
siszyd32.exe


This topic is locked
16 replies to this topic

#1 Ellinas

  • Members
  • 10 posts
  • Gender:Male
  • Location:Wales

Posted 22 December 2009 - 12:02 PM

Good evening.

I'm hoping that someone here will be able to help with this. Please be aware that I know very little of computers, so if any reply does give guidance, please use "noddy language" even down to which combination of keys to press- I'm unlikely to understand it otherwise.

I hope this is the correct forum.

Yesterday, I noticed that there seemed to be a constant stream of data through my internet connection even when I was doing nothing to cause it.

I have F-Secure Blacklight on my computer, which I ran as a detection facility. It identified siszyd32.exe as a hidden process.

I have today got rid of a number of trojans via my antivirus (AVG Free) and through A-Squared. I've also managed to delete the siszyd32.exe file with Freefixer.

The constant stream of data continues, so obviously something is still not right.

Any suggestions, please?

Thanks.

E.

Edited by Ellinas, 22 December 2009 - 12:04 PM.




#2 boopme

    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 22 December 2009 - 03:03 PM

Hello and welcome.. hopefully this will be easy to follow and work.
If A Squared is also an antivirus you should disable it. Running more than one AV together will cause problems.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method:
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
  • Select the option for Safe Mode using the arrow keys.
  • Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.

How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Ellinas

  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:Wales

Posted 24 December 2009 - 08:19 AM

Hello again.

Thanks for that advice.

I suppose I should have mentioned in my previous post that I'm running Windows X.P. with Service Pack 3, with Windows Firewall (though I'm considering trying Zonealarm)

My internet connection now appears to be behaving more normally, so it seems like Malwarebytes may have cured the problem.

Anyhow, dealing with this in order:

A-squared is an antivirus and antispyware, but, in its free form, it is purely an on-demand scanner; I assume, therefore, that it is inert unless I activate it. I've not noticed any apparent conflict with A.V.G.

I scanned with MBAM as instructed. It found two items, deleted one immediately, and the other on re-boot. I then re-scanned, but it again found one item; it occurred to me to turn off System Restore. The item found was the same as the one found in the first scan to be deleted on reboot. I rebooted again and the third scan was clear.

Therefore there are 3 MBAM logs, as follows (I've replaced my name as it appears in the first log with the words "name-edit"):


First log:

Malwarebytes' Anti-Malware 1.42
Database version: 3415
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

23/12/2009 17:59:49
mbam-log-2009-12-23 (17-59-49).txt

Scan type: Quick Scan
Objects scanned: 144271
Time elapsed: 1 hour(s), 42 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\kybkz.sys (Rootkit.Agent) -> Delete on reboot.
C:\Documents and Settings\name-edit\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.


Second log:

Malwarebytes' Anti-Malware 1.42
Database version: 3415
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

23/12/2009 19:35:17
mbam-log-2009-12-23 (19-35-17).txt

Scan type: Quick Scan
Objects scanned: 144207
Time elapsed: 1 hour(s), 30 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\kybkz.sys (Rootkit.Agent) -> Delete on reboot.


Third log:

Malwarebytes' Anti-Malware 1.42
Database version: 3415
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

23/12/2009 20:59:20
mbam-log-2009-12-23 (20-59-20).txt

Scan type: Quick Scan
Objects scanned: 144226
Time elapsed: 1 hour(s), 21 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I re-started "System Restore" prior to proceeding with ATF and Super.

ATF removed a fair amount of... whatever it was...

Super has found no infection. I took your post to mean that I should "complete scan" purely with "Close browsers before scanning", "Scan for tracking cookies", and "Terminate memory threats before quarantining" checked, and therefore I unchecked everything else.

The "Super" log is as follows:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/24/2009 at 12:31 PM

Application Version : 4.32.1000

Core Rules Database Version : 4407
Trace Rules Database Version: 2240

Scan type : Complete Scan
Total Scan Time : 02:31:06

Memory items scanned : 234
Memory threats detected : 0
Registry items scanned : 5010
Registry threats detected : 0
File items scanned : 73899
File threats detected : 0


I hope that this makes sense.

Thanks again.

#4 boopme

    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 24 December 2009 - 02:18 PM

Hello, yes that is what I meant.
Scanning Control options allow you to customize the way SUPERAntiSpyware scans your computer as well as manage Allowed Items and Excluded Folders.

The instructions for scan settings are those we provide to folks asking for help with infected systems and not general scanning. The 3 settings which are recommended for using Direct Access (checked by default) are there to help find malware which attempts to hide itself from the operating system or the scanning engine. However, if enabled, these options can cause the scan to stall, hang or result in a BSOD. Unchecking them helps to ensure that does not occur. The setting for Resolve Links/Shortcuts during scan using the MSI API can also cause lock ups or hangs during the scan on some systems so it's best to uncheck it.

Closing all browsers before scanning is recommended because leaving it open can result in the inability to remove files that may be in use or the installation of additional malware. When disinfecting a system, we also want to scan all files not just known file types to ensure "trace" malicious files with other extensions are found and removed. Same reason applies for unchecking ignore System Restore/Volume Info, large and non-executable files. Malware can hide anywhere so why limit the search. The main drawback for doing this is that the scan will take longer to complete. SUPERAntispyware includes a help file in its program folder which you can refer to for more information about each scanning option.

Let's just check for Rootkits while you are here.


We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Edited by boopme, 26 December 2009 - 04:18 PM.


#5 Ellinas

  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:Wales

Posted 25 December 2009 - 05:45 AM

Thanks.

Is your comment "Let's just check for Rootkits while you are here" a vestige from a cut and paste, or is there something else you think I should do that is not included in your post?

#6 boopme

    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 25 December 2009 - 10:07 PM

It means after looking at your logs you look good. But I would like to check for rootkits while we have you here instead of just letting you go on and still have an unrevealed infection.

#7 Ellinas

  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:Wales

Posted 26 December 2009 - 05:31 AM

Fine - but how precisely?

Unless I'm misreading something, there's no indication of how I should check this. The second part of your post looks like a repeat of the first.

#8 boopme

    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 26 December 2009 - 04:19 PM

Hello.. don't know how I did that but now I've edited the post with proper instructions... very sorry.

#9 Ellinas

  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:Wales

Posted 27 December 2009 - 10:05 AM

No problem - I'm just glad that it was not me that was going mad!!!

Right, I've followed the instructions. I wasn't sure what all those "mirrors" were, but having experimented, I assume that they are all different paths to the same programme.

When I clicked on the desktop icon, a message came up saying "Error - invalid PE image found"

I deleted the file, re-downloaded and tried again with the same result. So this time I ignored it and carried out the scan as instructed.

It appeared to work.

I assume that this programme is a more powerful version of the "Blacklight" type of programme which I keep for periodic rootkit checks. Blacklight was clear after I got rid of the siszyd32.exe file itself - though I run it in a mode that is meant to minimize false positives, so may not be the most thorough scan.

Anyhow, here's the log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/27 14:26
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF47A3000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B6A000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF3440000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\$avg\$chjw\7fda1625-a067-4fbf-b3ca-9e0ee902242a
Status: Size mismatch (API: 403628, Raw: 374348)

Path: c:\$avg\$chjw\c710442f-cc07-42ee-9363-6ae3bb9b3468
Status: Size mismatch (API: 933028, Raw: 912228)

Path: c:\windows\temp\1d9c2e3a-fd6f-4699-9b24-511fe3829384.tmp
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: c:\windows\temp\e301a37a-aa2d-4dd3-9262-75a4d053235b.tmp
Status: Allocation size mismatch (API: 65536, Raw: 0)

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf4c360b0

==EOF==

Casting my inexpert eye through this I can see apparent references to A.V.G., which is my antivirus/antispyware, and to Superantispyware - which is still installed on my system, as is all the other software you've asked me to use.

I am aware of the need to approach rootkit removal with caution if I don't want to turn my computer into a doorstop (which I don't!). If you need to know anything about the system in order to interpret the report, let me know.

Thanks for your help.
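
Reading RootRepeal output like the logs posted in this thread by hand is slow, so here is a small parser and triage script for that text format, added as an example that is not part of this thread or of RootRepeal itself. It splits a log into its titled sections, lists drivers with no on-disk image path, groups SSDT hooks by the module that placed them and flags modules not on an expected list, and collapses the per-IRP "Hidden Code" entries to one count per driver and address. The two product paths in KNOWN_MODULES come from logs in this thread; the other two attributions and the sample log are my own constructions.

```python
import re
from collections import defaultdict

# Field names RootRepeal uses; several "Key: value" pairs can share one line.
KEYS = ["Image Path", "File Visible", "Function Name", "Name", "Address",
        "Size", "Signed", "Status", "Path", "#", "Object", "Process"]
FIELD_RE = re.compile(r"(?:^|(?<=\s))(%s):\s*" % "|".join(map(re.escape, KEYS)))
HOOK_RE = re.compile(r'Hooked by "([^"]+)" at address (0x[0-9a-fA-F]+)')

# Hooking modules treated as expected. The first two paths appear in this
# thread's logs; the other two are my attributions (assumption), not the thread's.
KNOWN_MODULES = {"SASKUTIL.sys": "SUPERAntiSpyware",
                 "SafeConnectShim.sys": "Virgin Broadband PCguard",
                 "klif.sys": "Kaspersky (assumed)",
                 "Lbd.sys": "Lavasoft Ad-Aware (assumed)"}

# Constructed sample in the format of the RootRepeal logs posted in this thread.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3C33000 Size: 98304 File Visible: No Signed: -
Status: -

Name: spbz.sys
Image Path: spbz.sys
Address: 0xF72CE000 Size: 1052672 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spbz.sys" at address 0xf72edca4

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf3dde0b0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x871641f8 Size: 121

==EOF==
"""


def parse_fields(line):
    """Split one line into {key: value} using the key set above, in line order."""
    hits = list(FIELD_RE.finditer(line))
    ends = [m.start() for m in hits[1:]] + [len(line)]
    return {m.group(1): line[m.end():end].strip() for m, end in zip(hits, ends)}


def parse_rootrepeal(text):
    """Return {section title: [record, ...]}; records are blank-line separated."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    sections, current, record = {}, None, {}

    def flush():
        if record and current:
            sections[current].append(record)

    for i, line in enumerate(lines):
        if i + 1 < len(lines) and re.fullmatch(r"-{5,}", lines[i + 1]):
            flush()                        # a title is the line above a dashed rule
            current, record = line.strip(), {}
            sections[current] = []
        elif re.fullmatch(r"-{5,}", line) or line.startswith("=="):
            continue                       # the rule itself, or the ==EOF== marker
        elif not line.strip():
            flush()
            record = {}
        elif current is not None:          # banner lines before any section are skipped
            record.update(parse_fields(line))
    flush()
    return sections


def triage(text):
    """What a helper reads first: drivers with no on-disk path, SSDT hooks grouped
    by hooking module, and Hidden Code entries collapsed to one per driver/address."""
    s = parse_rootrepeal(text)
    hooks, hidden = defaultdict(list), defaultdict(int)
    # Bare names or \Driver\ objects: a list to check, not a verdict (disk-emulation
    # drivers look like this too).
    no_path = [d.get("Name", "?") for d in s.get("Drivers", [])
               if not re.match(r"[A-Za-z]:\\", d.get("Image Path", ""))]
    for h in s.get("SSDT", []):
        m = HOOK_RE.search(h.get("Status", ""))
        if m:
            hooks[m.group(1).rsplit("\\", 1)[-1]].append(h.get("Function Name", "?"))
    for o in s.get("Stealth Objects", []):
        m = re.search(r"\[Driver: ([^,\]]+)", o.get("Object", ""))
        if m:   # one hook shows up once per IRP_MJ_* entry, so count them together
            hidden[(m.group(1), o.get("Address", "?"))] += 1
    return {"drivers_without_disk_path": no_path,
            "hooks": dict(hooks),
            "unknown_hookers": sorted(set(hooks) - set(KNOWN_MODULES)),
            "hidden_code": dict(hidden)}
```

Hooks placed by an installed security product (as SASKUTIL.sys is in the log above) are expected; an unsigned driver with no on-disk path that hooks the registry APIs is the kind of entry a helper would ask about next, and it may still turn out to be legitimate disk-emulation software.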

#10 boopme

    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 27 December 2009 - 02:53 PM

OK, good we are clean.. The mirrors are in case a link won't work. As you surmised they just download from different locations.
You can remove all tools we've used. Tho' I recommend keeping Malwarebytes and update and scan often.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

#11 Ellinas

  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:Wales

Posted 28 December 2009 - 09:23 AM

Thank you very much for your time and help. I'll be back should any further problems arise!

#12 boopme

    To Insanity and Beyond
  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 December 2009 - 11:38 AM

You're most welcome, as new malware is getting stronger and harder to remove, please take a moment to read quietman7's excellent prevention tips in post 3 here
Click >>>> Tips to protect yourself against malware and reduce the potential for re-infection:

#13 rocketronnie

  • Members
  • 28 posts
  • Gender:Male
  • Location:Scotland

Posted 02 January 2010 - 06:23 AM

Hello - sorry for butting in on this thread, but I started off with the same "siszyd32.exe" problem, and have followed all the instructions posted here (thanks very much for those !). I was hoping someone could help me out with the results of my last scan.

I've got to the RootRepeal scan part, and think my log looks a bit more sinister than the one from Ellinas (particularly the stealth files part where it looks to my untrained eye that my system is well and truly ******.). I'll paste the logfile here. Is this recoverable or should I get the factory restore CD out ?

I am admin for a scouting website which was hacked & it looks like the way in was through my machine giving access to the ftp username & password that I had saved in the quickconnect list in the ftp client. Hundreds of files on the site had unexpected code in them & looks like my system could be the same?

Here's the log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/02 10:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3C33000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A1C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP9110
Image Path: \Driver\PCI_PNP9110
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6B2B000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spbz.sys
Image Path: spbz.sys
Address: 0xF72CE000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\windows\system32\drivers\fidbox2.dat
Status: Size mismatch (API: 197408, Raw: 197152)

Path: c:\documents and settings\ronnie & fiona\local settings\temp\perflib_perfdata_127c.dat
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40175.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 584)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40176.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 584)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40559.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 584)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40560.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 592)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40709.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 584)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40717.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 592)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40724.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 584)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40870.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 592)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40906.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 592)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\40984.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 608)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\41010.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 584)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\41021.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 600)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\41037.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 592)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\41039.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 592)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\41041.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 592)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\41049.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 584)

Path: c:\program files\virgin broadband\pcguard\safeconnect\malwareprofile\temp\41055.mpdb
Status: Allocation size mismatch (API: 4096, Raw: 616)

Path: C:\Documents and Settings\Ronnie & Fiona\Local Settings\Application Data\{5E9807C0-FCAD-4DAA-A6AF-A9B5C498D3F1}\chrome\content\overlay.xul
Status: Locked to the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf78398b0

#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf754087e

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8f930

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8faa0

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c90540

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c90190

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c90e20

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8fd60

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spbz.sys" at address 0xf72edca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spbz.sys" at address 0xf72ee032

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8e2a0

#: 119 Function Name: NtOpenKey
Status: Hooked by "spbz.sys" at address 0xf72cf0c0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf78398e0

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c90370

#: 160 Function Name: NtQueryKey
Status: Hooked by "spbz.sys" at address 0xf72ee10a

#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c90ad0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spbz.sys" at address 0xf72edf8a

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c90dd0

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c91150

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c91770

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c95160

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8cec0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf7540bfe

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c90d80

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8e600

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys" at address 0xf3dde0b0

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf7839a30

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf7839ad0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x871641f8 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CREATE]
Process: System Address: 0x86ba7500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLOSE]
Process: System Address: 0x86ba7500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x86ba7500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_WRITE]
Process: System Address: 0x86ba7500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86ba7500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86ba7500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_EA]
Process: System Address: 0x86ba7500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_EA]
Process: System Address: 0x86ba7500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86ba7500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86ba7500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86ba7500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86ba7500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86ba7500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86ba7500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86ba7500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86ba7500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_CLEANUP]
Process: System Address: 0x86ba7500 Size: 121

Object: Hidden Code [Driver: Fastfat, IRP_MJ_PNP]
Process: System Address: 0x86ba7500 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x871651f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x871651f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x871651f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x871651f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x871651f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x871651f8 Size: 121

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x871651f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x870021f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x870021f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x870021f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x870021f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x870021f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x870021f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x870021f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x870021f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x870021f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x870021f8 Size: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x870021f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CREATE]
Process: System Address: 0x86b2a1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_CLOSE]
Process: System Address: 0x86b2a1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_READ]
Process: System Address: 0x86b2a1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_WRITE]
Process: System Address: 0x86b2a1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86b2a1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86b2a1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_POWER]
Process: System Address: 0x86b2a1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86b2a1f8 Size: 121

Object: Hidden Code [Driver: USBSTOR, IRP_MJ_PNP]
Process: System Address: 0x86b2a1f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x871d91f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x871d91f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x871d91f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x871d91f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x871d91f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x871d91f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x871d91f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x871d91f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x871d91f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x871d91f8 Size: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x871d91f8 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x8704c500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x8704c500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8704c500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8704c500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x8704c500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8704c500 Size: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x8704c500 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x871661f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x871661f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x871661f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x871661f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x871661f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x871661f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x871661f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x871661f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x871661f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x871661f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x871661f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x86baf1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x86baf1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86baf1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86baf1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x86baf1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x86baf1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8700e1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8700e1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8700e1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8700e1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8700e1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8700e1f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8700e1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x86b9c1f8 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎⎘̀, IRP_MJ_CREATE]
Process: System Address: 0x866e6500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎⎘̀, IRP_MJ_CLOSE]
Process: System Address: 0x866e6500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎⎘̀, IRP_MJ_READ]
Process: System Address: 0x866e6500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎⎘̀, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x866e6500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎⎘̀, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x866e6500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎⎘̀, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x866e6500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎⎘̀, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x866e6500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎⎘̀, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x866e6500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎⎘̀, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x866e6500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎⎘̀, IRP_MJ_SHUTDOWN]
Process: System Address: 0x866e6500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎⎘̀, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x866e6500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎⎘̀, IRP_MJ_CLEANUP]
Process: System Address: 0x866e6500 Size: 121

Object: Hidden Code [Driver: Cdfs؅ఒ噎⎘̀, IRP_MJ_PNP]
Process: System Address: 0x866e6500 Size: 121

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8e4d0

#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8de70

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf7839450

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf78393c0

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf7839400

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8dd70

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c91550

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8de20

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c8d300

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\Program Files\Virgin Broadband\PCguard\SafeConnect\Driver\platform_XP\SafeConnectShim.sys" at address 0xf7839340

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\DRIVERS\klif.sys" at address 0xf3c915a0

==EOF==[/codebox]

#14 rocketronnie

  • Members
  • 28 posts
  • OFFLINE
  • Gender:Male
  • Location:Scotland
  • Local time:10:48 AM

Posted 02 January 2010 - 10:12 AM

What about a system restore? I suspect that this might have started when I installed a car workshop manual that I bought on eBay (probably a mistake!). I've discovered that some parts of the software installed have been accessing the internet (now blocked by firewall, but weren't before), and am suspicious that there might have been some malware involved. I could system restore to before that installation & rerun the RootRepeal scan?

C:\Program Files\cosids\Apache Group\Apache\ApchT2kW.exe and
C:\Program Files\cosids\bin\tbmux32.exe are the processes that I am worried about. They were part of the manual CD. I see no reason why they should need network access, but the "apache" one is still trying.

Just tried running the manual with access blocked and it's not working (so perhaps it is legitimately needing a network connection, but I have doubts!).

Edited by rocketronnie, 02 January 2010 - 10:15 AM.


#15 boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:06:48 AM

Posted 02 January 2010 - 05:34 PM

@rocketronnie I feel the safest way to remove this is with HJT.
You will need to run HJT/DDS.
Please follow this guide; go and do steps 6 thru 8: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.