DLLs, use the dlllist command. It walks the doubly-linked list of _LDR_DATA_TABLE_ENTRY structures which is pointed to by the PEB's InLoadOrderModuleList. DLLs are automatically added to this list when a process calls LoadLibrary (or some derivative such as LdrLoadDll) and they aren't removed until FreeLibrary is called and the reference count reaches zero. The load count column tells you if a DLL was statically loaded (i.e. as a result of being in the exe or another DLL's import table) or dynamically loaded.
To display the DLLs for a specific process instead of all processes, use the -p or --pid filter as shown below. Also, in the following output, notice we're analyzing a Wow64 process. Wow64 processes have a limited list of DLLs in the PEB lists, but that doesn't mean they're the only DLLs loaded in the process address space. Thus Volatility will remind you to use the ldrmodules instead for these processes.
To display the DLLs for a process that is hidden or unlinked by a rootkit, first use the psscan to get the physical offset of the EPROCESS object and supply it with --offset=OFFSET. The plugin will 'bounce back' and determine the virtual address of the EPROCESS and then acquire an address space in order to access the PEB.
dlldump
To extract a DLL from a process's memory space and dump it to disk for analysis, use the dlldump command. The syntax is nearly the same as what we've shown for dlllist above. You can:
- Dump all DLLs from all processes
- Dump all DLLs from a specific process (with
--pid=PID) - Dump all DLLs from a hidden/unlinked process (with
--offset=OFFSET) - Dump a PE from anywhere in process memory (with
--base=BASEADDR), this option is useful for extracting hidden DLLs - Dump one or more DLLs that match a regular expression (
--regex=REGEX), case sensitive or not (--ignore-case)
To specify an output directory, use --dump-dir=DIR or -d DIR.
If the extraction fails, as it did for a few DLLs above, it probably means that some of the memory pages in that DLL were not memory resident (due to paging). In particular, this is a problem if the first page containing the PE header and thus the PE section mappings is not available. In these cases you can still extract the memory segment using the vaddump command, but you'll need to manually rebuild the PE header and fixup the sections (if you plan on analyzing in IDA Pro) as described in Recovering CoreFlood Binaries with Volatility.
To dump a PE file that doesn't exist in the DLLs list (for example, due to code injection or malicious unlinking), just specify the base address of the PE in process memory:
You can also specify an EPROCESS offset if the DLL you want is in a hidden process:
handles
To display the open handles in a process, use the handles command. This applies to files, registry keys, mutexes, named pipes, events, window stations, desktops, threads, and all other types of securable executive objects. As of 2.1, the output includes handle value and granted access for each object.
You can display handles for a particular process by specifying --pid=PID or the physical offset of an _EPROCESS structure (--physical-offset=OFFSET). You can also filter by object type using -t or --object-type=OBJECTTYPE. For example to only display handles to process objects for pid 600, do the following:
The object type can be any of the names printed by the 'object ObjectTypes' windbg command (see Enumerate Object Types for more details.
In some cases, the Details column will be blank (for example, if the objects don't have names). By default, you'll see both named and un-named objects. However, if you want to hide the less meaningful results and only show named objects, use the --silent parameter to this plugin.
getsids
To view the SIDs (Security Identifiers) associated with a process, use the getsids command. Among other things, this can help you identify processes which have maliciously escalated privileges and which processes belong to specific users.
For more information, see BDG's Linking Processes To Users.
cmdscan
The cmdscan plugin searches the memory of csrss.exe on XP/2003/Vista/2008 and conhost.exe on Windows 7 for commands that attackers entered through a console shell (cmd.exe). This is one of the most powerful commands you can use to gain visibility into an attackers actions on a victim system, whether they opened cmd.exe through an RDP session or proxied input/output to a command shell from a networked backdoor.
This plugin finds structures known as COMMAND_HISTORY by looking for a known constant value (MaxHistory) and then applying sanity checks. It is important to note that the MaxHistory value can be changed by right clicking in the top left of a cmd.exe window and going to Properties. The value can also be changed for all consoles opened by a given user by modifying the registry key HKCUConsoleHistoryBufferSize. The default is 50 on Windows systems, meaning the most recent 50 commands are saved. You can tweak it if needed by using the --max_history=NUMBER parameter.
The structures used by this plugin are not public (i.e. Microsoft does not produce PDBs for them), thus they're not available in WinDBG or any other forensic framework. They were reverse engineered by Michael Ligh from the conhost.exe and winsrv.dll binaries.
In addition to the commands entered into a shell, this plugin shows:
- The name of the console host process (csrss.exe or conhost.exe)
- The name of the application using the console (whatever process is using cmd.exe)
- The location of the command history buffers, including the current buffer count, last added command, and last displayed command
- The application process handle
Due to the scanning technique this plugin uses, it has the capability to find commands from both active and closed consoles.
For background information, see Richard Stevens and Eoghan Casey's Extracting Windows Cmd Line Details from Physical Memory.
consoles
Similar to cmdscan the consoles plugin finds commands that attackers typed into cmd.exe or executed via backdoors. However, instead of scanning for COMMAND_HISTORY, this plugin scans for CONSOLE_INFORMATION. The major advantage to this plugin is it not only prints the commands attackers typed, but it collects the entire screen buffer (input and output). For instance, instead of just seeing 'dir', you'll see exactly what the attacker saw, including all files and directories listed by the 'dir' command.
Additionally, this plugin prints the following:
- The original console window title and current console window title
- The name and pid of attached processes (walks a LIST_ENTRY to enumerate all of them if more than one)
- Any aliases associated with the commands executed. For example, attackers can register an alias such that typing 'hello' actually executes 'cd system'
- The screen coordinates of the cmd.exe console
Here's an example of the consoles command. Below, you'll notice something quite funny. The forensic investigator seems to have lost his mind and cannot find the dd.exe tool for dumping memory. Nearly 20 typos later, he finds the tool and uses it.
privs
This plugin shows you which process privileges are present, enabled, and/or enabled by default. You can pass it the --silent flag to only show privileges that a process explicitly enabled (i.e. that were were not enabled by default but are currently enabled). The --regex=REGEX parameter can be used to filter for specific privilege names.
envars
To display a process's environment variables, use the envars plugin. Typically this will show the number of CPUs installed and the hardware architecture (though the kdbgscan output is a much more reliable source), the process's current directory, temporary directory, session name, computer name, user name, and various other interesting artifacts.
verinfo
To display the version information embedded in PE files, use the verinfo command. Not all PE files have version information, and many malware authors forge it to include false data, but nonetheless this command can be very helpful with identifying binaries and for making correlations with other files.
This plugin only supports printing version information from process executables and DLLs, but later will be expanded to include kernel modules. If you want to filter by module name, use the --regex=REGEX and/or --ignore-case options.
enumfunc
This plugin enumerates imported and exported functions from processes, dlls, and kernel drivers. Specifically, it handles functions imported by name or ordinal, functions exported by name or ordinal, and forwarded exports. The output will be very verbose in most cases (functions exported by ntdll, msvcrt, and kernel32 can reach 1000+ alone). So you can either reduce the verbosity by filtering criteria with the command-line options (shown below) or you can use look at the code in enumfunc.py and use it as an example of how to use the IAT and EAT parsing API functions in your own plugin. For example, the apihooks plugin leverages the imports and exports APIs to find functions in memory when checking for hooks.
Also note this plugin is in the contrib directory, so you can pass that to --plugins like this:
To use pool scanners for finding processes and kernel drivers instead of walking linked lists, use the -s option. This can be useful if you're trying to enumerate functions in hidden processes or drivers. An example of the remaining command-line options is shown below.
To show exported functions in process memory, use -P and -E like this:
To show imported functions in kernel memory, use -K and -I like this:
memmap
The memmap command shows you exactly which pages are memory resident, given a specific process DTB (or kernel DTB if you use this plugin on the Idle or System process). It shows you the virtual address of the page, the corresponding physical offset of the page, and the size of the page. The map information generated by this plugin comes from the underlying address space's get_available_addresses method.
As of 2.1, the new column DumpFileOffset helps you correlate the output of memmap with the dump file produced by the memdump plugin. For example, according to the output below, the page at virtual address 0x0000000000058000 in the System process's memory can be found at offset 0x00000000162ed000 of the win7_trial_64bit.raw file. After using memdump to extract the addressable memory of the System process to an individual file, you can find this page at offset 0x8000.
memdump
To extract all memory resident pages in a process (see memmap for details) into an individual file, use the memdump command. Supply the output directory with -D or --dump-dir=DIR.
To conclude the demonstration we began in the memmap discussion, we should now be able to make an assertion regarding the relationship of the mapped and extracted pages:
procdump
To dump a process's executable, use the procdump command. Optionally, pass the --unsafe or -u flags to bypass certain sanity checks used when parsing the PE header. Some malware will intentionally forge size fields in the PE header so that memory dumping tools fail.
Use --memory to include slack space between the PE sections that aren't page aligned. Without --memory you'll get a file that more closely resembles the file on disk, before sections expanded.
For more information, see Andreas Schuster's 4-part series on Reconstructing a Binary. Also see impscan for help rebuilding a binary's import address table.
vadinfo
The vadinfo command displays extended information about a process's VAD nodes. In particular, it shows:
- The address of the MMVAD structure in kernel memory
- The starting and ending virtual addresses in process memory that the MMVAD structure pertains to
- The VAD Tag
- The VAD flags, control flags, etc
- The name of the memory mapped file (if one exists)
- The memory protection constant (permissions). Note there is a difference between the original protection and current protection. The original protection is derived from the flProtect parameter to VirtualAlloc. For example you can reserve memory (MEM_RESERVE) with protection PAGE_NOACCESS (original protection). Later, you can call VirtualAlloc again to commit (MEM_COMMIT) and specify PAGE_READWRITE (becomes current protection). The vadinfo command shows the original protection only. Thus, just because you see PAGE_NOACCESS here, it doesn't mean code in the region cannot be read, written, or executed.
For more information on the VAD, see BDG's The VAD Tree: A Process-Eye View of Physical Memory.
vadwalk
To inspect a process's VAD nodes in table form, use the vadwalk command.
vadtree
To display the VAD nodes in a visual tree form, use the vadtree command.
If you want to view the balanced binary tree in Graphviz format, just add --output=dot --output-file=graph.dot to your command. Then you can open graph.dot in any Graphviz-compatible viewer. This plugin also supports color coding the output based on the regions that contain stacks, heaps, mapped files, DLLs, etc. A partial example is shown below using Omnigraffle:
Fillcolor Legend:
- Red: Heaps
- Gray: DLLs
- Green: Stacks
- Yellow: Mapped Files
vaddump
To extract the range of pages described by a VAD node, use the vaddump command. This is similar to memdump, except the pages belonging to each VAD node are placed in separate files (named according to the starting and ending addresses) instead of one large conglomerate file. If any pages in the range are not memory resident, they're padded with 0's using the address space's zread() method.
The files are named like this:
ProcessName.PhysicalOffset.StartingVPN.EndingVPN.dmp
The reason the PhysicalOffset field exists is so you can distinguish between two processes with the same name.
evtlogs
The evtlogs command extracts and parses binary event logs from memory. Binary event logs are found on Windows XP and 2003 machines, therefore this plugin only works on these architectures. These files are extracted from VAD of the services.exe process, parsed and dumped to a specified location.
There is also an option (--save-evt) to dump raw event logs for parsing with external tools:
Parsed output is pipe delimited to make it easier to import into excel files and the 'messages' are separated by semicolons:
If the --verbose flag is used, SIDs are also evaluated and placed in the parsed output instead of the defaulting raw SID. This action takes longer to run, since the plugin has to calculate each of the service SID and user SID from registry entries.
iehistory
This plugin recovers fragments of IE history index.dat cache files. It can find basic accessed links (via FTP or HTTP), redirected links (--REDR), and deleted entries (--LEAK). It applies to any process which loads and uses the wininet.dll library, not just Internet Explorer. Typically that includes Windows Explorer and even malware samples. For more information, see HowTo: Scan for Internet Cache/History and URLs.
modules
To view the list of kernel drivers loaded on the system, use the modules command. This walks the doubly-linked list of LDR_DATA_TABLE_ENTRY structures pointed to by PsLoadedModuleList. Similar to the pslist command, this relies on finding the KDBG structure. In rare cases, you may need to use kdbgscan to find the most appropriate KDBG structure address and then supply it to this plugin like --kdbg=ADDRESS.
It cannot find hidden/unlinked kernel drivers, however modscan serves that purpose. Also, since this plugin uses list walking techniques, you typically can assume that the order the modules are displayed in the output is the order they were loaded on the system. For example, below, ntoskrnl.exe was first to load, followed by hal.dll, etc.
The output shows the offset of the LDR_DATA_TABLE_ENTRY structure, which is a virtual address by default but can be specified as a physical address with the -P switch as shown below. In either case, the Base column is the virtual address of the module's base in kernel memory (where you'd expect to find the PE header).
modscan
The modscan command finds LDR_DATA_TABLE_ENTRY structures by scanning physical memory for pool tags. This can pick up previously unloaded drivers and drivers that have been hidden/unlinked by rootkits. Unlike modules the order of results has no relationship with the order in which the drivers loaded. As you can see below, DumpIt.sys was found at the lowest physical offset, but it was probably one of the last drivers to load (since it was used to acquire memory).
moddump
To extract a kernel driver to a file, use the moddump command. Supply the output directory with -D or --dump-dir=DIR. Without any additional parameters, all drivers identified by modlist will be dumped. If you want a specific driver, supply a regular expression of the driver's name with --regex=REGEX or the module's base address with --base=BASE.
For more information, see BDG's Plugin Post: Moddump.
Similar to dlldump, if critical parts of the PE header are not memory resident, then rebuilding/extracting the driver may fail. Additionally, for drivers that are mapped in different sessions (like win32k.sys), there is currently no way to specify which session to use when acquiring the driver sample.
ssdt
To list the functions in the Native and GUI SSDTs, use the ssdt command. This displays the index, function name, and owning driver for each entry in the SSDT. Please note the following:
Windows has 4 SSDTs by default (you can add more with KeAddSystemServiceTable), but only 2 of them are used - one for Native functions in the NT module, and one for GUI functions in the win32k.sys module.
There are multiple ways to locate the SSDTs in memory. Most tools do it by finding the exported KeServiceDescriptorTable symbol in the NT module, but this is not the way Volatility works.
For x86 systems, Volatility scans for ETHREAD objects (see the thrdscan command) and gathers all unique ETHREAD.Tcb.ServiceTable pointers. This method is more robust and complete, because it can detect when rootkits make copies of the existing SSDTs and assign them to particular threads. Also see the threads command.
For x64 systems (which do not have an ETHREAD.Tcb.ServiceTable member) Volatility disassembles code in ntKeAddSystemServiceTable and finds its references to the KeServiceDescriptorTable and KeServiceDescriptorTableShadow symbols.
The order and total number of functions in the SSDTs differ across operating system versions. Thus, Volatility stores the information in a per-profile (OS) dictionary which is auto-generated and cross-referenced using the ntoskrnl.exe, ntdll.dll, win32k.sys, user32.dll and gdi32.dll modules from the respective systems.
For more information, see BDG's Auditing the System Call Table.
To filter all functions which point to ntoskrnl.exe and win32k.sys, you can use egrep on command-line. This will only show hooked SSDT functions.
Note that the NT module on your system may be ntkrnlpa.exe or ntkrnlmp.exe - so check that before using egrep of you'll be filtering the wrong module name. Also be aware that this isn't a hardened technique for finding hooks, as malware can load a driver named win32ktesting.sys and bypass your filter.
driverscan
To find DRIVER_OBJECTs in physical memory using pool tag scanning, use the driverscan command. This is another way to locate kernel modules, although not all kernel modules have an associated DRIVER_OBJECT. The DRIVER_OBJECT is what contains the 28 IRP (Major Function) tables, thus the driverirp command is based on the methodology used by driverscan.
For more information, see Andreas Schuster's Scanning for Drivers.
filescan
To find FILE_OBJECTs in physical memory using pool tag scanning, use the filescan command. This will find open files even if a rootkit is hiding the files on disk and if the rootkit hooks some API functions to hide the open handles on a live system. The output shows the physical offset of the FILE_OBJECT, file name, number of pointers to the object, number of handles to the object, and the effective permissions granted to the object.
For more information, see Andreas Schuster's Scanning for File Objects and Linking File Objects To Processes.
mutantscan
To scan physical memory for KMUTANT objects with pool tag scanning, use the mutantscan command. By default, it displays all objects, but you can pass -s or --silent to only show named mutexes. The CID column contains the process ID and thread ID of the mutex owner if one exists.
For more information, see Andreas Schuster's Searching for Mutants.
symlinkscan
This plugin scans for symbolic link objects and outputs their information. In the past, this has been used to link drive letters (i.e. D:, E:, F:, etc) to true crypt volumes (i.e. DeviceTrueCryptVolume). For more information, see Symbolic Link Objects and Identifying a Mounted True Crypt Volume from Artifacts in Volatile Memory.
thrdscan
To find ETHREAD objects in physical memory with pool tag scanning, use the thrdscan command. Since an ETHREAD contains fields that identify its parent process, you can use this technique to find hidden processes. One such use case is documented in the psxview command. Also, for verbose details, try the threads plugin.
dumpfiles
An important concept that every computer scientist, especially those who have spent time doing operating system research, is intimately familiar with is that of caching. Files are cached in memory for system performance as they are accessed and used. This makes the cache a valuable source from a forensic perspective since we are able to retrieve files that were in use correctly, instead of file carving which does not make use of how items are mapped in memory. Files may not be completely mapped in memory (also for performance), so missing sections are zero padded. Files dumped from memory can then be processed with external tools.
For more information see AAron Walter's post: MoVP 4.4 Cache Rules Everything Around Me(mory).
There are several options in the dumpfiles plugin, for example:
By default, dumpfiles iterates through the VAD and extracts all files that are mapped as DataSectionObject, ImageSectionObject or SharedCacheMap. As an investigator, however, you may want to perform a more targeted search. You can use the -r and -i flags to specify a case-insensitive regex of a filename. In the output below, you can see where the file was dumped from (DataSectionObject, ImageSectionObject or SharedCacheMap), the offset of the _FILE_OBJECT, the PID of the process whose VAD contained the file and the file path on disk:
The dumped filename is in the format of:
file.[PID].[OFFSET].ext
The OFFSET is the offset of the SharedCacheMap or the _CONTROL_AREA, not the _FILE_OBJECT.
The extension (EXT) can be:
- img –
ImageSectionObject - dat -
DataSectionObject - vacb –
SharedCacheMap
You can look at the -S/--summary-file in order to map the file back to its original filename:
You can also use the parsesummary.py script to parse out the json output of the summary file. The following shows an example of using this script. In addition to the original file name, PID of the process that had the file open and size, you can see which pages were present and which pages were missing and padded with zeros in the parsed summary output:
Or you can use the -n/--name option in order to dump file the files with the original filename.
Not every file will be currently active or in the VAD, and such files will not be dumped when using the -r/--regex option. For these files you can first scan for a _FILE_OBJECT and then use the -Q/--physoffset flag to extract the file. Special NTFS files are examples of files that must be dumped specifically:
The -f/--filter option allows you to specify which view of the file you would like to dump (DataSectionObject, ImageSectionObject or SharedCacheMap). For example, if you wanted to only see the state information for an executable file, you could specify --filter=ImageSectionObject.
unloadedmodules
Windows stores information on recently unloaded drivers for debugging purposes. This gives you an alternative way to determine what happened on a system, besides the well known modules and modscan plugins.
connections
To view TCP connections that were active at the time of the memory acquisition, use the connections command. This walks the singly-linked list of connection structures pointed to by a non-exported symbol in the tcpip.sys module.
This command is for x86 and x64 Windows XP and Windows 2003 Server only.
Output includes the virtual offset of the _TCPT_OBJECT by default. The physical offset can be obtained with the -P switch.
connscan
To find _TCPT_OBJECT structures using pool tag scanning, use the connscan command. This can find artifacts from previous connections that have since been terminated, in addition to the active ones. In the output below, you'll notice some fields have been partially overwritten, but some of the information is still accurate. For example, the very last entry's Pid field is 0, but all other fields are still in tact. Thus, while it may find false positives sometimes, you also get the benefit of detecting as much information as possible.
This command is for x86 and x64 Windows XP and Windows 2003 Server only.
sockets
To detect listening sockets for any protocol (TCP, UDP, RAW, etc), use the sockets command. This walks a singly-linked list of socket structures which is pointed to by a non-exported symbol in the tcpip.sys module.
This command is for x86 and x64 Windows XP and Windows 2003 Server only.
Output includes the virtual offset of the _ADDRESS_OBJECT by default. The physical offset can be obtained with the -P switch.
sockscan
To find _ADDRESS_OBJECT structures using pool tag scanning, use the sockscan command. As with connscan, this can pick up residual data and artifacts from previous sockets.
This command is for x86 and x64 Windows XP and Windows 2003 Server only.
netscan
To scan for network artifacts in 32- and 64-bit Windows Vista, Windows 2008 Server and Windows 7 memory dumps, use the netscan command. This finds TCP endpoints, TCP listeners, UDP endpoints, and UDP listeners. It distinguishes between IPv4 and IPv6, prints the local and remote IP (if applicable), the local and remote port (if applicable), the time when the socket was bound or when the connection was established, and the current state (for TCP connections only). For more information, see http://mnin.blogspot.com/2011/03/volatilitys-new-netscan-module.html Volatility's New Netscan Module.
Please note the following:
- The netscan command uses pool tag scanning
- There are at least 2 alternate ways to enumerate connections and sockets on Vista+ operating systems. One of them is using partitions and dynamic hash tables, which is how the netstat.exe utility on Windows systems works. The other involves bitmaps and port pools.
Volatility is the only memory forensics framework with the ability to carve registry data. For more information, see BDG's Memory Registry Tools and Registry Code Updates.
hivescan
To find the physical addresses of CMHIVEs (registry hives) in memory, use the hivescan command. For more information, see BDG's Enumerating Registry Hives.
This plugin isn't generally useful by itself. Its meant to be inherited by other plugins (such as hivelist below) that build on and interpret the information found in CMHIVEs.
hivelist
To locate the virtual addresses of registry hives in memory, and the full paths to the corresponding hive on disk, use the hivelist command. If you want to print values from a certain hive, run this command first so you can see the address of the hives.
printkey
To display the subkeys, values, data, and data types contained within a specified registry key, use the printkey command. By default, printkey will search all hives and print the key information (if found) for the requested key. Therefore, if the key is located in more than one hive, the information for the key will be printed for each hive that contains it.
Say you want to traverse into the HKEY_LOCAL_MACHINEMicrosoftSecurity CenterSvc key. You can do that in the following manner. Note: if you're running Volatility on Windows, enclose the key in double quotes (see issue 166).
Here you can see how the output appears when multiple hives (DEFAULT and ntuser.dat) contain the same key 'SoftwareMicrosoftWindows NTCurrentVersion'.
If you want to limit your search to a specific hive, printkey also accepts a virtual address to the hive. For example, to see the contents of HKEY_LOCAL_MACHINE, use the command below. Note: the offset is taken from the previous hivelist output.
hivedump
To recursively list all subkeys in a hive, use the hivedump command and pass it the virtual address to the desired hive.
hashdump
To extract and decrypt cached domain credentials stored in the registry, use the hashdump command. For more information, see BDG's Cached Domain Credentials and SANS Forensics 2009 - Memory Forensics and Registry Analysis.
To use hashdump, pass the virtual address of the SYSTEM hive as -y and the virtual address of the SAM hive as -s, like this:
Hashes can now be cracked using John the Ripper, rainbow tables, etc.
It is possible that a registry key is not available in memory. When this happens, you may see the following error:
'ERROR : volatility.plugins.registry.lsadump: Unable to read hashes from registry'
You can try to see if the correct keys are available: 'CurrentControlSetControllsa' from SYSTEM and 'SAMDomainsAccount' from SAM. First you need to get the 'CurrentControlSet', for this we can use volshell (replace [REGISTRY ADDRESS](SYSTEM) below with the offset you get from hivelist), for example:
Then you can use the printkey plugin to make sure the keys and their data are there. Since the 'CurrentControlSet' is 1 in our previous example, we use 'ControlSet001' in the first command:
If the key is missing you should see an error message:
'The requested key could not be found in the hive(s) searched'
lsadump
To dump LSA secrets from the registry, use the lsadump command. This exposes information such as the default password (for systems with autologin enabled), the RDP public key, and credentials used by DPAPI.
For more information, see BDG's Decrypting LSA Secrets.
Possible items are:
- $MACHINE.ACC: Domain authentication Microsoft.
- DefaultPassword: Password used to log on to Windows when auto-login is enabled.
- NL$KM: Secret key used to encrypt cached domain passwords Decrypting LSA Secrets.
- L$RTMTIMEBOMB_*: Timestamp giving the date when an unactivated copy ofWindows will stop working.
- L$HYDRAENCKEY_*: Private key used for Remote Desktop Protocol (RDP). If you alsohave a packet capture from a system that was attacked via RDP, you can extract the client’s public key from the packet capture and the server’s private key from memory; then decrypt the traffic.
userassist
To get the UserAssist keys from a sample you can use the userassist plugin. For more information see Gleeda's Volatility UserAssist plugin post.
shellbags
This plugin parses and prints Shellbag (pdf) information obtained from the registry. For more information see Shellbags in Memory, SetRegTime, and TrueCrypt Volumes. There are two options for output: verbose (default) and bodyfile format.
Another option is to use the --output=body option for TSK 3.x bodyfile format. You can use this output option when you want to combine output from timeliner, mftparser and timeliner. You can also include a machine identifier in the bodyfile header with the --machine flag (this is useful when combining timelines from multiple machines). Only ITEMPOS and FILE_ENTRY items are output with the bodyfile format:
shimcache
This plugin parses the Application Compatibility Shim Cache registry key.
getservicesids
The getservicesids command calculates the SIDs for services on a machine and outputs them in Python dictionary format for future use.The service names are taken from the registry ('SYSTEMCurrentControlSetServices'). For more information on how these SIDs are calculated, see Timeliner Release Documentation (pdf). Example output can be seen below:
In order to save output to a file, use the --output-file option.
dumpregistry
The dumpregistry plugin allows you to dump a registry hive to disk. It works on all supported Windows versions (Windows XP-8.1). By default the plugin will dump all registry files (including virtual registries like HARDWARE) found to disk, however you may specify the virtual offset for a specific hive in order to only dump one registry at a time. One caveat about using this plugin (or the dumpfiles plugin) is that there may be holes in the dumped registry file, so offline registry tools may crash if they are not made robustly to handle 'corrupt' files. These holes are denoted in the text output with lines like Physical layer returned None for index 2000, filling with NULL. Example output is shown below:
Notice that the HARDWARE registry has 'Data' as the type. This is because the first few cells of the registry are zeroed out. If you examine the registry with a hex editor, you will see valid keys and values:
You may also dump only one registry at a time by using the virtual offset of the hive:
Volatility supports memory dumps in several different formats, to ensure the highest compatibility with different acquisition tools. You can analyze hibernation files, crash dumps, virtualbox core dumps, etc in the same way as any raw memory dump and Volatility will detect the underlying file format and apply the appropriate address space. You can also convert between file formats.
crashinfo
Information from the crashdump header can be printed using the crashinfo command. You will see information like that of the Microsoft dumpcheck utility.
hibinfo
The hibinfo command reveals additional information stored in the hibernation file, including the state of the Control Registers, such as CR0, etc. It also identifies the time at which the hibernation file was created, the state of the hibernation file, and the version of windows being hibernated. Example output for the function is shown below.
imagecopy
The imagecopy command allows you to convert any existing type of address space (such as a crashdump, hibernation file, virtualbox core dump, vmware snapshot, or live firewire session) to a raw memory image. This conversion be necessary if some of your other forensic tools only support reading raw memory dumps.
The profile should be specified for this command, so if you don't know it already, use the kdbgscan or imageinfo commands first. The output file is specified with the -O flag. The progress is updated as the file is converted:
raw2dmp
To convert a raw memory dump (for example from a win32dd acquisition or a VMware .vmem file) into a Microsoft crash dump, use the raw2dmp command. This is useful if you want to load the memory in the WinDbg kernel debugger for analysis.
vboxinfo
To pull details from a virtualbox core dump, use the vboxinfo command.
vmwareinfo
Use this plugin to analyze header information from vmware saved state (vmss) or vmware snapshot (vmsn) files. The metadata contains CPU registers, the entire VMX configuration file, memory run information, and PNG screenshots of the guest VM.
hpakinfo
This plugin shows info from an hpak formatted memory dump created by FDPro.exe.
hpakextract
If you have an hpak file whose contents are compressed, you can extract and decompress the physical memory image using this plugin.
mbrparser
Scans for and parses potential Master Boot Records (MBRs). There are different options for finding MBRs and filtering output. For more information please see Recovering Master Boot Records from Memory. While this plugin was written with Windows bootkits in mind, it can also be used with memory samples from other systems.
When run without any extra options, mbrparser scans for and returns information all potential MBRs defined by signature ('x55xaa') found in memory. Information includes: disassembly of bootcode (must have distorm3 installed) and partition information. This will most likely have false positives.
If distorm3 is not installed, the -H/--hex option can be used to get the entire bootcode section in hex instead of disassembly:
If the physical offset of the MBR is known, it can be specified with the -o/--offset= option for example:
If the md5 hash of the desired bootcode is known, one can be specified using either the -M/--hash (the hash of bootcode up to the RET instruction) or -F/--fullhash (the hash of full bootcode) option.
or
In order to cut down on false positives there is a -C/--check option that checks the partition table for one bootable partition that has a known, nonempty type (NTFS, FAT*, etc).
There is also an option to change the offset for the start of the disassembly. This can be useful for investigating machines (like Windows XP) that only copy the part of the MBR bootcode that has not yet executed. For example, before changing the offset:
After changing the starting offset:
mftparser
This plugin scans for potential Master File Table (MFT) entries in memory (using 'FILE' and 'BAAD' signatures) and prints out information for certain attributes, currently: $FILE_NAME ($FN), $STANDARD_INFORMATION ($SI), $FN and $SI attributes from the $ATTRIBUTE_LIST, $OBJECT_ID (default output only) and resident $DATA. This plugin has room for expansion, however, and VTypes for other attributes are already included. For more information please see Reconstructing the MBR and MFT from Memory (OMFW 2012 slides). Options of interest include:
--machine- Machine name to add to timeline header (useful when combining timelines from multiple machines)-D/--dump-dir- Output directory to which resident data files are dumped--output=body- print output in Sleuthkit 3.X body format--no-check- Prints out all entries including those with null timestamps-E/--entry-size- Changes the default 1024 byte MFT entry size.-O/--offset- Prints out the MFT entry at a give offset (comma delimited)
This plugin may take a while to run before seeing output, since it scans first and then builds the directory tree for full file paths.
Example (default output):
The bodyfile output is also an option. It is recommended that the output be stored in a file using the --output-file option, since it is quite lengthy. The following shows creating a bodyfile using mftparser while dumping resident files. You can also see a file of interest that is created on the system (f.txt) which happens to be recovered in the output directory:
The Sleuthkit mactime utility can then be used to output the bodyfile in a readable manner:
strings
For a given image and a file with lines of the form <decimal_offset>:<string>, or <decimal_offset> <string>,output the corresponding process and virtual addresses where thatstring can be found. Expected input for this tool is the output ofMicrosoft Sysinternals' Strings utility, or another utility thatprovides similarly formatted offset:string mappings. Note that theinput offsets are physical offsets from the start of the file/image.
Sysinternals Strings can be used on Linux/Mac using Wine. Output should be redirected to a file to be fed to the Volatility strings plugin. If you're using GNU strings command, use the -td flags to produce offsets in decimal (the plugin does not accept hex offsets). Some example usages are as follows:
Windows
It can take a while for the Sysinternals strings program to finish. The –q and –o switches are imperative, since they make sure the header is not output (-q) and that there is an offset for each line (-o).
Linux/Mac
You can use the Sysinternals strings program with wine:
You can also use the GNU strings utility that comes with Linux and Mac (Note: the default strings utility on Mac does not have Unicode support. You can install the GNU binutils package in order to get a strings utility that does). You should use the -td flags to get the decimal offset and will have to make a second pass with the -el flags in order to get (little endian) Unicode strings. Notice that the second pass appends (>>) to the existing file:
The result should be a text file that contains the offset and strings from the image for example:
EnCase Keyword Export
You can also use EnCase to export keywords and offsets in this format with some tweaking. One thing to note is that EnCase exports text in UTF-16 with a BOM of (U+FEFF) which can cause issues with the strings plugin. An example look at the exported keyword file:
Now tweaking the file by removing the header and tabs we have:
We can see that it is UTF-16 and has a BOM of (U+FEFF) by using a hex editor.
We have to convert this to ANSI or UTF-8. In Windows you can open the text file and use the 'Save As' dialog to save the file as ANSI (in the 'Encoding' drop-down menu). In Linux you can use iconv:
NOTE: You must make sure there are NO blank lines in your final 'strings' file.
Now we can see a difference in how these two files are handled:
NOTE: The Volatility strings output is very verbose and it is best to redirect or save to a file. The following command saves the output using the --output-file option and filename 'win7_vol_strings.txt'
By default strings will only provide output for processes found by walking the doubly linked list pointed to by PsActiveProcessHead (see pslist) in addition to kernel addresses. strings can also provide output for hidden processes (see psscan) by using the (capital) -S switch:
Also an EPROCESS offset can be provided:
The strings plugin takes a while to complete. When it completes, you should have an output file with each line in the following format:
In the example output you can see PIDs/kernel references:
Once you have the strings output, you can see which process(es) have the suspicious string in memory and can then narrow your focus. You can grep for the string or pattern depending on the context you were given. For example, if you are looking for a particular command:
For all IPs:
For all URLs:
Depending on the context, your searches will vary.
volshell
If you want to interactively explore a memory image, use the volshell command. This gives you an interface similar to WinDbg into the memory dump. For example, you can:
- List processes
- Switch into a process's context
- Display types of structures/objects
- Overlay a type over a given address
- Walk linked lists
- Disassemble code at a given address
Note: volshell can take advantage of IPython if you have it installed. This will add tab-completion and saved command history.
To break into a volshell:
Let's say you want to see what's at 0x779f0000 in the memory of explorer.exe. First display the processes so you can get the PID or offset of Explorer's EPROCESS. (Note: if you want to view data in kernel memory, you do not need to switch contexts first.)
Now switch into Explorer's context and print the data with either db (display as canonical hexdump) or dd (display as double-words):
So there is a PE at 0x779f0000 in explorer.exe. If you want to disassemble instructions at RVA 0x2506 in the PE, do this:
If you want to remind yourself of the members in an EPROCESS object for the given OS, do this:
To overlay the EPROCESS types onto the offset for explorer.exe, do this:
The db, dd, dt, and dis commands all accept an optional 'space' parameter which allows you to specify an address space. You will see different data depending on which address space you're using. Volshell has some defaults and rules that are important to note:
If you don't supply an address space and have not switched into a process context with cc, then you'll be using the default kernel space (System process).
If you don't supply an address space and have switched into a process context with cc, then you'll be using the space of the active/current process.
If you explicitly supply an address space, the one you supplied will be used.
Imagine you're using one of the scan commands (psscan, connscan, etc.) and you think it has picked up a false positive. The scan commands output a physical offset (offset into the memory dump file). You want to explore the data around the potential false positive to determine for yourself if any structure members appear sane or not. One way you could do that is by opening the memory dump in a hex viewer and going to the physical offset to view the raw bytes. However, a better way is to use volshell and overlay the structure question to the alleged physical offset. This allows you to see the fields interpreted as their intended type (DWORD, string, short, etc.)
Here's an example. First instantiate a physical address space:
Assuming the alleged false positive for an EPROCESS is at 0x433308, you would then do:
Another neat trick is to use volshell in a non-interactive manner. For example, say you want to translate an address in kernel memory to its corresponding physical offset.
Thus the kernel address 0x823c8830 translates to physical offset 0x25c8830 in the memory dump file.
You can execute multiple commands sequentially like this:
For more information, see BDG's Introducing Volshell.
bioskbd
To read keystrokes from the BIOS area of memory, use the bioskbd command. This can reveal passwords typed into HP, Intel, and Lenovo BIOS and SafeBoot, TrueCrypt, and BitLocker software. Depending on the tool used to acquire memory, not all memory samples will contain the necessary BIOS area. For more information, see Andreas Schuster's Reading Passwords From the Keyboard Buffer, David Sharpe's Duplicating Volatility Bioskbd Command Function on Live Windows Systems, and Jonathan Brossard's Bypassing pre-boot authentication passwords by instrumenting the BIOS keyboard buffer.
patcher
The patcher plugin accepts a single argument of '-x' followed by an XML file. The XML file then specifies any required patches as in the following example:
The XML root element is always patchfile, and contains any number of patchinfo elements. When the patchfile is run, it will scan over the memory once for each patchinfo, attempting to scan using the method specified in the method attribute. Currently the only support method is pagescan and this must be explicitly declared in each patchinfo element.
Each pagescan type patchinfo element contains a single constraints element and a single patches element. The scan then proceeds over each page in memory, verifying that all constraints are met, and if so, the instructions specified in the patches element are carried out.
The constraints element contains any number of match elements which take a specific offset attribute (specifying where within the page the match should occur) and then contain a hexadecimal string for the bytes that are supposed to match.
The patches element contains any number of setbytes elements which take a specific offset attribute (specifying where with the page the patch should modify data) and then contains a hexidecimal string for the bytes that should be written into the page.
Note: When running the patcher plugin, there will be no modification made to memory unless the write option (-w) has been specified on the command line.
pagecheck
The pagecheck plugin uses a kernel DTB (from the System/Idle process) and determines which pages should be memory resident (using the AddressSpace.get_available_pages method). For each page, it attempts to access the page data and reports details, such as the PDE and PTE addresses if the attempt fails. This is a diagnostic plugin, usually helpful in troubleshooting 'holes' in an address space.
This plugin is not well-supported. It is in the contrib directory and currently only works with non-PAE x86 address spaces.
timeliner
This timeliner plugin creates a timeline from various artifacts in memory from the following sources (items in parenthesis are filters that may be used with the --type flag in order to obtain only items of that artifact):
- System time (ImageDate)
- Processes (Process)
- Create and Exit times
- LastTrimTime (XP and 2003 only)
- DLLs (Process, LoadTime)
- LoadTime (Windows 7 and 8 only)
- PE Timestamps (TimeDateStamp)
- Modules/Processes/DLLs
- _IMAGE_FILE_HEADER
- _IMAGE_DEBUG_DIRECTORY
- Threads (Thread)
- Create and Exit times
- Sockets (Socket)
- Create time
- Event logs (XP and 2003 only) (EvtLog)
- IE History (IEHistory)
- Registry hives (_CMHIVE and _HBASE_BLOCK)
- Registry keys
- LastWriteTime of registry keys in _CMHIVE (Registry)
- LastWriteTime of registry key objects referenced in the handle table (_CM_KEY_BODY)
- Embedded registry (filters below)
- Userassist
- Shimcache
- Timers (Timer)
- Symbolic links (Symlink)
You can filter for any of the above options in order to have more focused output using the --type flag:
There are three options for output: default text output, bodyfile format and an Excel 2007 file. For more details see Timeliner Release Documentation (pdf) and the OMFW 2011 presentation Time is on My Side. You can also include a machine identifier in the header with the --machine flag (this is useful when combining timelines from multiple machines). The following shows the default text output:
If you don't want to do the extra step of importing, you can use the --output=xlsx option with --output-file=[FILE](OUTPUT) to save directly an Excel 2007 file. Note: You must have OpenPyxl installed for this.
Another option is to use the --output=body option for TSK 3.x bodyfile format. You can use this output option when you want to combine output from timeliner, mftparser and shellbags.
By default everything except the registry LastWrite timestamps are included in the output of timeliner, this is because obtaining the registry timestamps is quite labor intensive. In order to add them to the output, simply add the --type=Registry option when you run Volatility. You can also limit your focus of registry timestamps by listing a specific registry name (like --hive=SYSTEM) or user (--user=Jim) or both (--hive=UsrClass.dat --user=jim). These options are case insensitive.
1) As many as 2 to 5 have been found at once.
2) Once “removed,” they appear again in no time.
B. McAfee – Update Error
“An error occurred in updating. Please reinstall these programs:
- McAfee Security Center”
NOT DONE – Expected to be repetitive.
C. Defrag – no access
1) Norton Speed Disk won’t start. Error Message:
“An unexpected error occurred while communicating with the Speed Disk Service (NOPDB.EXE). Please exit Speed Disk, restart the Speed Disk Service, and try again. If the problem persists, reinstall Speed Disk.”
Reinstalled Speed Disk. Same result.
2) Windows XP Accessories Disk Defragmenter Error message:
“Disk Defragmenter could not start.”
D. Backup – presently unable to back up.
1) My backup utility, XXCLONE, will not start. (Last backup was WAY too old.) It returns following Error Message from its initial disk scan:
“The source volume (C:) specified in the command line does not exist, or the volume label does not match. Therefore, it will be ignored.”
2) Windows XP Accessories backup component refused to start as well. Error message:
“The Backup Utility cannot connect to the Removable Storage service. This service is required for use of tape drives and other backup devices. Please exit and start the Removable Storage service using the System Services function of the Management Console.”
Started service. Allowed backup utility to start. It backed up over half of C: drive. But insufficient space on target drive. I mistakenly assumed it would have prepared the drive first...
3) Finally was able to copy all of C: drive to the F: drive, directory by directory, EXCEPT the Windows directory, which I omitted. Seemed that it would contain the brunt of what's wrong with this machine. But, should I copy it as well? Parts? I'd like to have copied all that should be copied before running scans. Please comment.
E. Formatting – Was initially unable to format. I attempted to format backup target drive F: on USB hard drive.
1) Windows Disk Management utility does not see ANY drives. Its window is BLANK.
2) Right-clicking F: in Explorer gave access to the format command. A Quick Format command produced this error message:
“Windows was unable to complete the format.”
3) I finally was able to format the F: drive but do not recall how I then copied C: drive files to it as described in previous section.
F. Browser (Firefox)
1) Misdirection to other search or ad aggregation pages when clicking on Google search results ‘headlines’ links. Copy/pasting of the results’ urls works fine.
2) Numerous pop-ups
G. Email (Outlook)
1) Huge numbers of “Mail Undeliverable” messages in Inbox, sent to me and or my domain, returning obvious spam which I’ve had nothing to do with sending.
H. Taskbar Volume Control – instead of emitting the modulated confirming “beep,” a VERY loud , quick sharp shriek is heard when making an adjustment to volume.
I. Adobe Acrobat – .pdf files close unexpectedly.
But for the above-described problems, the system is basically, reasonably functional.
Posted this problem at another site first. I have de-activated that thread. At a helper's suggestion I had tried to run GMER.exe and Kapersky. Could not get either to even run.
Everyone's data is important; mine is terribly so. Please give this as much priority as you can.
Am in your hands.
Thank you,
pajuliet
DDS.txt follows:
DDS (Ver_09-06-26.01) - NTFSx86
Run by PNJ at 0:32:45.18 on Sat 07/18/2009
Internet Explorer: 7.0.5730.11
BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional
5.1.2600.2.1252.1.1033.18.1023.357 [GMT
-4:00]
AV: McAfee VirusScan *On-access scanning
enabled* (Outdated)
{84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled*
{94894B63-8C7F-4050-BDA4-813CA00DA3E8}
Running Processes
C:WINDOWSsystem32svchost -k DcomLaunch
svchost.exe
C:WINDOWSSystem32svchost.exe -k netsvcs
C:WINDOWSsystem32svchost.exe -k
WudfServiceGroup
C:Program
FilesIntelWirelessBinEvtEng.exe
C:Program
FilesIntelWirelessBinS24EvMon.exe
C:Program
FilesIntelWirelessBinWLKeeper.exe
Rootkit Ntoskrnl.exe
svchost.exesvchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSSystem32svchost.exe -k Akamai
C:WINDOWSsystem32driversCDAC11BA.EXE
C:WINDOWSeHomeehRecvr.exe
C:WINDOWSeHomeehSched.exe
C:Program
FilesMcAfeeSiteAdvisorMcSACore.exe
C:PROGRA~1McAfeeMSCmcmscsvc.exe
c:PROGRA~1COMMON~1mcafeemcproxymcproxy
.exe
C:PROGRA~1McAfeeVIRUSS~1mcshield.exe
C:Program FilesMcAfeeMPFMPFSrv.exe
C:Program FilesMcAfeeMSKMskSrver.exe
C:Program FilesNorton SystemWorksNorton
UtilitiesNPROTECT.EXE
C:Program
FilesIntelWirelessBinRegSrvc.exe
C:PROGRA~1NORTON~1SPEEDD~1nopdb.exe
svchost.exe
C:WINDOWSsystem32svchost.exe -k imgsvc
C:WINDOWSSystem32TSIRCSRV.EXE
C:Program FilesUPHCleanuphclean.exe
C:WINDOWSSystem32dmadmin.exe
C:WINDOWSsystem32dllhost.exe
C:PROGRA~1McAfeeVIRUSS~1mcsysmon.exe
C:Program
FilesIntelWirelessBinZcfgSvc.exe
c:windowstsi32tsircusr.exe
C:WINDOWSExplorer.EXE
c:PROGRA~1mcafee.comagentmcagent.exe
C:PROGRA~1IntelWirelessBin1XConfig.exe
C:WINDOWSsystem32RunDLL32.exe
C:WINDOWSsystem32rundll32.exe
C:Program
FilesIntelWirelessBinifrmewrk.exe
C:Program FilesApointApoint.exe
C:Program
FilesLogitechMouseWaresystemem_exec.exe
C:WINDOWSehomeehtray.exe
C:Program FilesLinksys Wireless-G Print
ServerPSDiagnosticM.exe
C:Program FilesCommon
FilesLogiShrdLComMgrCommunications_Helpe
r.exe
C:Program
FilesLogitechQuickCamQuickcam.exe
C:WINDOWSeHomeehmsas.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesApointApntex.exe
C:Program FilesToshibaBluetooth Toshiba
StackTosBtMng.exe
C:Program FilesLexicoCleverKeysCK.exe
C:Program FilesCommon
FilesLogiShrdLVCOMSERLVComSer.exe
C:Program FilesCommon
FilesLogiShrdLVCOMSERLVComSer.exe
C:Program
FilesvghdVirtuaGirl_downloader.exe
C:Program FilesToshibaBluetooth Toshiba
StackTosA2dp.exe
C:Program FilesToshibaBluetooth Toshiba
StackTosBtHid.exe
C:Program FilesToshibaBluetooth Toshiba
StackTosBtHsp.exe
C:Program FilesCommon
FilesLogishrdLQCVFXCOCIManager.exe
C:Program FilesToshibaBluetooth Toshiba
StackTosAVRC.exe
C:Program FilesToshibaBluetooth Toshiba
StacktosOBEX.exe
C:Program FilesToshibaBluetooth Toshiba
StacktosBtProc.exe
C:Program FilesMozilla
Firefoxfirefox.exe
C:Program FilesCommon FilesMicrosoft
SharedVS7Debugmdm.exe
C:Program FilesMicrosoft
OfficeOffice10WINWORD.EXE
C:Documents and
SettingsPNJDesktopdds.scr
Pseudo HJT Report
uStart Page = hxxp://my.yahoo.com/
uDefault_Page_URL =
hxxp://www.dell4me.com/myway
uInternet Settings,ProxyOverride =
dynhost.inetcam.com;register.inetcam.com;*.
local
mWinlogon:
Userinit=userinit.exe,c:windowstsi32tsir
cusr.exe
BHO: SnagIt Toolbar Loader:
{00c6482d-c502-44c8-8409-fce54ad9c208} -
c:program filestechsmithsnagit
8SnagItBHO.dll
BHO: Adobe PDF Reader Link Helper:
{06849e9f-c8d7-4d59-b87d-784b7d6be0b3} -
c:program filescommon
filesadobeacrobatactivexAcroIEHelper.dl
l
BHO: ContributeBHO Class:
{074c1dc5-9320-4a9a-947d-c042949c6216} -
c:program filesadobe/Adobe Contribute
CS3/contributeieplugin.dll
BHO: McAfee Phishing Filter:
{27b4851a-3207-45a2-b947-be8afe6163ab} -
c:progra~1mcafeemskmskapbho.dll
BHO: Yahoo! IE Services Button:
{5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} -
c:program filesyahoo!commonyiesrvc.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB}
- No File
BHO: DriveLetterAccess:
{5ca3d70e-1895-11cf-8e15-001234567890} -
c:windowssystem32dlatfswshx.dll
BHO: SSVHelper Class:
{761497bb-d6f0-462c-b6eb-d4daf1d92d43} -
c:program
filesjavajre1.6.0_02binssv.dll
BHO: scriptproxy:
{7db2d5a0-7241-4e79-b68d-6309f01c5231} -
c:progra~1mcafeeviruss~1scriptsn.dll
BHO: Windows Live Sign-in Helper:
{9030d464-4c02-4abf-8ecc-5164760863c6} -
c:program filescommon filesmicrosoft
sharedwindows liveWindowsLiveLogin.dll
BHO: File Print FedEx Kinko's:
{9566395f-43d2-4c64-b525-b501ffa276e2} -
mscoree.dll
BHO: Adobe PDF Conversion Toolbar Helper:
{ae7cd045-e861-484f-8273-0445ee161910} -
c:program filesadobeacrobat
8.0acrobatAcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO:
{af69de43-7d58-4638-b6fa-ce66b5ad205d} -
c:program
filesgooglegoogletoolbarnotifier5.1.1309
.3572swg.dll
BHO: McAfee SiteAdvisor BHO:
{b164e929-a1b6-4a06-b104-2cd0e90a88ff} -
c:progra~1mcafeesitead~1mcieplg.dll
BHO: CNavExtBho Class:
{bdf3e430-b101-42ad-a544-fadc6b084872} -
c:program filesnorton systemworksnorton
antivirusNavShExt.dll
BHO: MyLogoHelper:
{ea4587eb-3106-448a-8b31-f1572e981765} -
c:progra~1edenso~1MyLogo.dll
BHO: Google Audio Helper:
{f88849b8-9394-48ff-b0c7-5e5a55ca47fe} -
%SystemRoot%system32apphelp01.dll
TB: Easy-WebPrint:
{327c2873-e90d-4c37-aa9d-10ac9baba46c} -
c:program
filescanoneasy-webprintToolband.dll
TB: Yahoo! Toolbar:
{ef99bd32-c1fb-11d2-892f-0090271d4f88} -
c:program
filesyahoo!companioninstallscpnyt.dll
TB: File Print FedEx Kinko's:
{9566395f-43d2-4c64-b525-b501ffa276e2} -
mscoree.dll
TB: SnagIt:
{8ff5e183-abde-46eb-b09e-d2aab95cabe3} -
c:program filestechsmithsnagit
8SnagItIEAddin.dll
TB: PopUpCop:
{db43e4e6-ff8a-4018-8c8e-f68587a44a73} -
c:progra~1popupcopPopUpCop.dll
TB: Adobe PDF:
{47833539-d0c5-4125-9fa8-0819e2eaac93} -
c:program filesadobeacrobat
8.0acrobatAcroIEFavClient.dll
TB: Contribute Toolbar:
{517bdde4-e3a7-4570-b21e-2b52b6139fc7} -
c:program filesadobe/Adobe Contribute
CS3/contributeieplugin.dll
TB: McAfee SiteAdvisor Toolbar:
{0ebbbe48-bad4-4b4c-8e5a-516abecae064} -
c:progra~1mcafeesitead~1mcieplg.dll
TB: Norton AntiVirus:
{42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} -
c:program filesnorton systemworksnorton
antivirusNavShExt.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}
- No File
EB: Adobe PDF:
{182ec0be-5110-49c8-a062-beb1d02a220b} -
c:program filesadobeacrobat
8.0acrobatAcroIEFavClient.dll
EB: &Yahoo! Messenger:
{4528bbe0-4e08-11d5-ad55-00010333d0ad} -
c:progra~1yahoo!commonyhexbmesus.dll
EB: Real.com:
{fe54fa40-d68c-11d2-98fa-00c0f0318afe} -
c:windowssystem32Shdocvw.dll
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RunDLL32.exe
NvMCTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE
c:windowssystem32NvCpl.dll,NvStartup
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [IntelWireless] c:program
filesintelwirelessbinifrmewrk.exe /tf
Intel PROSet/Wireless
mRun: [Apoint] c:program
filesapointApoint.exe
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM]
c:progra~1common~1adobeadobev~1server
binVERSIO~2.EXE
mRun: [CanonSolutionMenu] c:program
filescanonsolutionmenuCNSLMAIN.exe
/logon
mRun: [ehTray] c:windowsehomeehtray.exe
mRun: [mcagent_exe] 'c:program
filesmcafee.comagentmcagent.exe' /runkey
mRun: [ISUSPM Startup]
c:progra~1common~1instal~1update~1ISUS
PM.exe -startup
mRun: [KernelFaultCheck]
%systemroot%system32dumprep 0 -k
mRun: [PSDiagnosticM] 'c:program
fileslinksys wireless-g print
serverPSDiagnosticM.exe'
mRun: [LogitechCommunicationsManager]
'c:program filescommon
fileslogishrdlcommgrCommunications_Helpe
r.exe'
mRun: [LogitechQuickCamRibbon] 'c:program
fileslogitechquickcamQuickcam.exe' /hide
StartupFolder:
c:docume~1pnjstartm~1programsstartupd
eskto~1.lnk - c:program
filesvghdvghd.exe
StartupFolder:
c:docume~1pnjstartm~1programsstartupi
s-k01dk.lnk - c:documents and
settingspnjdesktopvirus removal
toolis-k01dkstartup.exe
StartupFolder: c:documents and
settingspnjstart
menuprogramsstartupPowerReg
Scheduler.exe
StartupFolder:
c:docume~1alluse~1startm~1programsstar
tupblueto~1.lnk - c:program
filestoshibabluetooth toshiba
stackTosBtMng.exe
StartupFolder:
c:docume~1alluse~1startm~1programsstar
tupclever~1.lnk - c:program
fileslexicocleverkeysCK.exe
uPolicies-system: EnableProfileQuota = 1
(0x1)
IE: &Yahoo! Search - file:///c:program
filesyahoo!Common/ycsrch.htm
IE: Append to existing PDF - c:program
filesadobeacrobat
8.0acrobatAcroIEFavClient.dll/AcroIEAppen
d.html
IE: Convert link target to Adobe PDF -
c:program filesadobeacrobat
8.0acrobatAcroIEFavClient.dll/AcroIECaptu
re.html
IE: Convert link target to existing PDF -
c:program filesadobeacrobat
8.0acrobatAcroIEFavClient.dll/AcroIEAppen
d.html
IE: Convert selected links to Adobe PDF -
c:program filesadobeacrobat
8.0acrobatAcroIEFavClient.dll/AcroIECaptu
reSelLinks.html
IE: Convert selected links to existing PDF
- c:program filesadobeacrobat
8.0acrobatAcroIEFavClient.dll/AcroIEAppen
dSelLinks.html
IE: Convert selection to Adobe PDF -
c:program filesadobeacrobat
8.0acrobatAcroIEFavClient.dll/AcroIECaptu
re.html
IE: Convert selection to existing PDF -
c:program filesadobeacrobat
8.0acrobatAcroIEFavClient.dll/AcroIEAppen
d.html
IE: Convert to Adobe PDF - c:program
filesadobeacrobat
8.0acrobatAcroIEFavClient.dll/AcroIECaptu
re.html
IE: E&xport to Microsoft Excel -
c:progra~1micros~4office10EXCEL.EXE/300
0
IE: Easy-WebPrint Add To Print List -
c:program
filescanoneasy-webprintResource.dll/RC_A
ddToList.html
IE: Easy-WebPrint High Speed Print -
c:program
filescanoneasy-webprintResource.dll/RC_H
SPrint.html
IE: Easy-WebPrint Preview - c:program
filescanoneasy-webprintResource.dll/RC_P
review.html
IE: Easy-WebPrint Print - c:program
filescanoneasy-webprintResource.dll/RC_P
rint.html
IE: Linked Ima&ges - c:program
filesieimageIEimage.htm
IE: Open Image in New Window -
c:progra~1popupcoppopupcop.dll/imagenew
IE: Yahoo! &Dictionary - file:///c:program
filesyahoo!Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:program
filesyahoo!Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:program
filesyahoo!Common/ycsms.htm
IE: {C642FC8F-CB75-4175-AC03-AA40F2D9308D}
- c:program filesbytescout movies
extractor scoutflashextract.exe
IE: {D8980DE8-9D4C-4fb0-8FB4-95B1FA4125AD}
- c:program filesieimageIEimage.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583}
- %windir%Network Diagnosticxpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
- c:program filesmessengermsmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
- {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} -
c:program
filesjavajre1.6.0_02binnpjpi160_02.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
- {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -
c:program filesyahoo!commonyiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
- {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} -
c:windowssystem32Shdocvw.dll
Trusted Zone: aol.comfree
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com*.update
Trusted Zone: turbotax.com
Trusted Zone: windowsupdate.comdownload
DPF: Microsoft XML Parser for Java
DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4}
-
hxxp://download.microsoft.com/download/7/0/
7/707a44ad-52ad-49af-b7ef-e21b6b0656e4/Virt
ualEarth3D.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94}
-
hxxp://www.pcpitstop.com/pcpitstop/PCPitSto
p.CAB
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9}
-
file:///C:/Program%20Files/Monopoly/Images/
stg_drm.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700}
-
hxxp://go.microsoft.com/fwlink/?linkid=3920
4
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab}
- c:program
filesyahoo!commonyinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71}
-
hxxp://download.microsoft.com/download/F/6/
E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9
VCM.CAB
DPF: {428A9DEF-F057-402B-9F2D-A5887F4544ED}
-
hxxp://download.microsoft.com/download/f/0/
2/f02b515c-7076-4cee-bc08-fd6fea594578/Virt
ualEarth3D.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C}
-
hxxp://www.update.microsoft.com/microsoftup
date/v6/V5Controls/en/x86/client/wuweb_site
.cab?1189220628437
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3}
-
hxxp://www.update.microsoft.com/microsoftup
date/v6/V5Controls/en/x86/client/muweb_site
.cab?1189220548593
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93}
-
hxxp://java.sun.com/update/1.6.0/jinstall-1
_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
-
hxxp://java.sun.com/products/plugin/autodl/
jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA}
-
hxxp://java.sun.com/update/1.5.0/jinstall-1
_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
-
hxxp://java.sun.com/update/1.6.0/jinstall-1
_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
-
hxxp://java.sun.com/update/1.6.0/jinstall-1
_6_0_02-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54}
-
file:///C:/Program%20Files/Monopoly/Images/
armhelper.ocx
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7}
-
hxxp://download.microsoft.com/download/7/E/
6/7E6A8567-DFE4-4624-87C3-163549BE2704/clea
radj.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}
-
hxxps://intranets.webex.com/client/T23L/web
ex/ieatgpc.cab
TCP: NameServer =
85.255.112.232,85.255.112.234
TCP: {8C66A413-8F61-4707-980E-315FD4CAE4A4}
= 85.255.112.232,85.255.112.234
TCP: {9D14B209-E30C-4A45-8B59-FE03EC6526B4}
= 85.255.112.232,85.255.112.234
TCP: {D09D7F02-F45D-4291-99F9-18C28B83D630}
= 85.255.112.232,85.255.112.234
Handler: sacore -
{5513F07E-936B-4E52-9B00-067394E91CC5} -
c:progra~1mcafeesitead~1McIEPlg.dll
Notify: IntelWireless - c:program
filesintelwirelessbinLgNotify.dll
SSODL: WPDShServiceObj -
{AAA288BA-9A4C-45B0-95D7-94D524869DB5} -
c:windowssystem32WPDShServiceObj.dll
SecurityProviders: msapsspc.dll,
schannel.dll, digest.dll, msnsspc.dll,
ntoskrnl.dll
FIREFOX
FF - ProfilePath -
c:docume~1pnjapplic~1mozillafirefoxpr
ofiles8idhx9i7.default
FF - prefs.js: browser.search.defaulturl -
hxxp://search.conduit.com/ResultsExt.aspx?c
tid=CT1792828&SearchSource=3&q=
FF - prefs.js:
browser.search.selectedEngine - Diigo
Customize Search
FF - prefs.js: browser.startup.homepage -
hxxp://my.yahoo.com/
FF - component: c:documents and
settingspnjapplication
datamozillafirefoxprofiles8idhx9i7.defa
ultextensions{3d95bcc6-0cab-452e-ac6b-be7
dbaaf2aa7}componentsFFAlert.dll
FF - component: c:program
filesmcafeesiteadvisorcomponentsMcFFPlg
.dll
FF - component: c:program filesmozilla
firefoxcomponentsGoogleDesktopMozilla.dll
FF - plugin:
c:progra~1yahoo!commonnpyaxmpb.dll
FF - plugin: c:program filesgooglegoogle
updater2.4.1536.6592npCIDetect13.dll
FF - plugin: c:program
filesgoogleupdate1.2.183.7npGoogleOneCl
ick8.dll
FF - plugin: c:program filesmozilla
firefoxpluginsnpmozax.dll
FF - plugin: c:program filesmozilla
firefoxpluginsnpSeaTools_EN.dll
FF - plugin: c:program filesvirtual earth
3dnpVE3D.dll
FF - HiddenExtension: Java Console: No
Registry Reference - c:program
filesmozilla
firefoxextensions{CAFEEFAC-0016-0000-0002
-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load
- true // Popupblocker control handled by
McAfee Privacy Service
SERVICES / DRIVERS
R1
is-K01DKdrv;is-K01DKdrv;c:windowssystem32
drivers74383623.sys [2009-7-17 148496]
R1 mfehidk;McAfee Inc.
mfehidk;c:windowssystem32driversmfehidk
.sys [2007-10-12 214024]
R1 TSIMSF5;Traveling Software Mouse Filter
Driver;c:windowssystem32driversTSIMSF5.
sys [2005-10-15 5120]
R2
{95808DC4-FA4A-4c74-92FE-5B863F82066B};{958
08DC4-FA4A-4c74-92FE-5B863F82066B};c:progr
am filescyberlinkpowerdvd000.fcl
[2006-11-2 13560]
R2
Akamai;Akamai;c:windowssystem32svchost.e
xe -k Akamai [2004-8-19 14336]
R2 McAfee SiteAdvisor Service;McAfee
SiteAdvisor Service;c:program
filesmcafeesiteadvisorMcSACore.exe
[2008-12-25 210216]
R2 McProxy;McAfee Proxy
Service;c:progra~1common~1mcafeemcproxy
mcproxy.exe [2007-10-12 359952]
R2 McrdSvc;Media Center Extender
Service;c:windowsehomemcrdsvc.exe
[2005-8-5 99328]
R2 McShield;McAfee Real-time
Scanner;c:progra~1mcafeeviruss~1mcshiel
d.exe [2007-10-12 144704]
R2 NProtectService;Norton Unerase
Protection;c:program filesnorton
systemworksnorton utilitiesNPROTECT.EXE
[2009-6-19 135168]
R2
TSIREGMO;tsiregmo;c:windowssystem32drive
rstsiregmo.sys [2005-10-15 5888]
R2
TSISER;TSISER;c:windowssystem32driverst
siser.sys [2005-10-15 31740]
R2 TSISTRMX;Traveling Software Stream
Driver;c:windowssystem32driversTSISTRMX
.SYS [2005-10-15 5120]
R3 lknuhst;Linksys Network USB Host
Controller;c:windowssystem32driverslknu
hst.sys [2009-2-20 12032]
R3 LKNUHUB;Linksys Network USB Root
Hub;c:windowssystem32driverslknuhub.sys
[2009-2-20 39424]
R3 McSysmon;McAfee
SystemGuards;c:progra~1mcafeeviruss~1mc
sysmon.exe [2007-10-12 606736]
R3 mfeavfk;McAfee Inc.
mfeavfk;c:windowssystem32driversmfeavfk
.sys [2007-10-12 79880]
R3 mfebopk;McAfee Inc.
mfebopk;c:windowssystem32driversmfebopk
Ntoskrnl.exe Rootkit Avg
.sys [2007-10-12 35272]
R3 mfesmfk;McAfee Inc.
mfesmfk;c:windowssystem32driversmfesmfk
.sys [2007-10-12 40552]
S1 TSIRCINK;Traveling Software Install
Driver;c:windowssystem32driversTSIRCINK
.SYS [2005-10-15 9216]
S1 tsircmir;LapLink Mirror Driver
Miniport;c:windowssystem32driverstrircm
ir.sys -->
c:windowssystem32driverstrircmir.sys
[?]
S2 gupdate1c9bc9ba8cebd66;Google Update
Service (gupdate1c9bc9ba8cebd66);c:program
filesgoogleupdateGoogleUpdate.exe
[2009-4-13 133104]
S2 navapsvc;Norton AntiVirus Auto Protect
Service;c:program filesnorton
systemworksnorton antivirusNavapsvc.exe
[2001-8-16 115792]
S2 portD;CMS PortIO
Service;c:windowssystem32driversportd2k
.sys -->
c:windowssystem32driversportd2k.sys [?]
S2 SBService;ScriptBlocking
Service;c:progra~1common~1symant~1scrip
t~1SBServ.exe [2001-8-13 54408]
S3 aawservice;aawservice;c:program
fileslavasoftad-aware 2007aawservice.exe
[2007-8-27 566616]
S3 AngelUsb;Angel USB MPEG
Device;c:windowssystem32driversAngelUsb
.sys [2005-10-8 375424]
S3 CTMSFSYN;Creative SoundFont
Synth;c:windowssystem32driversCTMSFSYN.
SYS [2005-1-31 159104]
S3 LKNUCMP;Linksys Network USB Composite
Device;c:windowssystem32driverslknucmp.
sys [2009-2-20 14848]
S3 mferkdk;McAfee Inc.
mferkdk;c:windowssystem32driversmferkdk
.sys [2007-10-12 34216]
S3
NAVAP;NAVAP;c:windowssystem32driversNAV
AP.SYS [2001-8-3 182896]
S3
NAVENG;NAVENG;c:progra~1common~1symant~1
virusd~120010808.016NAVENG.SYS
[2009-6-19 65920]
S3
NAVEX15;NAVEX15;c:progra~1common~1symant
~1virusd~120010808.016NAVEX15.SYS
[2009-6-19 491712]
S4
RosettaStoneLtdController;RosettaStoneLtdCo
ntroller;c:program
filesrosettastoneltdservicesRosettaStoneL
tdController.exe [2007-9-13 354672]
Created Last 30
2009-07-17 15:53 148,496 a-------
c:windowssystem32drivers74383623.sys
2009-07-16 19:36 20,777 a-------
c:windowssystem3293809819[1].gif
2009-07-12 17:31 54,156 a---h---
c:windowsQTFont.qfn
2009-07-12 17:31 1,409 a-------
c:windowsQTFont.for
2009-06-25 08:32 28 a-------
c:docume~1pnjapplic~1messanger4.dat
2009-06-23 18:57 <DIR> --d-----
c:program filesXXCLONE
2009-06-22 16:32 1,487 --------
c:docume~1pnjapplic~1messanger1.dat
2009-06-22 16:32 0 --------
c:docume~1pnjapplic~1messanger2.dat
2009-06-19 22:47 <DIR> --d-----
c:program filesStartup Optimizer
2009-06-19 07:39 34,354 a-------
c:windowssystem32driversNPDRIVER.SYS
2009-06-19 07:38 31,744 a-------
c:windowssystem32S32STAT.DLL
2009-06-19 07:38 182,784 a-------
c:windowssystem32ddao35.dll
2009-06-19 07:38 13,792 a-------
c:windowssystem32driversqdfsdrv.sys
2009-06-19 07:38 86,016 a-------
c:windowssystem32apitrap.dll
2009-06-19 07:38 94,208 a-------
c:windowssystem32qdcsinet.dll
2009-06-19 07:36 120,379 a-------
c:windowssystem32SYMEVNT.386
2009-06-19 07:36 57,696 a-------
c:windowssystem32driversSYMEVENT.SYS
2009-06-19 07:36 36,864 a-------
c:windowssystem32S32EVNT1.DLL
2009-06-19 07:36 4,032 a-------
c:windowssystem32SYMEVNT1.DLL
2009-06-19 07:16 591,660 a-------
c:windows_detmp.1
2009-06-19 07:16 128,000 a-------
c:windows_detmp.2
Find3M
2009-07-17 14:09 0 a-------
c:windowssystem32driverslvuvc.hs
2009-07-17 14:09 0 a-------
c:windowssystem32driverslogiflt.iad
2009-06-30 15:09 53,854 a-------
c:windowssystem32nvModes.dat
2009-06-23 01:13 9,728 ---sh---
c:program filesThumbs.db
2009-06-17 23:22 40,960 a-------
c:windowssystem32sys.dat
2009-05-01 17:02 90,112 a-------
c:windowssystem32dpl100.dll
2009-05-01 17:02 823,296 a-------
c:windowssystem32divx_xx0c.dll
2009-05-01 17:02 823,296 a-------
c:windowssystem32divx_xx07.dll
2009-05-01 17:02 815,104 a-------
c:windowssystem32divx_xx0a.dll
2009-05-01 17:02 811,008 a-------
c:windowssystem32divx_xx16.dll
2009-05-01 17:02 802,816 a-------
c:windowssystem32divx_xx11.dll
2009-05-01 17:02 685,056 a-------
c:windowssystem32DivX.dll
2009-04-15 19:52 109,560 --------
c:docume~1pnjapplic~1GDIPFONTCACHEV1.DA
T
2008-12-09 12:31 61,224 --------
c:documents and
settingspnjGoToAssistDownloadHelper.exe
2007-10-02 17:07 56,912 --------
c:documents and settingspnjg2mdlhlpx.exe
2007-08-15 17:20 784 --------
c:docume~1pnjapplic~1mpauth.dat
2006-09-25 10:06 251 --------
c:program fileswt3d.ini
2006-09-04 15:40 0 --------
c:docume~1pnjapplic~1Install.dat
2006-03-26 15:49 2,748,058
-------- c:program
files6255i_Manual.pdf
2005-12-29 17:06 56 ---shr--
c:windowssystem3293D8BBD9C6.sys
2007-08-08 19:12 56 ---shr--
c:windowssystem32DA9627613C.sys
2007-08-08 19:12 4,182 a--sh---
c:windowssystem32KGyGaAvL.sys
2007-12-12 19:08 16,384 a--sh---
c:windowstempcookiesindex.dat
2007-12-12 19:08 16,384 a--sh---
c:windowstemphistoryhistory.ie5index.d
at
2007-12-12 19:08 32,768 a--sh---
c:windowstemptemporary internet
filescontent.ie5index.dat
FINISH: 0:34:23.45