
Google web search results redirecting to cliccker.cn; ZBOT variant?


  • This topic is locked
12 replies to this topic

#1 skyboy
  • Members
  • 10 posts

Posted 03 September 2009 - 07:14 PM

Around the 19th of August I got a trojan (at least I think it is, may be some other form of malware) and I've been keeping it at bay so far, but it's getting really annoying as I'm in school now and I can't fight it 24/7 (my mother also doesn't care about it and demands I shut the computer down when I leave, so who knows what it changes while she's on it playing freecell).

There was an SDRA64.exe in my sys32 dir, but that's no longer appearing; instead I get randomly named programs in my Windows temp dir attempting to access the internet or other programs, so the virus is still on my computer, possibly as a DLL loaded by one of the god knows how many services Windows uses, but I'm not having any luck finding the last bits of it. dfrag.msc can't defrag my NTFS partition either, but the FAT partition it can do just fine; I also have autochk (no idea if this is the virus or the Windows boot version of chkdsk) running at boot and telling me it can't check my C: (NTFS) partition because it's formatted as RAW, which makes no sense. Any and all help is appreciated; I will provide more info if it is required.

In addition my computer crashed this morning, no blue screen; it sounded almost as though it shut down but some of the hardware kept working, but there was no more Windows, but the monitor stayed on and the tower's light kept burning. I have no idea what this was about... this thing appears to be getting worse. To clarify, if the previous wasn't: the Windows OS went down, errorlessly, and my hard drive/fan shut down but the CPU and graphics chip (probably most everything else as well) kept running. I have never had this happen before, and I have never seen anything like it, nor read anything about it on Windows XP; but it does sound much like what Windows 95 does when you select shut down, so it would not be impossible.

I can't use any Microsoft services specific to IE either; trying to access them with IE 8 results in it crashing multiple times, and with IE6 it doesn't install the update I require to actually use the service and exits with error code 0x8007041D. According to Microsoft this is caused by NOD32 AV, but I do not, and have not ever, had this on my computer. I'm getting desperate for help because I can not afford a new computer; reinstalling Windows isn't an option because I can't back anything up and I need most of what's on my computer, and I do not have the space I need to back it up.

Thank you
~skyboy


## Stats ##
@General
Platform: Windows XP Home SP2 (WinNT 5.01.2600)
RAM: 1GB DDR x2
CPU: 2.70 GHz Intel Celeron, single core
Make: Hewlett-Packard Pavilion a400n
Age: 6 going on 7 years
Integrated graphics chip
@Browsers
Firefox: v3.0.13 && v3.5.2
Opera: v9.24.8816
Netscape: v9.0.0.6
Internet Explorer: v8.00.6001.18702 at time of infection, recently downgraded to v6.0.2900.2180.xpsp_sp2_gdr.070227-2254
@Anti-Virus
ZoneAlarm (Internet Security Suite): v7.0.408.000
Malwarebytes: v1.40
HijackThis: v2.0.2
@OTHER
Apache: v2.2.9
PHP: v5.3.0
## /Stats ##


## Logs ##

@HijackThis logs
(before shutting down everything not needed)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:01:08 PM, on 2/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\Windows Live\Messenger8.5\msnmsgr.exe
C:\Apache\bin\httpd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Hamachi\hamachi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Apache\bin\httpd.exe
C:\Program Files\RBTray\RBTray.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox 3\firefox.exe
C:\Program Files\Macromedia\Flash 8\Flash.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\taskmgr.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

--
End of file - 1936 bytes
(after)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:52 PM, on 2/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\Windows Live\Messenger8.5\msnmsgr.exe
C:\Apache\bin\httpd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Hamachi\hamachi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Apache\bin\httpd.exe
C:\Program Files\RBTray\RBTray.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox 3\firefox.exe
C:\Program Files\Macromedia\Flash 8\Flash.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Owner3\Desktop\ProcessExplorer\procexp.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

--
End of file - 2071 bytes

@Malwarebytes' logs
Malwarebytes' Anti-Malware 1.40
Database version: 2706
Windows 5.1.2600 Service Pack 2

2/09/2009 6:37:54 PM
mbam-log-2009-09-02 (18-37-54).txt

Scan type: Quick Scan
Objects scanned: 152761
Time elapsed: 24 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\ijlkqycrfx.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Install.exe (Trojan.Agent) -> Not selected for removal.
(Install.exe is an installer for a program I made for my girlfriend - false positive, probably due to the lack of user confirmation before creating the files and registry settings (one of which is in Run))

Malwarebytes' Anti-Malware 1.40
Database version: 2659
Windows 5.1.2600 Service Pack 2

19/08/2009 7:21:08 PM
mbam-log-2009-08-19 (19-21-08).txt

Scan type: Quick Scan
Objects scanned: 140892
Time elapsed: 29 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\Iasv32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\netskt (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ias (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ias (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\netskt.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Iasv32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.40
Database version: 2670
Windows 5.1.2600 Service Pack 2

22/08/2009 9:39:58 AM
mbam-log-2009-08-22 (09-39-58).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 375355
Time elapsed: 9 hour(s), 9 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\autochk.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\Systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.40
Database version: 2685
Windows 5.1.2600 Service Pack 2

27/08/2009 3:09:02 PM
mbam-log-2009-08-27 (15-09-02).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 392257
Time elapsed: 5 hour(s), 4 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Install.exe (Trojan.Agent) -> Not selected for removal.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
@ComboFix
ComboFix crashes and restarts my PC without doing anything, otherwise its log would be here; it also tells me I have BitDefender running when I do not, nor is it even installed.

@FireWall
My firewall detected and stopped a series of attempts to connect to what it marks as spy sites (too fast to see what the attempts were); if its log were intact I would include that, but it's been erased; and it can not scan from the context menu (ZoneAlarm Internet Security Suite).
## /Logs ##



#2 skyboy
  • Topic Starter

  • Members
  • 10 posts

Posted 07 September 2009 - 08:43 AM

Since there is no edit button (stupid idea to remove editing after a moderator edits a post, really), could a moderator remove my above post (#1412196)?

And I've figured out where it is hiding, but I can't remove it and my scanners still can't pick it up; every time Windows Automatic Updates starts, the virus comes with it, or it has taken it as host, so I can't safely get rid of it on my own and I can't update my computer to fix existing security holes.

Latest HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:27 AM, on 7/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Hamachi\hamachi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\WhatPulse\WhatPulse.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RBTray\RBTray.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUMENTS AND SETTINGS\OWNER3\DESKTOP\PROCESSEXPLORER\PROCEXP.EXE
C:\Apache\bin\ApacheMonitor.exe
C:\Program Files\Windows Live\Messenger8.5\msnmsgr.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Program Files\Mozilla Firefox 3\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: C:\WINDOWS\system32\tajf83ikdmf.dll - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\tajf83ikdmf.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Owner3\LOCALS~1\Temp\svchost.exe
O4 - Startup: ActionsPanel.txt
O4 - Startup: Monitor Apache Servers.lnk = C:\Apache\bin\ApacheMonitor.exe
O4 - Startup: youtubevids.txt
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252018260031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1252018711343
O22 - SharedTaskScheduler: ghya673gidh87we9inkff - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\tajf83ikdmf.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

--
End of file - 2497 bytes

Items 1, 3, 4, 8, 9, 10 and 11 are not going to continue to exist beyond this post.

Edit:

Malwarebytes' log:
Malwarebytes' Anti-Malware 1.40
Database version: 2751
Windows 5.1.2600 Service Pack 2

7/09/2009 10:59:07 AM
mbam-log-2009-09-07 (10-59-07).txt

Scan type: Quick Scan
Objects scanned: 9032
Time elapsed: 11 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\kbiwkmdkwyrjem.dll (Trojan.TDSS) -> Delete on reboot.
c:\WINDOWS\system32\kbiwkmfvumyodq.dll (Trojan.TDSS) -> Delete on reboot.
c:\WINDOWS\system32\netsdk.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\drivers\kbiwkmxfientkw.sys (Trojan.TDSS) -> Delete on reboot.

Malwarebytes' Anti-Malware 1.40
Database version: 2751
Windows 5.1.2600 Service Pack 2

7/09/2009 11:36:01 AM
mbam-log-2009-09-07 (11-36-01).txt

Scan type: Quick Scan
Objects scanned: 154688
Time elapsed: 22 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uacd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\uacd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uacd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\netsdk (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kbiwkmdkwyrjem.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmfvumyodq.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\kbiwkmxfientkw.sys (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\sp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UAC604e.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UAC88ee.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UAC9998.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UACa158.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UACa2cf.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UACa7ff.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UACa84d.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ppc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Install.exe (Trojan.Agent) -> Not selected for removal.
C:\WINDOWS\system32\drivers\UACbjomuklnkv.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACbjtpelwowx.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACcvmbpnxtnw.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACesiuyabwex.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACewftypeybx.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACnggdibivxs.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACobvvvagxwm.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACorcrdpkpfj.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACrsswsxjkom.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACxsivbvpwbi.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner3\Local Settings\Temp\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner3\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ueja73hkjd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmavunpsxo.dat (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmerntkask.dat (Rootkit.TDSS) -> Delete on reboot.

I'm going to proceed to remove the Trojan.TDSS files from memory and delete them before a reboot, however.

Edited by skyboy, 07 September 2009 - 10:34 AM.
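An added triage script, not part of this thread or of HijackThis, that applies the indicators visible in the logs above (an autostart pointing into a Temp directory, a system-process name running from outside system32, a BHO with no registered name, one CLSID registered as both BHO and SharedTaskScheduler, the Regedit-disabling policy, and extra entries in the Winlogon\Userinit value that carried sdra64.exe) to HijackThis-format lines. The sample log is constructed from lines posted in this thread; the heuristics, the `Finding` type and the helper names are the example's own.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Added example (not from the thread): triage helpers for the two artefacts the
# posted logs show, HijackThis "O" entries and the Winlogon\Userinit value.


class Finding(NamedTuple):
    section: str   # HijackThis section code, e.g. "O4", or "O2/O22" for a correlation
    item: str      # the path, CLSID or policy text the finding concerns
    reason: str    # why it was flagged


_ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# A drive-letter path ending in an executable-type extension. Spaces are allowed
# ("C:\Program Files\..."), so the lazy quantifier stops at the first such extension.
_PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]+?\.(?:exe|dll|sys|scr|pif|bat|cmd))\b', re.I)
_CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
_BHO_NAME_RE = re.compile(r"BHO:\s*(.*?)\s+-\s+\{")

# Core Windows process names; the thread's infection dropped copies of these into Temp.
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                "smss.exe", "services.exe"}


def _lives_in_system32(path_lower: str) -> bool:
    # Only the directory suffix is checked, so the system root (C:\WINDOWS, C:\WINNT) may vary.
    return path_lower.rsplit("\\", 1)[0].endswith("\\system32")


def triage_hjt(log_text: str) -> List[Finding]:
    """Flag HijackThis entries showing the traits seen in this thread's logs."""
    findings: List[Finding] = []
    clsid_sections: Dict[str, Set[str]] = {}
    for raw in log_text.splitlines():
        m = _ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        for clsid in _CLSID_RE.findall(body):
            clsid_sections.setdefault(clsid.upper(), set()).add(section)
        if section == "O7" and "DisableRegedit=1" in body:
            findings.append(Finding(section, body, "registry editor disabled by policy"))
            continue
        if section == "O2":
            name = _BHO_NAME_RE.match(body)
            if name and _PATH_RE.fullmatch(name.group(1)):
                findings.append(Finding(section, name.group(1),
                                        "BHO has no registered name, only its DLL path"))
        for path in dict.fromkeys(_PATH_RE.findall(body)):  # de-duplicate, keep order
            low = path.lower()
            base = low.rsplit("\\", 1)[-1]
            if "\\temp\\" in low:
                findings.append(Finding(section, path, "autostart points into a Temp directory"))
            elif base in SYSTEM_NAMES and not _lives_in_system32(low):
                findings.append(Finding(section, path, "system process name outside system32"))
    # One COM object registered under several autostart mechanisms (BHO + SharedTaskScheduler here).
    for clsid, sections in clsid_sections.items():
        if len(sections) > 1:
            findings.append(Finding("/".join(sorted(sections)), clsid,
                                    "same CLSID registered in %d sections" % len(sections)))
    return findings


def userinit_extras(value: str) -> List[str]:
    """Entries in HKLM\\...\\Winlogon\\Userinit other than the expected userinit.exe.

    The MBAM log above shows this value carrying sdra64.exe; Winlogon runs every
    entry in the comma-separated list at logon, which is how that loader survived reboots.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        low = entry.lower()
        base = low.rsplit("\\", 1)[-1]
        bare = "\\" not in low                      # "userinit.exe" resolves from system32
        if base == "userinit.exe" and (bare or _lives_in_system32(low)):
            continue
        extras.append(entry)
    return extras


# Constructed sample in HijackThis format, modelled on the lines posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: C:\WINDOWS\system32\tajf83ikdmf.dll - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\tajf83ikdmf.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Owner3\LOCALS~1\Temp\svchost.exe
O4 - Startup: Monitor Apache Servers.lnk = C:\Apache\bin\ApacheMonitor.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O22 - SharedTaskScheduler: ghya673gidh87we9inkff - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\tajf83ikdmf.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print("%-7s %s: %s" % (f.section, f.reason, f.item))
    print("Userinit extras:",
          userinit_extras(r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"))
```

The benign KernelFaultCheck, Apache and Kodak entries produce no findings, which is the point of keeping them in the sample.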


#3 schrauber
    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts

Posted 20 September 2009 - 02:53 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#4 skyboy
  • Topic Starter

  • Members
  • 10 posts

Posted 26 September 2009 - 02:30 PM

I appear to be having no issues, but there are items in the DDS logs that make me suspicious; they're probably remnants though. I managed to kill the active part of the virus using a Linux live CD and fix the chkdsk utility marking my NTFS drive as RAW. Everything works now, and I haven't seen any issues for a few weeks now.

DDS (Ver_09-09-24.01) - NTFSx86  
Run by Owner3 at 14:56:13.42 on Sat 26/09/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition  5.1.2600.2.1252.61.1033.18.2039.1337 [GMT -4:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Outdated)   {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated)   {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled*   {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apache\bin\httpd.exe
C:\Program Files\Hamachi\hamachi.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Apache\bin\httpd.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Apache\bin\ApacheMonitor.exe
C:\Program Files\RBTray\RBTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\DOCUMENTS AND SETTINGS\OWNER3\DESKTOP\PROCESSEXPLORER\PROCEXP.EXE
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner3\My Documents\Downloads\dds.pif

============== Pseudo HJT Report ===============

uStart Page = about:blank
mDefault_Page_URL = hxxp://us10.hpwis.com/
mDefault_Search_URL = hxxp://srch-us10.hpwis.com/
mSearch Page = hxxp://srch-us10.hpwis.com/
mStart Page = hxxp://us10.hpwis.com/
mSearch Bar = hxxp://srch-us10.hpwis.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - No File
EB: hp view: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [WhatPulse] c:\program files\whatpulse\WhatPulse.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger8.5\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [HijackThis startup scan] c:\program files\trend micro\hijackthis\HijackThis.exe /startupscan
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [LTMSG] LTMSG.exe 7
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\docume~1\owner3\startm~1\programs\startup\monito~1.lnk - c:\apache\bin\ApacheMonitor.exe
StartupFolder: c:\docume~1\owner3\startm~1\programs\startup\rbtray.lnk - c:\program files\rbtray\RBTray.exe
StartupFolder: c:\docume~1\owner3\startm~1\programs\startup\shortc~1.lnk - c:\program files\mozilla firefox 3\firefox.exe
StartupFolder: c:\docume~1\owner3\startm~1\programs\startup\winamp.lnk - c:\program files\winamp\winamp.exe
uPolicies-explorer: NoSMHelp = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: SpSubLSP.dll
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner3\applic~1\mozilla\firefox\profiles\w0wc6hsw.empty-ff3\
FF - plugin: c:\documents and settings\owner3\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-2-18 365448]
R2 Apache2.2;Apache2.2;c:\apache\bin\httpd.exe [2008-6-16 24635]
R2 HamachiService;Hamachi Service;c:\program files\hamachi\hamachi.exe [2008-7-20 625952]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S?1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-9-15 150544]
S3 getPlusHelper;getPlus(R) Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2003-11-5 14336]
S3 hMailServer;hMailServer;c:\program files\hmailserver\bin\hmailserver.exe runasservice --> c:\program files\hmailserver\bin\hMailServer.exe RunAsService [?]
S3 hMailServerMySQL;hMailServerMySQL;c:\program files\hmailserver\mysql\bin\mysqld-nt.exe [2008-7-22 3530752]

=============== Created Last 30 ================

2009-09-26 01:17	<DIR>	-cd-----	c:\docume~1\owner3\applic~1\KodakCredentialStore
2009-09-20 01:47	4,597	ac------	c:\windows\system32\dhcp.mib
2009-09-20 01:47	16,617	ac------	c:\windows\system32\authserv.mib
2009-09-20 01:47	15,597	ac------	c:\windows\system32\accserv.mib
2009-09-15 15:27	<DIR>	-cd-----	c:\docume~1\owner3\applic~1\Skinux
2009-09-15 15:15	1,221,512	ac------	c:\windows\system32\zpeng25.dll
2009-09-15 15:07	713,216	-c------	c:\windows\system32\dllcache\sxs.dll
2009-09-15 09:03	<DIR>	-cd-----	c:\program files\Kodak
2009-09-08 15:41	<DIR>	-cd-----	c:\program files\Spybot - Search & Destroy
2009-09-08 15:41	<DIR>	-cd-----	c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-03 18:52	23,576	ac------	c:\windows\system32\wuapi.dll.mui
2009-09-02 20:32	2,871	ac------	C:\Key Frequencies.xml
2009-08-31 03:53	30,720	ac------	c:\windows\system32\B40750EF1C79949C.exe
2009-08-30 12:45	<DIR>	-cds----	C:\ComboFix
2009-08-30 12:45	388,608	ac------	c:\windows\system32\CF13940.exe
2009-08-30 11:51	229,376	ac------	c:\windows\PEV.exe
2009-08-30 11:51	161,792	ac------	c:\windows\SWREG.exe
2009-08-30 11:51	98,816	ac------	c:\windows\sed.exe
2009-08-30 11:50	388,608	ac------	c:\windows\system32\CF1142.exe
2009-08-28 22:22	6,341,717	ac------	C:\Python22.rar

==================== Find3M  ====================

2009-09-26 14:57	90,159,136	ac-sh---	c:\windows\system32\drivers\fidbox.dat
2009-09-25 10:26	1,142,276	ac-sh---	c:\windows\system32\drivers\fidbox.idx
2009-09-15 15:24	4,212	a---h---	c:\windows\system32\zllictbl.dat
2009-08-26 20:31	261,747	ac------	C:\NaomiUninstall.exe
2009-08-26 19:44	785,801	ac------	C:\Install.exe
2009-08-26 19:43	262,389	ac------	C:\NaomiAlert.exe
2009-08-26 19:16	260,983	ac------	C:\test.exe
2009-08-25 22:59	261,203	ac------	C:\test2.exe
2009-08-14 02:43	77,374,265	ac------	c:\program files\Macromedia.rar
2009-08-07 12:12	410,984	ac------	c:\windows\system32\deploytk.dll
2009-08-03 13:36	38,160	ac------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36	19,096	ac------	c:\windows\system32\drivers\mbam.sys
2008-01-02 15:03	0	ac-sh---	c:\windows\sminst\HPCD.sys
2006-05-03 05:06	163,328	ac-shr--	c:\windows\system32\flvDX.dll
2007-02-21 06:47	31,232	-c-shr--	c:\windows\system32\msfDX.dll
2008-03-16 08:30	216,064	-c-shr--	c:\windows\system32\nbDX.dll

============= FINISH: 15:00:02.00 ===============

i don't understand why it's saying i have bitdefender, or saying my firewall/av is disabled when they are enabled and running. i do now know what motherboard i have though, so at least one good thing came of this, and for some odd reason, my CPU is overclocked to 2703MHz from 2700MHz, but this must have been from some time ago because its effect is subtle and my clock is 4 min fast, i'd change it back but i want to see how long it takes to get to an hour fast


#5 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 02 October 2009 - 05:36 PM

Hi skyboy,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
m0le is a proud member of UNITE

#6 skyboy
  • Topic Starter
  • Members
  • 10 posts

Posted 03 October 2009 - 02:21 PM

i can't guarantee that firefox won't get updated during the process, and i'd prefer to stay up-to-date with its security fixes to avoid potentially serious issues. however, the browser itself (of which there are two copies, 3.0.14 and 3.5.3) isn't the issue nor harbors the issue, but was subject to the issue at one point

#7 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 03 October 2009 - 02:38 PM

Hi skyboy,

There's a lot of logs here but from what I can see MBAM has slowly picked off the trojans that were infecting your machine.

What you haven't done though is checked for rootkits.


We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location

  • Open RootRepeal on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
If this is clean (probably is) then we can give final instructions and you can ask any questions you might have (like why BitDefender is showing) :(
m0le is a proud member of UNITE
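Reading a RootRepeal report by hand means scanning hundreds of near-identical entries, so here is an added Python helper (not RootRepeal's code and not part of the instructions above) that parses the report format the next reply quotes, groups the SSDT hooks by hooking module, collects the "Hidden Code" stealth objects per driver and sorts the Hidden/Locked Files by status. The embedded sample is a constructed, trimmed copy of that report; a hook attributed to a module you can tie to installed software (vsdatant.sys is listed as a ZoneAlarm driver in the DDS log above) reads very differently from one by a module you cannot place.

```python
"""RootRepeal report triage (added example; not RootRepeal's or the forum's code):
parse the report sections into records and summarise who hooks what."""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the report format quoted in this thread.
SAMPLE_REPORT = """ROOTREPEAL (c) AD, 2007-2009
Hidden/Locked Files
-------------------
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\\documents and settings\\owner2\\local settings\\temp\\~df26f2.tmp
Status: Allocation size mismatch (API: 8192, Raw: 0)

SSDT
-------------------
#: 037\tFunction Name: NtCreateFile
Status: Hooked by "C:\\WINDOWS\\System32\\vsdatant.sys" at address 0xad4444f0

#: 071\tFunction Name: NtEnumerateKey
Status: Hooked by "spsp.sys" at address 0xf74f5ca2

#: 119\tFunction Name: NtOpenKey
Status: Hooked by "spsp.sys" at address 0xf74d70c0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System\tAddress: 0x8a7c31f8\tSize: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System\tAddress: 0x8a7c31f8\tSize: 121
"""

# A line opening with one of these keys starts a new record.  Keying on the field
# instead of on blank lines keeps the parser working on double-spaced forum pastes.
START_KEYS = {"Name", "Path", "#", "Object"}
HOOK_RE = re.compile(r'Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)')
OBJECT_RE = re.compile(r"^(?P<kind>.+?) \[Driver: (?P<driver>.+?), (?P<irp>IRP_MJ_\w+)\]$")
MISMATCH_RE = re.compile(r"Allocation size mismatch \(API: (\d+), Raw: (\d+)\)")

def parse_report(text):
    """Return {section name: [ {field: value, ...}, ... ]}."""
    lines = [l.strip() for l in text.splitlines()]
    sections, current, entry = {}, None, {}
    for i, line in enumerate(lines):
        following = next((lines[j] for j in range(i + 1, len(lines)) if lines[j]), "")
        if line and following and set(following) == {"-"}:  # section title over a dashed rule
            if entry and current:
                sections[current].append(entry)
            current, entry = line, {}
            sections[current] = []
            continue
        if current is None or not line or set(line) == {"-"}:
            continue
        fields = [f.partition(": ") for f in line.split("\t") if f.strip()]  # tab-separated
        if entry and fields[0][0].strip() in START_KEYS:
            sections[current].append(entry)
            entry = {}
        for key, sep, value in fields:
            if sep:
                entry[key.strip()] = value.strip()
    if entry and current:
        sections[current].append(entry)
    return sections

def ssdt_hooks_by_module(sections):
    """{hooking module: sorted hooked Nt* functions}; an unfamiliar module stands out."""
    out = defaultdict(list)
    for e in sections.get("SSDT", []):
        m = HOOK_RE.search(e.get("Status", ""))
        if m:
            out[m.group("module")].append(e["Function Name"])
    return {k: sorted(v) for k, v in out.items()}

def hidden_code_by_driver(sections):
    """{driver: {"addresses": set, "irps": list}} for Hidden Code objects: one address
    shared by every IRP major is a single filter on that driver's dispatch table."""
    out = {}
    for e in sections.get("Stealth Objects", []):
        m = OBJECT_RE.match(e.get("Object", ""))
        if m and m.group("kind") == "Hidden Code":
            rec = out.setdefault(m.group("driver"), {"addresses": set(), "irps": []})
            rec["addresses"].add(e.get("Address", "?"))
            rec["irps"].append(m.group("irp"))
    return out

def file_findings(sections):
    """Group Hidden/Locked Files by the status RootRepeal attaches to each path."""
    out = {"locked": [], "mismatch": [], "other": []}
    for e in sections.get("Hidden/Locked Files", []):
        status = e.get("Status", "")
        kind = "locked" if status.startswith("Locked") else "mismatch" if MISMATCH_RE.search(status) else "other"
        out[kind].append(e.get("Path", ""))  # mismatch: Win32 API size and raw NTFS size disagree
    return out
```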

#8 skyboy
  • Topic Starter
  • Members
  • 10 posts

Posted 04 October 2009 - 10:33 AM

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2009/10/04 10:35
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA52CA000	Size: 98304	File Visible: No	Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79A3000	Size: 8192	File Visible: No	Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7A4F000	Size: 1664	File Visible: No	Signed: -
Status: -

Name: PCI_PNP9850
Image Path: \Driver\PCI_PNP9850
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xA6B2F000	Size: 7872	File Visible: No	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAD0C2000	Size: 49152	File Visible: No	Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF798D000	Size: 5248	File Visible: No	Signed: -
Status: -

Name: spsp.sys
Image Path: spsp.sys
Address: 0xF74D6000	Size: 1048576	File Visible: No	Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF7B11000	Size: 81920	File Visible: No	Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\RCT-D.iso:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\RCT2-WW.iso:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\RCT2.iso:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\RECYCLER\S-1-5-21-4019190151-2164246183-1317169341-1003\multi.mix
Status: Locked to the Windows API!

Path: C:\RECYCLER\S-1-5-21-4019190151-2164246183-1317169341-1003\ra2.mix
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc320.wav
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc339.wav
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc316.mix
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc318.mix
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc347.exe
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc325.wav
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc332.wav
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc345.ini
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc348.mix
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc349.mix
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc321.wav
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc322.wav
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc350.wav
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc323.exe
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc324.wav
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc326.wav
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\gamemd.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: C:\Westwood\RA2\Dc327.shp
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc328.wav
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc329.wav
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc330.wav
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc331.wav
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc351.ini
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc353.ini
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc354.bik
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc333.wav
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc334.ini
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc335.mix
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc341.wav
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc342.wav
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc343.wav
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc344.exe
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc336.wav
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc337.mix
Status: Locked to the Windows API!

Path: C:\Westwood\RA2\Dc315.mix
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner3\Desktop\flashplayer_10_plugin_debug.exe:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
Status: Visible to the Windows API, but not on disk.

Path: c:\documents and settings\owner2\local settings\temp\~df26f2.tmp
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: c:\documents and settings\owner3\local settings\temp\~df721b.tmp
Status: Allocation size mismatch (API: 245760, Raw: 196608)

Path: c:\documents and settings\owner3\local settings\temp\~dfebbd.tmp
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\owner3\local settings\temp\~df2463.tmp
Status: Allocation size mismatch (API: 45056, Raw: 20480)

Path: c:\documents and settings\owner3\local settings\history\history.ie5\mshist012009092120090928\index.dat
Status: Allocation size mismatch (API: 8192, Raw: 4096)

Path: C:\Documents and Settings\Owner3\Application Data\Mozilla\Firefox\Profiles\w0wc6hsw.Empty-FF3\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

Path: c:\documents and settings\owner3\local settings\application data\mozilla\firefox\profiles\cxemftjd.hgfhgfdf\urlclassifier3.sqlite
Status: Allocation size mismatch (API: 20340736, Raw: 17891328)

Path: c:\documents and settings\owner3\local settings\application data\mozilla\firefox\profiles\cxemftjd.hgfhgfdf\xul.mfl
Status: Allocation size mismatch (API: 2002944, Raw: 2252800)

Path: c:\documents and settings\owner3\local settings\application data\mozilla\firefox\profiles\w0wc6hsw.empty-ff3\urlclassifier3.sqlite
Status: Allocation size mismatch (API: 19197952, Raw: 19156992)

Path: C:\Documents and Settings\Owner3\Local Settings\Apps\2.0\EG0LBYZR.CEY\67P7V319.PPT\manifests\ActiproSoftware.Shared.WPF30.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner3\Local Settings\Apps\2.0\EG0LBYZR.CEY\67P7V319.PPT\manifests\ActiproSoftware.Ribbon.WPF30.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner3\Local Settings\Apps\2.0\EG0LBYZR.CEY\67P7V319.PPT\manifests\VectorStudio.exe.manifest
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Owner3\Local Settings\Apps\2.0\EG0LBYZR.CEY\67P7V319.PPT\manifests\VectorStudio.exe.manifest
Status: Locked to the Windows API!

Path: c:\programs\cygwin\usr\share\ri\1.8\system\iconv\invalidencoding\cdesc-invalidencoding.yaml
Status: Allocation size mismatch (API: 360, Raw: 10133099161583976)

Path: c:\documents and settings\owner3\local settings\application data\mozilla\firefox\profiles\w0wc6hsw.empty-ff3\cache\_cache_001_
Status: Allocation size mismatch (API: 983040, Raw: 843776)

Path: c:\documents and settings\owner3\local settings\application data\mozilla\firefox\profiles\w0wc6hsw.empty-ff3\cache\_cache_002_
Status: Allocation size mismatch (API: 1716224, Raw: 1601536)

Path: c:\documents and settings\owner3\local settings\application data\mozilla\firefox\profiles\w0wc6hsw.empty-ff3\cache\_cache_003_
Status: Allocation size mismatch (API: 3555328, Raw: 3239936)

Path: C:\Documents and Settings\Owner3\Local Settings\Application Data\Microsoft\Messenger\mr.wraith.06@gmail.com\SharingMetadata\kasha4890@gmail.com\DFSR\Staging\CS{DEDA4787-9259-71E1-1FA2-DD0C2B3C5358}\16\16-{7C~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner3\Local Settings\Application Data\Microsoft\Messenger\mr.wraith.06@gmail.com\SharingMetadata\naomi_2976@hotmail.com\DFSR\Staging\CS{11B9E806-033E-0D19-C3D8-04878ECDB5EB}\25\25-{7C~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner3\Local Settings\Application Data\Microsoft\Messenger\mr.wraith.06@gmail.com\SharingMetadata\paul.sharp91@hotmail.co.uk\DFSR\Staging\CS{621B8042-8FEB-E0C5-F453-D572D19F524C}\12\82-{1A~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner3\Local Settings\Application Data\Microsoft\Messenger\mr.wraith.06@gmail.com\SharingMetadata\paul.sharp91@hotmail.co.uk\DFSR\Staging\CS{621B8042-8FEB-E0C5-F453-D572D19F524C}\36\38-{7C~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner3\Local Settings\Application Data\Microsoft\Messenger\mr.wraith.06@gmail.com\SharingMetadata\paul.sharp91@hotmail.co.uk\DFSR\Staging\CS{621B8042-8FEB-E0C5-F453-D572D19F524C}\37\43-{7C~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner3\Local Settings\Application Data\Microsoft\Messenger\mr.wraith.06@gmail.com\SharingMetadata\paul.sharp91@hotmail.co.uk\DFSR\Staging\CS{621B8042-8FEB-E0C5-F453-D572D19F524C}\41\48-{7C~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner3\Local Settings\Application Data\Microsoft\Messenger\mr.wraith.06@gmail.com\SharingMetadata\paul.sharp91@hotmail.co.uk\DFSR\Staging\CS{621B8042-8FEB-E0C5-F453-D572D19F524C}\42\46-{7C~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner3\Local Settings\Application Data\Microsoft\Messenger\mr.wraith.06@gmail.com\SharingMetadata\paul.sharp91@hotmail.co.uk\DFSR\Staging\CS{621B8042-8FEB-E0C5-F453-D572D19F524C}\47\49-{7C~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner3\Local Settings\Application Data\Microsoft\Messenger\mr.wraith.06@gmail.com\SharingMetadata\paul.sharp91@hotmail.co.uk\DFSR\Staging\CS{621B8042-8FEB-E0C5-F453-D572D19F524C}\50\50-{7C~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner3\Local Settings\Application Data\Microsoft\Messenger\mr.wraith.06@gmail.com\SharingMetadata\paul.sharp91@hotmail.co.uk\DFSR\Staging\CS{621B8042-8FEB-E0C5-F453-D572D19F524C}\51\51-{7C~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner3\Local Settings\Application Data\Microsoft\Messenger\mr.wraith.06@gmail.com\SharingMetadata\paul.sharp91@hotmail.co.uk\DFSR\Staging\CS{621B8042-8FEB-E0C5-F453-D572D19F524C}\52\52-{7C~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner3\Local Settings\Application Data\Microsoft\Messenger\mr.wraith.06@gmail.com\SharingMetadata\paul.sharp91@hotmail.co.uk\DFSR\Staging\CS{621B8042-8FEB-E0C5-F453-D572D19F524C}\53\53-{7C~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner3\Local Settings\Application Data\Microsoft\Messenger\mr.wraith.06@gmail.com\SharingMetadata\paul.sharp91@hotmail.co.uk\DFSR\Staging\CS{621B8042-8FEB-E0C5-F453-D572D19F524C}\54\54-{7C~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner3\Local Settings\Application Data\Microsoft\Messenger\mr.wraith.06@gmail.com\SharingMetadata\paul.sharp91@hotmail.co.uk\DFSR\Staging\CS{621B8042-8FEB-E0C5-F453-D572D19F524C}\55\55-{7C~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner3\Local Settings\Application Data\Microsoft\Messenger\mr.wraith.06@gmail.com\SharingMetadata\paul.sharp91@hotmail.co.uk\DFSR\Staging\CS{621B8042-8FEB-E0C5-F453-D572D19F524C}\56\56-{7C~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner3\Local Settings\Application Data\Microsoft\Messenger\mr.wraith.06@gmail.com\SharingMetadata\paul.sharp91@hotmail.co.uk\DFSR\Staging\CS{621B8042-8FEB-E0C5-F453-D572D19F524C}\57\57-{7C~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner3\Local Settings\Application Data\Microsoft\Messenger\mr.wraith.06@gmail.com\SharingMetadata\paul.sharp91@hotmail.co.uk\DFSR\Staging\CS{621B8042-8FEB-E0C5-F453-D572D19F524C}\58\60-{7C~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Owner3\Local Settings\Application Data\Microsoft\Messenger\mr.wraith.06@gmail.com\SharingMetadata\paul.sharp91@hotmail.co.uk\DFSR\Staging\CS{621B8042-8FEB-E0C5-F453-D572D19F524C}\58\75-{7C~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 031	Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad447c30

#: 037	Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad4444f0

#: 041	Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad45f090

#: 046	Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad448320

#: 047	Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad45c760

#: 048	Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad45c970

#: 050	Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad461310

#: 056	Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad448410

#: 062	Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad444d20

#: 063	Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad45fe90

#: 065	Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad45fab0

#: 068	Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad45c0e0

#: 071	Function Name: NtEnumerateKey
Status: Hooked by "spsp.sys" at address 0xf74f5ca2

#: 073	Function Name: NtEnumerateValueKey
Status: Hooked by "spsp.sys" at address 0xf74f6030

#: 097	Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad440130

#: 098	Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad460560

#: 099	Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad4605e0

#: 108	Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad461590

#: 116	Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad444a80

#: 119	Function Name: NtOpenKey
Status: Hooked by "spsp.sys" at address 0xf74d70c0

#: 122	Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad45e070

#: 128	Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad45de30

#: 160	Function Name: NtQueryKey
Status: Hooked by "spsp.sys" at address 0xf74f6108

#: 177	Function Name: NtQueryValueKey
Status: Hooked by "spsp.sys" at address 0xf74f5f88

#: 192	Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad460dd0

#: 193	Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad4607a0

#: 200	Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad447840

#: 204	Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad460c20

#: 210	Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad447e80

#: 224	Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad444f90

#: 240	Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad43fbb0

#: 247	Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad45f5c0

#: 255	Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad45d0f0

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad45cf70

#: 262	Function Name: NtUnloadDriver
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad4403e0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System	Address: 0x8a7c31f8	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System	Address: 0x8a3d8368	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System	Address: 0x8a3d8368	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System	Address: 0x8a3d8368	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System	Address: 0x8a3d8368	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System	Address: 0x8a3d8368	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System	Address: 0x8a3d8368	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System	Address: 0x8a3d8368	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System	Address: 0x8a3d8368	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a3d8368	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System	Address: 0x8a3d8368	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System	Address: 0x8a3d8368	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System	Address: 0x8a3d8368	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System	Address: 0x8a3d8368	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a3d8368	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a3d8368	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System	Address: 0x8a3d8368	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System	Address: 0x8a3d8368	Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System	Address: 0x8a3d8368	Size: 121

Object: Hidden Code [Driver: aulcw7f8ȅః扏济0000004fȃ䵃慖, IRP_MJ_CREATE]
Process: System	Address: 0x8a3ff500	Size: 121

Object: Hidden Code [Driver: aulcw7f8ȅః扏济0000004fȃ䵃慖, IRP_MJ_CLOSE]
Process: System	Address: 0x8a3ff500	Size: 121

Object: Hidden Code [Driver: aulcw7f8ȅః扏济0000004fȃ䵃慖, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a3ff500	Size: 121

Object: Hidden Code [Driver: aulcw7f8ȅః扏济0000004fȃ䵃慖, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a3ff500	Size: 121

Object: Hidden Code [Driver: aulcw7f8ȅః扏济0000004fȃ䵃慖, IRP_MJ_POWER]
Process: System	Address: 0x8a3ff500	Size: 121

Object: Hidden Code [Driver: aulcw7f8ȅః扏济0000004fȃ䵃慖, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a3ff500	Size: 121

Object: Hidden Code [Driver: aulcw7f8ȅః扏济0000004fȃ䵃慖, IRP_MJ_PNP]
Process: System	Address: 0x8a3ff500	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System	Address: 0x8a4191f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System	Address: 0x8a4191f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System	Address: 0x8a4191f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System	Address: 0x8a4191f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System	Address: 0x8a4191f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a4191f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a4191f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System	Address: 0x8a4191f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System	Address: 0x8a4191f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a4191f8	Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System	Address: 0x8a4191f8	Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System	Address: 0x89f3f1f8	Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System	Address: 0x89f3f1f8	Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System	Address: 0x89f3f1f8	Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System	Address: 0x89f3f1f8	Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x89f3f1f8	Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x89f3f1f8	Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System	Address: 0x89f3f1f8	Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x89f3f1f8	Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System	Address: 0x89f3f1f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System	Address: 0x8a7541f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System	Address: 0x8a7541f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a7541f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a7541f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System	Address: 0x8a7541f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a7541f8	Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System	Address: 0x8a7541f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE]
Process: System	Address: 0x8a5751f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE]
Process: System	Address: 0x8a5751f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL]
Process: System	Address: 0x8a5751f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System	Address: 0x8a5751f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER]
Process: System	Address: 0x8a5751f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL]
Process: System	Address: 0x8a5751f8	Size: 121

Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP]
Process: System	Address: 0x8a5751f8	Size: 121



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]

Process: System	Address: 0x8a7c51f8	Size: 121



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]

Process: System	Address: 0x8a7c51f8	Size: 121



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]

Process: System	Address: 0x8a7c51f8	Size: 121



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]

Process: System	Address: 0x8a7c51f8	Size: 121



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]

Process: System	Address: 0x8a7c51f8	Size: 121



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System	Address: 0x8a7c51f8	Size: 121



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]

Process: System	Address: 0x8a7c51f8	Size: 121



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]

Process: System	Address: 0x8a7c51f8	Size: 121



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]

Process: System	Address: 0x8a7c51f8	Size: 121



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]

Process: System	Address: 0x8a7c51f8	Size: 121



Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]

Process: System	Address: 0x8a7c51f8	Size: 121



Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]

Process: System	Address: 0x8a136500	Size: 121



Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]

Process: System	Address: 0x8a136500	Size: 121



Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]

Process: System	Address: 0x8a136500	Size: 121



Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System	Address: 0x8a136500	Size: 121



Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]

Process: System	Address: 0x8a136500	Size: 121



Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]

Process: System	Address: 0x8a136500	Size: 121



Object: Hidden Code [Driver: fasttx2k, IRP_MJ_CREATE]

Process: System	Address: 0x8a7c41f8	Size: 121



Object: Hidden Code [Driver: fasttx2k, IRP_MJ_CLOSE]

Process: System	Address: 0x8a7c41f8	Size: 121



Object: Hidden Code [Driver: fasttx2k, IRP_MJ_DEVICE_CONTROL]

Process: System	Address: 0x8a7c41f8	Size: 121



Object: Hidden Code [Driver: fasttx2k, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System	Address: 0x8a7c41f8	Size: 121



Object: Hidden Code [Driver: fasttx2k, IRP_MJ_POWER]

Process: System	Address: 0x8a7c41f8	Size: 121



Object: Hidden Code [Driver: fasttx2k, IRP_MJ_SYSTEM_CONTROL]

Process: System	Address: 0x8a7c41f8	Size: 121



Object: Hidden Code [Driver: fasttx2k, IRP_MJ_PNP]

Process: System	Address: 0x8a7c41f8	Size: 121



Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]

Process: System	Address: 0x8a5651f8	Size: 121



Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]

Process: System	Address: 0x8a5651f8	Size: 121



Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]

Process: System	Address: 0x8a5651f8	Size: 121



Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System	Address: 0x8a5651f8	Size: 121



Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]

Process: System	Address: 0x8a5651f8	Size: 121



Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]

Process: System	Address: 0x8a5651f8	Size: 121



Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]

Process: System	Address: 0x8a5651f8	Size: 121



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]

Process: System	Address: 0x89f5a1f8	Size: 121



Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]

Proc

Shadow SSDT

-------------------

#: 460	Function Name: NtUserMessageCall

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad446bd0



#: 475	Function Name: NtUserPostMessage

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad446c70



#: 476	Function Name: NtUserPostThreadMessage

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad446d00



#: 489	Function Name: NtUserRegisterUserApiHook

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad440e20



#: 491	Function Name: NtUserRegisterRawInputDevices

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad445ad0



#: 502	Function Name: NtUserSendInput

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad446ed0



#: 549	Function Name: NtUserSetWindowsHookEx

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad4409c0



#: 552	Function Name: NtUserSetWinEventHook

Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad440c70



==EOF==

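A small triage script for a RootRepeal log like the one posted above, added here as an example (it is not RootRepeal's own code and not something posted in this thread): it parses the "Hidden Code" and "Shadow SSDT" sections, groups the dispatch-slot hits per driver and the hooks per installing module, and compares the hooking modules against an analyst-supplied allow-list. The excerpt embedded in the script is copied from the log above; the allow-list containing vsdatant.sys (ZoneAlarm's TrueVector driver) is an assumption standing in for whatever security software the analyst knows to be installed.

```python
import re
from collections import defaultdict

# Excerpt copied from the RootRepeal log posted above (the full log is much longer).
# Whitespace between fields is normalised to spaces; the original uses tabs.
SAMPLE_LOG = r"""
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System    Address: 0x8a4191f8    Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System    Address: 0x8a4191f8    Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System    Address: 0x89f3f1f8    Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System    Address: 0x8a7541f8    Size: 121

Shadow SSDT
-------------------
#: 460    Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad446bd0

#: 549    Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xad4409c0

==EOF==
"""

# Each "Object" / "#:" header line is followed by one detail line; the regexes
# below match those two-line records as they appear in RootRepeal output.
HIDDEN_RE = re.compile(r"^Object: Hidden Code \[Driver: (?P<driver>.+?), (?P<irp>IRP_MJ_\w+)\]$")
DETAIL_RE = re.compile(r"^Process: (?P<process>\S+)\s+Address: (?P<addr>0x[0-9a-fA-F]+)\s+Size: (?P<size>\d+)$")
HOOK_RE = re.compile(r"^#: (?P<index>\d+)\s+Function Name: (?P<func>\w+)$")
STATUS_RE = re.compile(r'^Status: Hooked by "(?P<module>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)$')


def parse_rootrepeal(text):
    """Return (hidden_code_entries, shadow_ssdt_hooks) parsed from RootRepeal-style text."""
    hidden, hooks = [], []
    pending = None  # header record waiting for its detail line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HIDDEN_RE.match(line)
        if m:
            pending = ("hidden", m.groupdict())
            continue
        m = HOOK_RE.match(line)
        if m:
            pending = ("hook", m.groupdict())
            continue
        m = DETAIL_RE.match(line)
        if m and pending and pending[0] == "hidden":
            hidden.append({**pending[1], **m.groupdict()})
            pending = None
            continue
        m = STATUS_RE.match(line)
        if m and pending and pending[0] == "hook":
            hooks.append({**pending[1], **m.groupdict()})
            pending = None
    return hidden, hooks


def summarize_hidden_code(entries):
    """Group hidden-code hits by driver: number of IRP_MJ_* dispatch slots reported
    and the distinct addresses they point at (in the log above, one address per driver)."""
    by_driver = defaultdict(lambda: {"slots": 0, "addresses": set()})
    for e in entries:
        by_driver[e["driver"]]["slots"] += 1
        by_driver[e["driver"]]["addresses"].add(e["addr"].lower())
    return {d: {"slots": v["slots"], "addresses": sorted(v["addresses"])} for d, v in by_driver.items()}


def summarize_hooks(entries):
    """Group Shadow SSDT hooks by the file name of the module that installed them."""
    by_module = defaultdict(list)
    for e in entries:
        by_module[e["module"].rsplit("\\", 1)[-1].lower()].append(e["func"])
    return dict(by_module)


def unexpected_hook_modules(entries, allowlist):
    """Hooking modules not on the analyst's allow-list (assumed input, lower-case file names)."""
    return set(summarize_hooks(entries)) - {m.lower() for m in allowlist}


if __name__ == "__main__":
    hidden, hooks = parse_rootrepeal(SAMPLE_LOG)
    for drv, info in summarize_hidden_code(hidden).items():
        print(f"{drv}: {info['slots']} dispatch slot(s) -> {', '.join(info['addresses'])}")
    for mod, funcs in summarize_hooks(hooks).items():
        print(f"{mod}: hooks {', '.join(funcs)}")
    # Assumed allow-list: the analyst knows vsdatant.sys is the installed firewall driver.
    print("unexpected hook modules:", unexpected_hook_modules(hooks, {"vsdatant.sys"}) or "none")
```

Run against the full log, the per-module view is what makes the "looks clean" verdict quick to reach: every Shadow SSDT hook comes from one known product driver, and each hidden-code driver resolves to a single shared address rather than a scatter of unrelated ones. A module that is not on the allow-list, or a driver whose slots point at several different addresses, is where a closer look would start.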

#9 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:30 PM

Posted 04 October 2009 - 10:37 AM

Nothing doing there either.

Looks clean to me. :(

Any questions?
m0le is a proud member of UNITE

#10 skyboy

skyboy
  • Topic Starter

  • Members
  • 10 posts
  • Local time:03:30 PM

Posted 04 October 2009 - 11:32 AM

yeah, why programs think i have bitdefender on my computer/running

edit: and after reviewing the root repeal log, what the
aulcw7f8ȅః扏济0000004fȃ䵃慖
driver is and why it has illegal characters in its name; it strikes me as being a harmful file

Edited by skyboy, 04 October 2009 - 11:39 AM.


#11 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:30 PM

Posted 04 October 2009 - 05:00 PM

yeah, why programs think i have bitdefender on my computer/running


It may be that bits of BitDefender still exist on the PC; these programs are designed to find these files/registry entries. Try this uninstaller


and after reviewing the root repeal log, what the

aulcw7f8ȅః扏济0000004fȃ䵃慖
driver is and why it has illegal characters in its name; it strikes me as being a harmful file


This is actually a Microsoft driver which uses unicode characters.
m0le is a proud member of UNITE

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:30 PM

Posted 07 October 2009 - 05:47 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open.

If you like you can PM me.

Thanks,


m0le
m0le is a proud member of UNITE

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:08:30 PM

Posted 08 October 2009 - 05:40 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
