BleepingComputer.com: Oh my GOD!! I think im infected with a ROOTKIT. PLS HELP!

txnhockey
Jun 18 2009, 01:01 AM
Just to let you all know. I was getting the same problem.
Nothing could burn - Nero, CD BurnXP, etc

Ran AVG Rootkit, it found 2 hidden driver files and renamed them on reboot.
Ran Malwarebytes' Anti-Malware 1.38 and it found 26 infect files associated to the SKYNET Trojan.

Every program burns now, no problems.

Thank god ImgBurn actually has a useful console or I never would have known why my drive was not being seen
eSkRo
Jun 18 2009, 01:48 AM
looks like AVG Anti-Rootkit might be a winner!!!
LIGHTNING UK!
Jun 18 2009, 08:02 AM
That's weird too because it dates back to something like 2007!

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/01/2009 at 11:38 AM

Application Version : 4.26.1006

Core Rules Database Version : 3964
Trace Rules Database Version: 1905

Scan type : Complete Scan
Total Scan Time : 00:42:13

Memory items scanned : 211
Memory threats detected : 0
Registry items scanned : 4677
Registry threats detected : 2
File items scanned : 43808
File threats detected : 161

Adware.Tracking Cookie
C:\Documents and Settings\user\Cookies\user@5063785319[2].txt
C:\Documents and Settings\user\Cookies\user@scene_flv[1].txt
C:\Documents and Settings\user\Cookies\user@exchange4media[1].txt
C:\Documents and Settings\user\Cookies\user@server.iad.liveperson[2].txt
C:\Documents and Settings\user\Cookies\user@1384282843[2].txt
C:\Documents and Settings\user\Cookies\user@0376844981[2].txt
C:\Documents and Settings\user\Cookies\user@clickpass[2].txt
C:\Documents and Settings\user\Cookies\user@richmedia.yahoo[2].txt
C:\Documents and Settings\user\Cookies\user@ads-dev.youporn[2].txt
C:\Documents and Settings\user\Cookies\user@mhkeehn.tripod[2].txt
C:\Documents and Settings\user\Cookies\user@dngjkolno9g[2].txt
C:\Documents and Settings\user\Cookies\user@kontera[2].txt
C:\Documents and Settings\user\Cookies\user@youporn[1].txt
C:\Documents and Settings\user\Cookies\user@media6degrees[2].txt
C:\Documents and Settings\user\Cookies\user@1331669608[2].txt
C:\Documents and Settings\user\Cookies\user@0gsmw9jmjda[2].txt
C:\Documents and Settings\user\Cookies\user@ero-advertising[1].txt
C:\Documents and Settings\user\Cookies\user@1236659335[2].txt
C:\Documents and Settings\user\Cookies\user@ads1.indiainfo[2].txt
C:\Documents and Settings\user\Cookies\user@fjxx4o1oqlw[2].txt
C:\Documents and Settings\user\Cookies\user@ads.monster[1].txt
C:\Documents and Settings\user\Cookies\user@5243940908[2].txt
C:\Documents and Settings\user\Cookies\user@61xz4prmztz[2].txt
C:\Documents and Settings\user\Cookies\user@webmail.intermedia[2].txt
C:\Documents and Settings\user\Cookies\user@ads.ozonemedia.co[1].txt
C:\Documents and Settings\user\Cookies\user@www.intermedia[2].txt
C:\Documents and Settings\user\Cookies\user@9382965698[2].txt
C:\Documents and Settings\user\Cookies\user@myroitracking[1].txt
C:\Documents and Settings\user\Cookies\user@serving.adsrevenue.clicksor[1].txt
C:\Documents and Settings\user\Cookies\user@delivery[2].txt
C:\Documents and Settings\user\Cookies\user@yadro[2].txt
C:\Documents and Settings\user\Cookies\user@bvztecvxtrg[2].txt
C:\Documents and Settings\user\Cookies\user@7gmqfjibmne[2].txt
C:\Documents and Settings\user\Cookies\user@scene_flv[2].txt
C:\Documents and Settings\user\Cookies\user@djyr2lvqqxo[2].txt
C:\Documents and Settings\user\Cookies\user@2w0uyyswsjv[2].txt
C:\Documents and Settings\user\Cookies\user@socialmedia[1].txt
C:\Documents and Settings\user\Cookies\user@flv[2].txt
C:\Documents and Settings\user\Cookies\user@flv[1].txt
C:\Documents and Settings\user\Cookies\user@532wcadjnbz[2].txt
C:\Documents and Settings\user\Cookies\user@73865167[2].txt
C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt
C:\Documents and Settings\LocalService\Cookies\system@ads.ibibo[1].txt
C:\Documents and Settings\LocalService\Cookies\system@adtech[1].txt
.warez-bb.org [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.warez-bb.org [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
www.warez-bb.org [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.xiti.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.dmtracker.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
adstats.cdfreaks.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
www.linkfinders.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
www.linkfinders.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
www.linkfinders.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
www.linkfinders.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.adultfriendfinder.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.adultfriendfinder.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.adultfriendfinder.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.adultfriendfinder.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
ads-dev.youporn.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.adultfriendfinder.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.youporn.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.yadro.ru [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.rambler.ru [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
clicktorrent.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.bs.serving-sys.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.indextools.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
linkfinders.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
linkfinders.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.scarleteen.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.warezscene.org [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
www.warezscene.org [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
www.warezscene.org [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.warezscene.org [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
joblist.ru [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
www6.addfreestats.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.richmedia.yahoo.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
adx.bixee.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
ads.crakmedia.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
ad3.clickhype.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
stat.dealtime.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.vip.clickzs.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.pro-market.net [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.pro-market.net [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.mediafire.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.mediafire.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.mediafire.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.banner.kiev.ua [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
servedby.adxpower.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
tracker.conspiracycentral.net [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
tracker.conspiracycentral.net [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.warezforum.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.warezforum.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.warezforum.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.warezforum.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
warezforum.info [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
www7.addfreestats.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
s03.flagcounter.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.gostats.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
count.rbc.ru [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.myxer.adbureau.net [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.wareznet.net [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.revsci.net [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.ads.ozonemedia.co.in [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
s02.flagcounter.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.mediawebmonster.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
advertisement.netgull.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
www.stopzilla.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.stopzilla.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.weborama.fr [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.sexyandfunny.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.sexyandfunny.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.sexyandfunny.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.sexyandfunny.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.bravenet.com [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.medialand.relax.ru [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.medialand.relax.ru [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
.medialand.relax.ru [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
audit.median.hu [ C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\zf0uq0p4.default\cookies.txt ]
C:\Documents and Settings\user\Cookies\user@accounts[2].txt
C:\Documents and Settings\user\Cookies\user@ccount[1].txt

Trojan.Unknown Origin
HKU\.DEFAULT\Software\ColdWare
HKU\S-1-5-18\Software\ColdWare

Trojan.Agent/Gen-MSFake
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\TMP53.TMP

I havent actually run the ATF cleaner, just set the options.

Quote

Malware floods temp files with it's crud, I prefer an aggressive cleaning before scans for several reasons

Post that latest MBAM log

MBAM didnt find anything after updating definitions and doing a quick scan.

Here is my quick fix guide to locating and killing the CLB driver(.sys) file that is underpinning the infection and blocking the cleanup tools from running.
.........
You will need to identify which is the CLB driver and here's how.

This is not as difficult as it appears because it will be 1 of (if not) the only file listed with a .sys extension.

It will also carry one of the following prefix's in its filename +random letters+ .sys extension.

Path: C:\AUTORUN.INF\zhengbo.
Status: Locked to the Windows API!

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/01 18:03
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF45BE000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A54000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP7354
Image Path: \Driver\PCI_PNP7354
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEB5A6000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spcf.sys
Image Path: spcf.sys
Address: 0xF72D0000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\AUTORUN.INF\zhengbo.
Status: Locked to the Windows API!

Path: c:\documents and settings\user\application data\utorrent\resume.dat
Status: Size mismatch (API: 139253, Raw: 139199)

Path: C:\Documents and Settings\user\Application Data\uTorrent\resume.dat.old
Status: Could not get file information (Error 0xc0000008)

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47e93bd

#: 041 Function Name: NtCreateKey
Status: Hooked by "spcf.sys" at address 0xf72d10e0

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fcf30

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fce60

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spcf.sys" at address 0xf72efca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spcf.sys" at address 0xf72f0032

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fcfb0

#: 119 Function Name: NtOpenKey
Status: Hooked by "spcf.sys" at address 0xf72d10c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fc850

#: 160 Function Name: NtQueryKey
Status: Hooked by "spcf.sys" at address 0xf72f010a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spcf.sys" at address 0xf72eff8a

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fd120

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fd260

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf47fcd80

Stealth Objects
-------------------
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x84bdb1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x84a0d1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x84b6b1f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System Address: 0x849541f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x84bdc1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8433d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8433d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8433d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8433d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8433d1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8433d1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x849f11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x849f11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x849f11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x849f11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x849f11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x849f11f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x849f11f8 Size: 121

Hidden Services
-------------------
Service Name: gxvxcserv.sys
Image Path: C:\WINDOWS\system32\drivers\gxvxcrlxbnyltofjwxdpxyvbrfqnsrrirngxn.sys

==EOF==