siszyd32.exe

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

If you have not received help after three days, please post a link to your topic HERE.

2 Pages
1
2
→

You cannot start a new topic
This topic is locked

siszyd32.exe Persistent infection

#1 Ellinas

New Member

Group: Members
Posts: 10
Joined: 22-December 09
Gender:Male
Location:Wales

Posted 22 December 2009 - 12:02 PM

Good evening.

I'm hoping that someone here will be able to help with this. Please be aware that I know very little of computers, so if any reply does give guidance, please use "noddy language" even down to which combination of keys to press- I'm unlikely to understand it otherwise.

I hope this is the correct forum.

Yesterday, I noticed that there seemed to be a constant stream of data through my internet connection even when I was doing nothing to cause it.

I have F-Secure Blacklight on my computer, which I ran as a detection facility. It identified siszyd32.exe as a hidden process.

I have today got rid of a number of trojans via my antivirus (AVG Free) and through A-Squared. I've also managed to delete the siszyd32.exe file with Freefixer.

The constant stream of data continues, so obviously something is till not right.

Any suggestions, please?

Thanks.

E.

This post has been edited by Ellinas: 22 December 2009 - 12:04 PM

#2 boopme

To Insanity and Beyond

Group: Global Moderator
Posts: 46,295
Joined: 10-September 04
Gender:Male
Location:NJ USA

Posted 22 December 2009 - 03:03 PM

Hello and welcome.. hopefully this will be easy to follow and work.
If A Squared is also an antivirus you should disable it. Running more than one AV together will cause problems.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

Click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions,post logs and Let us know how the PC is running now.

How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Ellinas

New Member

Group: Members
Posts: 10
Joined: 22-December 09
Gender:Male
Location:Wales

Posted 24 December 2009 - 08:19 AM

Hello again.

Thanks for that advice.

I suppose I should have mentioned in my previous post that I'm running Windows X.P. with Service Pack 3, with Windows Firewall (though I'm considering trying Zonealarm)

My internet connection now appears to be behaving more normally, so it seems like Malwarebytes may have cured the problem.

Anyhow, dealing with this in order:

A-squared is an antivirus and antispyware, but, in its' free form, it is purely an on-demand scanner; I assume, therefore, that it is inert unless I activate it. I've not noticed any apparent conflict with A.V.G.

I scanned with MBAM as instructed. It found two items, deleted one immediately, and the other on re-boot. I then re-scanned, but it again found one item; it occurred to me to turn off System Restore. The item found was the same as the one found in the first scan to be deleted on reboot. I rebooted again and the third scan was clear.

Therefore there are 3 MBAM logs, as follows (I've replaced my name as it appears in the first log with the words "name-edit"):

First log:

Malwarebytes' Anti-Malware 1.42
Database version: 3415
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

23/12/2009 17:59:49
mbam-log-2009-12-23 (17-59-49).txt

Scan type: Quick Scan
Objects scanned: 144271
Time elapsed: 1 hour(s), 42 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\kybkz.sys (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\name-edit\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.

Second log:

Malwarebytes' Anti-Malware 1.42
Database version: 3415
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

23/12/2009 19:35:17
mbam-log-2009-12-23 (19-35-17).txt

Scan type: Quick Scan
Objects scanned: 144207
Time elapsed: 1 hour(s), 30 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\kybkz.sys (Rootkit.Agent) -> Delete on reboot.

Third log:

Malwarebytes' Anti-Malware 1.42
Database version: 3415
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

23/12/2009 20:59:20
mbam-log-2009-12-23 (20-59-20).txt

Scan type: Quick Scan
Objects scanned: 144226
Time elapsed: 1 hour(s), 21 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I re-started "System Restore" prior to proceeding with ATF and Super.

ATF removed a fair amount of... whatever it was...

Super has found no infection. I took your post to mean that I should "complete scan" purely with "Close browsers before scanning", "Scan for tracking cookies", and "Terminate memory threats before quarantining" checked, and therefore I unchecked everything else.

The "Super" log is as follows:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/24/2009 at 12:31 PM

Application Version : 4.32.1000

Core Rules Database Version : 4407
Trace Rules Database Version: 2240

Scan type : Complete Scan
Total Scan Time : 02:31:06

Memory items scanned : 234
Memory threats detected : 0
Registry items scanned : 5010
Registry threats detected : 0
File items scanned : 73899
File threats detected : 0

I hope that this makes sense.

Thanks again.

#4 boopme

To Insanity and Beyond

Group: Global Moderator
Posts: 46,295
Joined: 10-September 04
Gender:Male
Location:NJ USA

Posted 24 December 2009 - 02:18 PM

He;;o,yes that is what I meant.
Scanning Control options allow you to customize the way SUPERAntiSpyware scans your computer as well as manage Allowed Items and Excluded Folders.

The instructions for scan settings are those we provide to folks asking for help with infected systems and not general scanning. The 3 settings which are recommend for using Direct Access (checked by default) are there to help find malware which attempts to hide itself from the operating system or the scanning engine. However, if enabled, these options can cause the scan to stall, hang or result in a BSOD. Unchecking them helps to ensure that does not occur. The setting for Resolve Links/Shortcuts during scan using the MSI API can also cause locks ups or hangs during the scan on some systems so its best to uncheck it.

Closing all browsers before scanning is recommended because leaveing it open can result in the inability to remove files that may be in use or the installation of additional malware. When disinfecting a system, we also want to scan all files not just known file types to ensure "trace" malicious files with other extensions are found and removed. Same reason applies for unchecking ignore System Restore/Volume Info, large and non-executable files. Malware can hide anywhere so why limit the search. The main drawback for doing this is that the scan will take longer to complete. SUPERAntispyware includes a help file in its program folder which you can refer to for more information about each scanning option.

Let's just check for Rootkits while you are here.

We Need to check for Rootkits with RootRepeal

Download RootRepeal from the following location and save it to your desktop.
- Direct Download (Recommended)
- Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
- Rar Mirrors - Only if you know what a RAR is and can extract it.
Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
Open on your desktop.
Click the tab.
Click the button.
Check all seven boxes:
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

This post has been edited by boopme: 26 December 2009 - 04:18 PM

#5 Ellinas

New Member

Group: Members
Posts: 10
Joined: 22-December 09
Gender:Male
Location:Wales

Posted 25 December 2009 - 05:45 AM

Thanks.

Is your comment "Let's just check for Rootkits while you are here" a vestige from a cut and paste, or is there something else you think I should do that is not included in your post?

#6 boopme

To Insanity and Beyond

Group: Global Moderator
Posts: 46,295
Joined: 10-September 04
Gender:Male
Location:NJ USA

Posted 25 December 2009 - 10:07 PM

It means after looking at your logs you look goo. But I would like to check for rootkits while we have you here instead of just letting you go on and still have an unrevealed infection.

#7 Ellinas

New Member

Group: Members
Posts: 10
Joined: 22-December 09
Gender:Male
Location:Wales

Posted 26 December 2009 - 05:31 AM

Fine - but how precisely?

Unless I'm misreading something, there's no indication of how I should check this. The second part of your post looks like a repeat of the first.

#8 boopme

To Insanity and Beyond

Group: Global Moderator
Posts: 46,295
Joined: 10-September 04
Gender:Male
Location:NJ USA

Posted 26 December 2009 - 04:19 PM

Hello.. don't know how I did that but now I've edited the post with proper instructions... very sorry.

#9 Ellinas

New Member

Group: Members
Posts: 10
Joined: 22-December 09
Gender:Male
Location:Wales

Posted 27 December 2009 - 10:05 AM

No problem - I'm just glad that it was not me that was going mad!!!

Right, I've followed the instructions. I wasn't sure what all those "mirrors" were, but having experimented, I assume that they are all different paths to the same programme.

When I clicked on the desktop icon, a message came up saying "Error - invalid PE image found"

I deleted the file, re-downloaded and tried again with the same result. So this time I ignored it and carried out the scan as instructed.

It appeared to work.

I assume that this programme is a more powerful version of the "Blacklight" type of programme which I keep for periodic rootkit checks. Blacklight was clear after I got rid of the siszyd32.exe file itself - though I run it in a mode that is meant to minimize false positives, so may not be the most thorough scan

Anyhow, here's the log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/27 14:26
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF47A3000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B6A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF3440000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\$avg\$chjw\7fda1625-a067-4fbf-b3ca-9e0ee902242a
Status: Size mismatch (API: 403628, Raw: 374348)

Path: c:\$avg\$chjw\c710442f-cc07-42ee-9363-6ae3bb9b3468
Status: Size mismatch (API: 933028, Raw: 912228)

Path: c:\windows\temp\1d9c2e3a-fd6f-4699-9b24-511fe3829384.tmp
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: c:\windows\temp\e301a37a-aa2d-4dd3-9262-75a4d053235b.tmp
Status: Allocation size mismatch (API: 65536, Raw: 0)

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf4c360b0

==EOF==

Casting my inexpert eye through this I can see apparent references to A.V.G., which is my antivirus/antispyware, and to Superantispyware - which is still installed on my system, as is all the other software you've asked me to use.

I am aware of the need to approach rootkit removal with caution if I don't want to turn my computer into a doorstop (which I don't!). If you need to know anything about the system in order to interpret the report, let me know.

Thanks for your help.

#10 boopme

To Insanity and Beyond

Group: Global Moderator
Posts: 46,295
Joined: 10-September 04
Gender:Male
Location:NJ USA

Posted 27 December 2009 - 02:53 PM

OK, good we are clean.. The mirrors are in case a link wont work. As you surmised they just download from different locations.
You can remove all tools we;ve used . Tho' I recommened keeping malraebytes and update and scan often.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

Go to Start > Programs > Accessories > System Tools and click "System Restore".
Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

Then use Disk Cleanup to remove all but the most recently created Restore Point.
Go to Start > Run and type: Cleanmgr
Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
Click the "More Options" tab, then click the "Clean up" button under System Restore.
Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
Click Yes, then click Ok.
Click Yes again when prompted with "Are you sure you want to perform these actions?"
Disk Cleanup will remove the files and close automatically.

Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

#11 Ellinas

New Member

Group: Members
Posts: 10
Joined: 22-December 09
Gender:Male
Location:Wales

Posted 28 December 2009 - 09:23 AM

Thankyou very much for your time and help. I'll be back should any further problems arise!

#12 boopme

To Insanity and Beyond

Group: Global Moderator
Posts: 46,295
Joined: 10-September 04
Gender:Male
Location:NJ USA

Posted 28 December 2009 - 11:38 AM

You're most welcome,as new malware is getting stronger and harder to remove, please take a moment to read quietman7's excellent prevention tips in post 3 here
Click >>>> Tips to protect yourself against malware and reduce the potential for re-infection:

#13 rocketronnie

Member

Group: Members
Posts: 26
Joined: 02-January 10
Gender:Male
Location:Scotland

Posted 02 January 2010 - 06:23 AM

Hello - sorry for butting in on this thread, but I started off with the same "siszyd32.exe" problem, and have followed all the instructions posted here (thanks very much for those !). I was hoping someone could help me out with the results of my last scan.

I've got to the RootRepeal scan part, and think my log looks a bit more sinister than the one from Ellinas (particularly the stealth files part where it looks to my untrained eye that my system is well and truely ******.). I'll paste the logfile here. Is this recoverable or should I get the factory restore CD out ?

I am admin for a scouting website which was hacked & it looks like the way in was through my machine giving access to the ftp username & password that I had saved in the quickconnect list in the ftp client. Hundreds of files on the site had unexpected code in them & looks like my system could be the same?

Here's the log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time:		2010/01/02 10:07
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3C33000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A1C000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: PCI_PNP9110
Image Path: \Driver\PCI_PNP9110
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6B2B000	Size: 49152	File Visible: No	Signed: -
Status: -

Name: spbz.sys
Image Path: spbz.sys
Address: 0xF72CE000	Size: 1052672	File Visible: No	Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\system32\drivers\fidbox2.dat
Status: Size mismatch (API: 197408, Raw: 197152)

Path: c:\documents and settings\ronnie & fiona\local settings\temp\perflib_perfdata_127c.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40175.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 584)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40176.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 584)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40559.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 584)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40560.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 592)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40709.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 584)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40717.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 592)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40724.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 584)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40870.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 592)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40906.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 592)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40984.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 608)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\41010.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 584)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\41021.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 600)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\41037.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 592)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\41039.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 592)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\41041.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 592)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\41049.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 584)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\41055.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 616)

Path: C:\Documents and Settings\Ronnie & Fiona\Local Settings\Application Data\{5E9807C0-FCAD-4DAA-A6AF-A9B5C498D3F1}\chrome\content\overlay.xul
Status: Locked to the Windows API!

SSDT
-------------------
#: 025	Function Name: NtClose
Status: Hooked by "C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf78398b0

#: 041	Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf754087e

#: 047	Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8f930

#: 048	Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8faa0

#: 050	Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c90540

#: 052	Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c90190

#: 053	Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c90e20

#: 068	Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8fd60

#: 071	Function Name: NtEnumerateKey
Status: Hooked by "spbz.sys" at address 0xf72edca4

#: 073	Function Name: NtEnumerateValueKey
Status: Hooked by "spbz.sys" at address 0xf72ee032

#: 097	Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8e2a0

#: 119	Function Name: NtOpenKey
Status: Hooked by "spbz.sys" at address 0xf72cf0c0

#: 122	Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf78398e0

#: 125	Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c90370

#: 160	Function Name: NtQueryKey
Status: Hooked by "spbz.sys" at address 0xf72ee10a

#: 173	Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c90ad0

#: 177	Function Name: NtQueryValueKey
Status: Hooked by "spbz.sys" at address 0xf72edf8a

#: 206	Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c90dd0

#: 213	Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c91150

#: 224	Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c91770

#: 228	Function Name: NtSetInformationProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c95160

#: 237	Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8cec0

#: 247	Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf7540bfe

#: 254	Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c90d80

#: 255	Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8e600

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf3dde0b0

#: 258	Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf7839a30

#: 277	Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf7839ad0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System	Address: 0x871641f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System	Address: 0x86ba7500	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System	Address: 0x86ba7500	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System	Address: 0x86ba7500	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System	Address: 0x86ba7500	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x86ba7500	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x86ba7500	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System	Address: 0x86ba7500	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System	Address: 0x86ba7500	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x86ba7500	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x86ba7500	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x86ba7500	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x86ba7500	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x86ba7500	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x86ba7500	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x86ba7500	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x86ba7500	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System	Address: 0x86ba7500	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System	Address: 0x86ba7500	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System	Address: 0x871651f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System	Address: 0x871651f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x871651f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x871651f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System	Address: 0x871651f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x871651f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System	Address: 0x871651f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System	Address: 0x870021f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System	Address: 0x870021f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System	Address: 0x870021f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System	Address: 0x870021f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x870021f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x870021f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x870021f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x870021f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System	Address: 0x870021f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x870021f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System	Address: 0x870021f8	Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System	Address: 0x86b2a1f8	Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System	Address: 0x86b2a1f8	Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System	Address: 0x86b2a1f8	Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System	Address: 0x86b2a1f8	Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x86b2a1f8	Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x86b2a1f8	Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System	Address: 0x86b2a1f8	Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x86b2a1f8	Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System	Address: 0x86b2a1f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System	Address: 0x871d91f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System	Address: 0x871d91f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System	Address: 0x871d91f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System	Address: 0x871d91f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x871d91f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x871d91f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x871d91f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x871d91f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System	Address: 0x871d91f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x871d91f8	Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System	Address: 0x871d91f8	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System	Address: 0x8704c500	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System	Address: 0x8704c500	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8704c500	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8704c500	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System	Address: 0x8704c500	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8704c500	Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System	Address: 0x8704c500	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System	Address: 0x871661f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System	Address: 0x871661f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System	Address: 0x871661f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x871661f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x871661f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x871661f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x871661f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System	Address: 0x871661f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System	Address: 0x871661f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x871661f8	Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System	Address: 0x871661f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System	Address: 0x86baf1f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System	Address: 0x86baf1f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x86baf1f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x86baf1f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System	Address: 0x86baf1f8	Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System	Address: 0x86baf1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System	Address: 0x8700e1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System	Address: 0x8700e1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8700e1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8700e1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System	Address: 0x8700e1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8700e1f8	Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System	Address: 0x8700e1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System	Address: 0x86b9c1f8	Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎†⎘̀, IRP_MJ_CREATE]
Process: System	Address: 0x866e6500	Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎†⎘̀, IRP_MJ_CLOSE]
Process: System	Address: 0x866e6500	Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎†⎘̀, IRP_MJ_READ]
Process: System	Address: 0x866e6500	Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎†⎘̀, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x866e6500	Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎†⎘̀, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x866e6500	Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎†⎘̀, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x866e6500	Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎†⎘̀, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x866e6500	Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎†⎘̀, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x866e6500	Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎†⎘̀, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x866e6500	Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎†⎘̀, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x866e6500	Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎†⎘̀, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x866e6500	Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎†⎘̀, IRP_MJ_CLEANUP]
Process: System	Address: 0x866e6500	Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎†⎘̀, IRP_MJ_PNP]
Process: System	Address: 0x866e6500	Size: 121

Shadow SSDT
-------------------
#: 013	Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8e4d0

#: 378	Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8de70

#: 383	Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf7839450

#: 414	Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf78393c0

#: 416	Function Name: NtUserGetKeyState
Status: Hooked by "C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf7839400

#: 460	Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8dd70

#: 475	Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c91550

#: 476	Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8de20

#: 502	Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8d300

#: 549	Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf7839340

#: 552	Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c915a0

==EOF==

#14 rocketronnie

Member

Group: Members
Posts: 26
Joined: 02-January 10
Gender:Male
Location:Scotland

Posted 02 January 2010 - 10:12 AM

what about a system restore ? I suspect that this might have started when I installed a car workshop manual that I bought on Ebay (probably a mistake !). I've discovered that some parts of the software installed have been accessing the internet (now blocked by firewall , but weren't before), and am suspicous that there might have been some malware involved. I could system restore to before that installation & rerun RootRepeal scan ?

C:\Program Files\cosids\Apache Group\Apache\ApchT2kW.exe and
C:\Program Files\cosids\bin\tbmux32.exe are the processes that I am worried about. They were part of the manual CD. I see no reason why the should need network assess, but the "apache" one is still trying.

Just tried running the manual with access blocked and its not working (so perhaps it is legitimately needing a network connection, but I have doubts !).

This post has been edited by rocketronnie: 02 January 2010 - 10:15 AM

#15 boopme

To Insanity and Beyond

Group: Global Moderator
Posts: 46,295
Joined: 10-September 04
Gender:Male
Location:NJ USA

Posted 02 January 2010 - 05:34 PM

@rocketronnieI feel the safest way to remove this is with HJT.
You will need to run HJT/DDS.
Please follow this guide. go and do steps 6 thru 8 ,, Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post that complete log.

Let me know if it went OK.