Residual signs of Zbot/zeus in Icesword SSDT table?


This topic is locked. 9 replies to this topic

#1 aonomus (Members, 5 posts)

Posted 18 January 2010 - 02:22 AM

So a few days ago I got a Zbot infection. TeaTimer saved my *** by alerting me to the userinit registry change, which I denied, preventing it from truly installing and giving me time to clean it up before a reboot.

Anyway, all the malicious code seems to be gone. No lowsec.exe and associated files/folders (or the sdra64.exe variant, etc.) reappearing, no entries in regedit that would show signs of the UID, etc. No signs of a hidden lowsec.exe hooked into winlogon.exe, etc.

What I did:

- Ran Avast - no effect
- Downloaded and ran HJT, removed entries (MSIE options lockout, malicious trusted zone entries, and a few extraneous entries unrelated to the infection, i.e. old BHOs that were uninstalled a long time ago).
- Browsed the registry to remove the Firefox/Opera/Chrome DisallowRun registry entries, the UID, and such.
- Ran the Kaspersky Zbot removal tool (http://support.kaspersky.com/viruses/solutions?print=true&qid=208280039) - killed active threads pertaining to zbot, removed hooks, deleted files (quite effective I must say).
- Verified lowsec.exe removal from system32.
- Restarted in safe mode, ran full scan with Avast (picked up a few other pieces of malware that were removed with no major note)
- Downloaded and installed ComboFix - lsprst7.dll and stdics16.dll were quarantined as viruses
- Did file by file comparison between old image and current system32 (this took quite some time by hand >_<)
- Downloaded and ran icesword - no hidden processes, ports, kernel modules, nothing hidden in the startup autoexec, no hidden routines or BHOs. No hidden message hooks. There were some red highlighted lines in the SSDT table - some were pertaining to Avast's self protection (aswSP.sys), see attached image.
- GMER scan showed several hooked files; however, the files have already been removed long ago (yet the hooks still persist)

- Registered for Bleepingcomputer forum, read the log posting topic, downloaded DDS and Rootrepeal

So my overall question is, does anyone believe my computer to be cleaned of zbot?
- My secondary question is: what are the 'unknown' SSDT hidden entries? There are some other hooks to files that no longer exist, but there are also hooks to 'nothing'.


GMER Scan:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-18 03:28:54
Windows 5.1.2600 Service Pack 2
Running: seo6oqou.exe; Driver: C:\DOCUME~1\Norman\LOCALS~1\Temp\uwloqkog.sys


---- System - GMER 1.0.15 ----

SSDT 85CCB318 ZwAlertResumeThread
SSDT 85CCB638 ZwAlertThread
SSDT 85CD5998 ZwAllocateVirtualMemory
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF256B6B8]
SSDT 85C92218 ZwConnectPort
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF256B574]
SSDT 85CCA4E8 ZwCreateMutant
SSDT 85CD5AF0 ZwCreateThread
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF256BA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF256B14C]
SSDT sptd.sys ZwEnumerateKey [0xF757284C]
SSDT sptd.sys ZwEnumerateValueKey [0xF7572BEC]
SSDT 85C7F3F0 ZwFreeVirtualMemory
SSDT 85CCAD38 ZwImpersonateAnonymousToken
SSDT 85C82590 ZwImpersonateThread
SSDT 85CEDDD8 ZwMapViewOfSection
SSDT 85C81A20 ZwOpenEvent
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF256B64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF256B08C]
SSDT 85CC8288 ZwOpenProcessToken
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF256B0F0]
SSDT 85C842A8 ZwOpenThreadToken
SSDT sptd.sys ZwQueryKey [0xF7572CC4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF256B76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF256B72E]
SSDT 85CC6E00 ZwResumeThread
SSDT 85CCC7A0 ZwSetContextThread
SSDT 85CC7348 ZwSetInformationProcess
SSDT 85CCC480 ZwSetInformationThread
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF256B8AE]
SSDT 85C811D0 ZwSuspendProcess
SSDT 85C833D0 ZwSuspendThread
SSDT 85C80908 ZwTerminateProcess
SSDT 85C836F0 ZwTerminateThread
SSDT 85CC7900 ZwUnmapViewOfSection
SSDT 85CD58C8 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 863CF1D8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Udfs \UdfsCdRom 85D0B1D8
Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_Disk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\meiudf \MeiUDF_CdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk 85D0B1D8
Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\NetBT \Device\NetBT_Tcpip_{46FDDA11-A837-4C62-8298-8EF30A8F702A} 85CDB1D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{FD3169C7-8167-4515-A17F-31458852DE0A} 85CDB1D8

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 IsDrv122.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 scoes.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 IsDrv122.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 scoes.sys

Device \Driver\usbohci \Device\USBPDO-0 862361D8
Device \Driver\usbohci \Device\USBPDO-1 862361D8
Device \Driver\usbehci \Device\USBPDO-2 8621F1D8

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)

Device pci.sys (NT Plug and Play PCI Enumerator/Microsoft Corporation)
Device \Driver\Ftdisk \Device\HarddiskVolume1 863651D8
Device \Driver\Cdrom \Device\CdRom0 86212980
Device u ACPI.sys (ACPI Driver for NT/Microsoft Corporation)
Device \Driver\Cdrom \Device\CdRom1 86212980
Device \Driver\atapi \Device\Ide\IdePort0 863D01D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 863D01D8
Device \Driver\atapi \Device\Ide\IdePort1 863D01D8
Device \Driver\atapi \Device\Ide\IdePort2 863D01D8
Device \Driver\atapi \Device\Ide\IdePort3 863D01D8
Device 863D01D8
Device \Driver\00000043 \Device\00000068 sptd.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 85CDB1D8
Device \Driver\NetBT \Device\NetbiosSmb 85CDB1D8

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbohci \Device\USBFDO-0 862361D8
Device \Driver\usbohci \Device\USBFDO-1 862361D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 85CB91D8
Device \Driver\usbehci \Device\USBFDO-2 8621F1D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 85CB91D8
Device \Driver\Ftdisk \Device\FtControl 863651D8
Device \Driver\a88crjyu \Device\Scsi\a88crjyu1 861D91D8
Device \Driver\a88crjyu \Device\Scsi\a88crjyu1Port4Path0Target0Lun0 861D91D8
Device \FileSystem\Cdfs \Cdfs 85C6B980
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----
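Editor's added example, not part of aonomus's post and not code from GMER, RootRepeal or any other tool named on this page: a small Python script that reads the SSDT sections of GMER and RootRepeal logs in the formats shown above, joins them on function name (GMER prints Zw* names and RootRepeal Nt* names for the same SSDT slot), checks that both scanners report the same hook address, and tries to attribute each hook address to a loaded driver image using the Address/Size lines of a RootRepeal Drivers section. The sample text is a constructed excerpt copied in format from this page's logs, a few entries rather than the full output. The driver list in a RootRepeal log is only what the tool chose to print, so a hook address that falls outside every listed image is consistent with hook code that lives in a kernel pool allocation rather than in a driver file (which is why both scanners print "<unknown>"), but on its own it is not proof of that.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpts in the GMER and RootRepeal formats seen on this page (not the full logs).
GMER_SAMPLE = r"""
SSDT 85CCB318 ZwAlertResumeThread
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF256B6B8]
SSDT sptd.sys ZwEnumerateKey [0xF757284C]
SSDT 85C80908 ZwTerminateProcess
"""
ROOTREPEAL_SAMPLE = r"""
Name: a88crjyu.SYS
Address: 0xF7049000 Size: 303104 File Visible: No Signed: -
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x85ccb318
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf256b6b8
#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf757284c
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x85c80908
"""

GMER_RE = re.compile(r"^SSDT\s+(?P<owner>.+?)\s+(?P<func>Zw\w+)(?:\s+\[0x(?P<addr>[0-9A-Fa-f]+)\])?\s*$")
RR_FUNC_RE = re.compile(r"^#:\s*\d+\s+Function Name:\s*(?P<func>Nt\w+)")
RR_HOOK_RE = re.compile(r'^Status:\s*Hooked by "(?P<owner>.*?)" at address 0x(?P<addr>[0-9A-Fa-f]+)')
RR_DRV_RE = re.compile(r"^(?:Name:\s*(?P<name>\S+)|Address:\s*0x(?P<base>[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+))")
Driver = Tuple[str, int, int]          # (name, image base, image size)
HookInfo = Tuple[Optional[str], int]   # (owner module or None, hook address)

def nt_name(func: str) -> str:
    """GMER prints Zw* names and RootRepeal Nt*; both refer to the same SSDT slot."""
    return "Nt" + func[2:] if func.startswith("Zw") else func

def module_name(owner: str) -> Optional[str]:
    """Reduce a scanner's owner string to a lowercase file name; None when it named no module."""
    owner = re.sub(r"\s*\(.*\)\s*$", "", owner.strip())   # drop GMER's "(description/vendor)"
    if not owner or owner == "<unknown>":
        return None
    return owner.replace("/", "\\").split("\\")[-1].lower()

def parse_gmer_ssdt(text: str) -> Dict[str, HookInfo]:
    hooks: Dict[str, HookInfo] = {}
    for line in text.splitlines():
        m = GMER_RE.match(line.strip())
        if m and m["addr"] is not None:
            hooks[nt_name(m["func"])] = (module_name(m["owner"]), int(m["addr"], 16))
        elif m and re.fullmatch(r"[0-9A-Fa-f]{8}", m["owner"]):
            # "SSDT 85CCB318 ZwFoo": no module matched, so GMER prints the bare hook address.
            hooks[nt_name(m["func"])] = (None, int(m["owner"], 16))
    return hooks

def parse_rootrepeal(text: str) -> Tuple[List[Driver], Dict[str, HookInfo]]:
    drivers: List[Driver] = []
    hooks: Dict[str, HookInfo] = {}
    name = func = None
    for line in text.splitlines():
        line = line.strip()
        if (m := RR_DRV_RE.match(line)):
            if m["name"]:
                name = m["name"]            # "Name:" line; the "Address:" line follows
            elif name:
                drivers.append((name, int(m["base"], 16), int(m["size"])))
                name = None
        elif (m := RR_FUNC_RE.match(line)):
            func = m["func"]                # "#: NNN Function Name:" line; "Status:" follows
        elif (m := RR_HOOK_RE.match(line)) and func:
            hooks[func] = (module_name(m["owner"]), int(m["addr"], 16))
            func = None
    return drivers, hooks

def attribute(addr: int, drivers: List[Driver]) -> Optional[str]:
    """Name the driver image whose [base, base+size) range covers addr, if any."""
    return next((n for n, base, size in drivers if base <= addr < base + size), None)

@dataclass
class Hook:
    func: str
    addr: int
    gmer_owner: Optional[str]
    rootrepeal_owner: Optional[str]
    image: Optional[str]        # driver image covering addr, from the RootRepeal driver list
    addresses_agree: bool       # both scanners reported the same hook address

def correlate(gmer_text: str, rr_text: str) -> List[Hook]:
    gmer = parse_gmer_ssdt(gmer_text)
    drivers, rr = parse_rootrepeal(rr_text)
    hooks = []
    for func in sorted(set(gmer) | set(rr)):
        g_owner, g_addr = gmer.get(func, (None, None))
        r_owner, r_addr = rr.get(func, (None, None))
        addr = g_addr if g_addr is not None else r_addr
        hooks.append(Hook(func, addr, g_owner, r_owner, attribute(addr, drivers),
                          g_addr is not None and g_addr == r_addr))
    return hooks

def unknown_span(hooks: List[Hook]) -> Optional[Tuple[int, int]]:
    """Lowest and highest address among hooks nobody could attribute. A tight cluster is a
    hint (only a hint) that one owner placed its hook code in a single pool allocation."""
    addrs = [h.addr for h in hooks if not (h.gmer_owner or h.rootrepeal_owner or h.image)]
    return (min(addrs), max(addrs)) if addrs else None

if __name__ == "__main__":
    result = correlate(GMER_SAMPLE, ROOTREPEAL_SAMPLE)
    for h in result:
        owner = h.gmer_owner or h.rootrepeal_owner or h.image or "<unknown>"
        print(f"{h.func:24s} 0x{h.addr:08X}  {owner}{'' if h.addresses_agree else '  (scanners disagree)'}")
    print("unattributed hook addresses:", unknown_span(result))
```

Run as-is it prints one line per hooked service with whichever owner could be determined; pasting the full GMER and RootRepeal sections from this page into the two sample strings works the same way. Two points worth taking from the output: an SSDT entry is a pointer to code that is still mapped, so a hook can never point at "nothing" even after the file that installed it has been deleted, and in this page's logs every hook the scanners could not attribute sits in a narrow range around 0x85C7xxxx to 0x85CExxxx, well outside every driver image RootRepeal lists, which is exactly the pattern that makes a scanner print "<unknown>".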




DDS Scan:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Norman at 3:30:54.69 on Mon 01/18/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.958.158 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100117-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\altera\91\quartus\bin\jtagserver.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Synergy\synergyc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Norman\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [Synergy Client] "c:\program files\synergy\synergyc.exe" --no-daemon --debug WARNING --name nchulaptop 192.168.1.101:24800
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NDSTray.exe] NDSTray.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Tvs] c:\program files\toshiba\tvs\TvsTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\\vptray.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\norman\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
uPolicies-explorer: DisallowRun = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1154738572859
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {46FDDA11-A837-4C62-8298-8EF30A8F702A} = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\norman\applic~1\mozilla\firefox\profiles\48uv86jm.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - www.google.ca/ig
FF - plugin: c:\program files\mozilla firefox\plugins\npvlc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-16 114768]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-1-17 18816]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-16 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-1-16 138680]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-1-16 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-1-16 352920]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-9 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100115.050\naveng.sys [2010-1-16 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100115.050\navex15.sys [2010-1-16 1323568]
R3 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
S2 STM Parallel Driver;STM Parallel Driver;c:\windows\system32\drivers\parstm.sys [2010-1-5 43776]
S3 AlteraUSBBlaster;Altera USB-Blaster Device Driver;c:\windows\system32\drivers\usbblstr.sys [2010-1-15 58960]
S3 aswArKrn;aswArKrn;\??\c:\docume~1\norman\locals~1\temp\aswarkrn.sys --> c:\docume~1\norman\locals~1\temp\aswArKrn.sys [?]
S3 BCR2000;B-Control Rotary/Fader 2000 (12/23/2004,1.1.1.1);c:\windows\system32\drivers\bcr2000.sys [2008-1-26 20992]
S3 EdgeSer;Edgeport Driver for Windows 2000, XP, Vista & Server 2003;c:\windows\system32\drivers\edgeser.sys [2009-6-16 151040]
S3 Ionenum;Edgeport Filter Driver;c:\windows\system32\drivers\ionenum.sys [2009-6-16 17920]
S3 LTower;LEGO USB Tower Driver;c:\windows\system32\drivers\LTower.sys [2008-1-2 36981]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\19.tmp --> c:\windows\system32\19.tmp [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
S3 PhidgetWebservice21;Phidget Webservice 21;c:\program files\phidgets\PhidgetWindowsService21.exe [2009-5-25 24576]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\tmpassthru.sys --> c:\windows\system32\drivers\TMPassthru.sys [?]

=============== Created Last 30 ================

2010-01-18 00:34:49 28160 ----a-w- C:\md5sums.exe
2010-01-17 19:22:54 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-01-17 19:00:20 41705 ---ha-w- c:\windows\system32\odbcjet.GID
2010-01-17 18:42:31 0 d-----w- c:\program files\Sophos
2010-01-17 17:37:28 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-17 16:04:16 0 d-sha-r- C:\cmdcons
2010-01-17 15:59:36 77312 ----a-w- c:\windows\MBR.exe
2010-01-17 15:59:36 261632 ----a-w- c:\windows\PEV.exe
2010-01-17 15:59:35 98816 ----a-w- c:\windows\sed.exe
2010-01-17 15:59:35 161792 ----a-w- c:\windows\SWREG.exe
2010-01-16 18:59:56 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-01-16 14:25:58 386 ----a-w- C:\-v
2010-01-16 14:25:39 103688 ----a-w- C:\ZBotKiller.exe
2010-01-15 19:27:02 16924 ------w- c:\documents and settings\norman\qms-bmh3.bmp
2010-01-15 19:27:02 16924 ------w- c:\documents and settings\norman\qms-bmh2.bmp
2010-01-15 19:27:02 16924 ------w- c:\documents and settings\norman\qms-bmh1.bmp
2010-01-15 19:26:51 16 ---h--w- c:\documents and settings\norman\5vFfCOufnM8
2010-01-15 19:23:33 471040 ----a-w- c:\windows\system32\hhactivex.dll
2010-01-15 07:09:55 419 ----a-w- c:\documents and settings\norman\quartus2.ini
2010-01-15 07:09:42 27 ----a-w- c:\documents and settings\norman\quartus2.qreg
2010-01-15 06:33:12 26120 ----a-w- c:\windows\system32\drivers\SNTNLUSB.SYS
2010-01-15 06:33:11 0 d-----w- c:\windows\system32\RNBOSENT
2010-01-15 06:33:09 7680 ----a-w- c:\windows\system32\drivers\pgdhdlc.sys
2010-01-15 06:20:22 58960 ----a-w- c:\windows\system32\drivers\usbblstr.sys
2010-01-15 06:20:22 207440 ----a-w- c:\windows\system32\usbblstr32.dll
2010-01-15 06:20:22 191056 ----a-w- c:\windows\system32\usbblstrlang.dll
2010-01-15 06:20:22 121424 ----a-w- c:\windows\system32\usbblstrui.dll
2010-01-15 06:11:15 0 d-----w- C:\altera
2010-01-14 20:31:50 54156 ---ha-w- c:\windows\QTFont.qfn
2010-01-14 20:31:50 1409 ----a-w- c:\windows\QTFont.for
2010-01-13 12:31:43 470528 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-13 08:14:39 0 d-----w- c:\documents and settings\norman\chemaxon
2010-01-13 06:41:06 0 d-----w- c:\program files\Trend Micro
2010-01-12 21:01:46 0 d-sh--w- c:\windows\system32\winsys
2010-01-05 06:08:40 43776 ----a-w- c:\windows\system32\drivers\parstm.sys
2010-01-05 06:08:35 53344 ------w- c:\windows\system32\drivers\par1284.sys
2010-01-05 06:05:52 0 d-----w- c:\program files\STMicroelectronics
2010-01-05 05:59:12 0 d-----w- c:\program files\COSMIC
2009-12-25 18:43:43 0 d-----w- c:\docume~1\norman\applic~1\IronCAD
2009-12-25 18:30:24 0 d-----w- c:\program files\VBA
2009-12-25 18:29:51 0 d-----w- c:\program files\IronCAD
2009-12-25 18:22:05 0 d-----w- c:\program files\IRONCAD9Setup
2009-12-25 18:20:32 0 d-----w- c:\program files\Ironcad 9
2009-12-23 08:28:44 218 ----a-w- c:\documents and settings\norman\.recently-used.xbel

==================== Find3M ====================

2010-01-18 00:16:36 16310 ----a-w- c:\windows\system32\tablet.dat
2010-01-17 17:36:44 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-29 05:04:25 668672 ------w- c:\windows\system32\wininet.dll
2009-10-22 02:37:50 50176 ----a-w- c:\windows\system32\SNTI386.DLL
2009-10-22 02:37:50 18432 ----a-w- c:\windows\system32\RNBOVDD.DLL
2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll

============= FINISH: 3:31:56.93 ===============


RootRepeal scan:

ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2010/01/18 03:35
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 00000043
Image Path: \Driver\00000043
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: a88crjyu.SYS
Image Path: C:\WINDOWS\System32\Drivers\a88crjyu.SYS
Address: 0xF7049000 Size: 303104 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF2523000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BA4000 Size: 8192 File Visible: No Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7C2E000 Size: 1664 File Visible: No Signed: -
Status: -

Name: IsDrv122.sys
Image Path: C:\WINDOWS\System32\Drivers\IsDrv122.sys
Address: 0xEE930000 Size: 211840 File Visible: No Signed: -
Status: -

Name: PROCEXP111.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP111.SYS
Address: 0xF7BCE000 Size: 7904 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBAFB0000 Size: 49152 File Visible: No Signed: -
Status: -

Name: scoes.sys
Image Path: C:\WINDOWS\System32\Drivers\scoes.sys
Address: 0xEE8FC000 Size: 211840 File Visible: No Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF7B6A000 Size: 5248 File Visible: No Signed: -
Status: -

Name: uwloqkog.sys
Image Path: C:\DOCUME~1\Norman\LOCALS~1\Temp\uwloqkog.sys
Address: 0xEE6AF000 Size: 93056 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Norman\Application Data\Mozilla\Firefox\Profiles\48uv86jm.default\sessionstore.js
Status: Could not get file information (Error 0xc0000008)

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x85ccb318

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x85ccb638

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x85cd5998

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf256b6b8

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x85c92218

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf256b574

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x85cca4e8

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x85cd5af0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf256ba52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf256b14c

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "sptd.sys" at address 0xf757284c

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "sptd.sys" at address 0xf7572bec

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x85c7f3f0

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x85ccad38

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x85c82590

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x85ceddd8

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x85c81a20

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf256b64e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf256b08c

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x85cc8288

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf256b0f0

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x85c842a8

#: 160 Function Name: NtQueryKey
Status: Hooked by "sptd.sys" at address 0xf7572cc4

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf256b76e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf256b72e

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x85cc6e00

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x85ccc7a0

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x85cc7348

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x85ccc480

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xf256b8ae

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x85c811d0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x85c833d0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x85c80908

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x85c836f0

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x85cc7900

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x85cd58c8

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x863cf1d8 Size: 463

Object: Hidden Code [Driver: Udfsȅ敓捁ȁం䅉⁍蹲墶꾼꾉Ȃఏ瑎商, IRP_MJ_CREATE]
Process: System Address: 0x85d0b1d8 Size: 463

Object: Hidden Code [Driver: Udfsȅ敓捁ȁం䅉⁍蹲墶꾼꾉Ȃఏ瑎商, IRP_MJ_CLOSE]
Process: System Address: 0x85d0b1d8 Size: 463

Object: Hidden Code [Driver: Udfsȅ敓捁ȁం䅉⁍蹲墶꾼꾉Ȃఏ瑎商, IRP_MJ_READ]
Process: System Address: 0x85d0b1d8 Size: 463

Object: Hidden Code [Driver: Udfsȅ敓捁ȁం䅉⁍蹲墶꾼꾉Ȃఏ瑎商, IRP_MJ_WRITE]
Process: System Address: 0x85d0b1d8 Size: 463

Object: Hidden Code [Driver: Udfsȅ敓捁ȁం䅉⁍蹲墶꾼꾉Ȃఏ瑎商, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85d0b1d8 Size: 463

Object: Hidden Code [Driver: Udfsȅ敓捁ȁం䅉⁍蹲墶꾼꾉Ȃఏ瑎商, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85d0b1d8 Size: 463

Object: Hidden Code [Driver: Udfsȅ敓捁ȁం䅉⁍蹲墶꾼꾉Ȃఏ瑎商, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85d0b1d8 Size: 463

Object: Hidden Code [Driver: Udfsȅ敓捁ȁం䅉⁍蹲墶꾼꾉Ȃఏ瑎商, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85d0b1d8 Size: 463

Object: Hidden Code [Driver: Udfsȅ敓捁ȁం䅉⁍蹲墶꾼꾉Ȃఏ瑎商, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85d0b1d8 Size: 463

Object: Hidden Code [Driver: Udfsȅ敓捁ȁం䅉⁍蹲墶꾼꾉Ȃఏ瑎商, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85d0b1d8 Size: 463

Object: Hidden Code [Driver: Udfsȅ敓捁ȁం䅉⁍蹲墶꾼꾉Ȃఏ瑎商, IRP_MJ_CLEANUP]
Process: System Address: 0x85d0b1d8 Size: 463

Object: Hidden Code [Driver: Udfsȅ敓捁ȁం䅉⁍蹲墶꾼꾉Ȃఏ瑎商, IRP_MJ_PNP]
Process: System Address: 0x85d0b1d8 Size: 463

Object: Hidden Code [Driver: a88crjyuЅ䵃慖溈敐敘, IRP_MJ_CREATE]
Process: System Address: 0x861d91d8 Size: 463

Object: Hidden Code [Driver: a88crjyuЅ䵃慖溈敐敘, IRP_MJ_CLOSE]
Process: System Address: 0x861d91d8 Size: 463

Object: Hidden Code [Driver: a88crjyuЅ䵃慖溈敐敘, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x861d91d8 Size: 463

Object: Hidden Code [Driver: a88crjyuЅ䵃慖溈敐敘, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x861d91d8 Size: 463

Object: Hidden Code [Driver: a88crjyuЅ䵃慖溈敐敘, IRP_MJ_POWER]
Process: System Address: 0x861d91d8 Size: 463

Object: Hidden Code [Driver: a88crjyuЅ䵃慖溈敐敘, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x861d91d8 Size: 463

Object: Hidden Code [Driver: a88crjyuЅ䵃慖溈敐敘, IRP_MJ_PNP]
Process: System Address: 0x861d91d8 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x86212980 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x86212980 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x86212980 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x86212980 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x86212980 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x86212980 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x86212980 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x86212980 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x86212980 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x86212980 Size: 463

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x86212980 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x863d01d8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x863d01d8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863d01d8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x863d01d8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x863d01d8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x863d01d8 Size: 463

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x863d01d8 Size: 463

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x862361d8 Size: 463

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x862361d8 Size: 463

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x862361d8 Size: 463

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x862361d8 Size: 463

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x862361d8 Size: 463

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x862361d8 Size: 463

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x862361d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x863651d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x863651d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x863651d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x863651d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863651d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x863651d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x863651d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x863651d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x863651d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x863651d8 Size: 463

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x863651d8 Size: 463

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x85cdb1d8 Size: 206

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x85cdb1d8 Size: 206

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85cdb1d8 Size: 206

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85cdb1d8 Size: 206

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x85cdb1d8 Size: 206

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x85cdb1d8 Size: 206

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8621f1d8 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8621f1d8 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8621f1d8 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8621f1d8 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8621f1d8 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8621f1d8 Size: 463

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8621f1d8 Size: 463

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x85cb91d8 Size: 131

Object: Hidden Code [Driver: Cdfsȅళ浍瑓㢈藍I, IRP_MJ_CREATE]
Process: System Address: 0x85c6b980 Size: 463

Object: Hidden Code [Driver: Cdfsȅళ浍瑓㢈藍I, IRP_MJ_CLOSE]
Process: System Address: 0x85c6b980 Size: 463

Object: Hidden Code [Driver: Cdfsȅళ浍瑓㢈藍I, IRP_MJ_READ]
Process: System Address: 0x85c6b980 Size: 463

Object: Hidden Code [Driver: Cdfsȅళ浍瑓㢈藍I, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85c6b980 Size: 463

Object: Hidden Code [Driver: Cdfsȅళ浍瑓㢈藍I, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85c6b980 Size: 463

Object: Hidden Code [Driver: Cdfsȅళ浍瑓㢈藍I, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85c6b980 Size: 463

Object: Hidden Code [Driver: Cdfsȅళ浍瑓㢈藍I, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85c6b980 Size: 463

Object: Hidden Code [Driver: Cdfsȅళ浍瑓㢈藍I, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85c6b980 Size: 463

Object: Hidden Code [Driver: Cdfsȅళ浍瑓㢈藍I, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85c6b980 Size: 463

Object: Hidden Code [Driver: Cdfsȅళ浍瑓㢈藍I, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85c6b980 Size: 463

Object: Hidden Code [Driver: Cdfsȅళ浍瑓㢈藍I, IRP_MJ_CLEANUP]
Process: System Address: 0x85c6b980 Size: 463

Object: Hidden Code [Driver: Cdfsȅళ浍瑓㢈藍I, IRP_MJ_PNP]
Process: System Address: 0x85c6b980 Size: 463

==EOF==


Combofix log available on request


At this point, I've put a lot of effort in, and I've done almost everything I know how to. I'd ideally like to avoid nuking it from orbit. Hopefully my computer is clean, and there is a way to manually remove these entries (or that this is just computer hypochondria following zbot).

Edited by aonomus, 18 January 2010 - 04:07 AM.
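A small triage helper for the "Hidden Code" entries in the log above, added here as an example and not part of this thread or of the scanner that produced the log. It pairs each `Object:` line with its `Process:` line, then groups the entries by driver and by reported code size, which is the quickest way to see that every dispatch routine of a driver resolves to one address and that many unrelated drivers share one size (the signature of a single filter or security component rather than per-driver patches). The sample log lines are constructed in the same layout, and the ASCII-prefix trimming of driver names (for entries like `Udfs` followed by garbage characters, or the random-named `a88crjyu` driver) is an assumed heuristic, not something the tool does.

```python
import re
from collections import defaultdict

# Constructed sample in the scanner's own layout, not the thread's full log.
SAMPLE_LOG = """\
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x863cf1d8 Size: 463
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x863cf1d8 Size: 463
Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x86212980 Size: 463
Object: Hidden Code [Driver: Udfs\u0205\u6553\u6341, IRP_MJ_CREATE]
Process: System Address: 0x85d0b1d8 Size: 463
Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x85cdb1d8 Size: 206
"""
OBJECT_RE = re.compile(r"^Object: Hidden Code \[Driver: (?P<driver>.+?), (?P<irp>IRP_MJ_\w+)\]$")
ADDR_RE = re.compile(r"^Process: (?P<proc>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)$")

def clean_driver_name(name):
    """Keep the leading printable-ASCII run: the scanner prints garbage after some short
    names ('Udfs' + random wide characters). Trimming is a heuristic assumed here."""
    prefix = re.match(r"[\x20-\x7e]*", name).group(0).strip()
    return prefix or name

def parse_hidden_code(text):
    """Pair each 'Object:' line with the 'Process:' line that follows it."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = OBJECT_RE.match(line)
        if m:
            pending = (clean_driver_name(m.group("driver")), m.group("irp"))
            continue
        m = ADDR_RE.match(line)
        if m and pending is not None:
            entries.append({"driver": pending[0], "irp": pending[1], "process": m.group("proc"),
                            "address": int(m.group("addr"), 16), "size": int(m.group("size"))})
            pending = None
    return entries

def hook_summary(entries):
    """Per driver: how many dispatch routines are reported and the distinct addresses and
    sizes they resolve to. One address for every IRP major means one piece of code."""
    acc = {}
    for e in entries:
        d = acc.setdefault(e["driver"], {"irps": 0, "addresses": set(), "sizes": set()})
        d["irps"] += 1
        d["addresses"].add(e["address"])
        d["sizes"].add(e["size"])
    return {drv: {"irps": d["irps"], "addresses": sorted(hex(a) for a in d["addresses"]),
                  "sizes": sorted(d["sizes"])} for drv, d in acc.items()}

def size_clusters(entries):
    """Group drivers by reported code size: one size shared by many unrelated drivers points
    to a single hooking component (a filter or security product), not per-driver patches."""
    clusters = defaultdict(set)
    for e in entries:
        clusters[e["size"]].add(e["driver"])
    return {size: sorted(drivers) for size, drivers in clusters.items()}
```

Run `hook_summary(parse_hidden_code(open("log.txt").read()))` on a saved log to get the per-driver view; `size_clusters` on the same entries shows which drivers share a hook size.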



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 24 January 2010 - 10:40 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for private use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


Post the Combofix log so I can see what's happening.
m0le is a proud member of UNITE

#3 aonomus

aonomus
  • Topic Starter

  • Members
  • 5 posts

Posted 24 January 2010 - 11:03 AM

Hi, already subscribed to the topic, eagerly waiting reply :D

Combofix log attached; it did quarantine a few files, some of which I don't believe are related to the initial infection, but they might have been installed as part of the entire incident.


#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 24 January 2010 - 12:56 PM

Hi aonomus,

Looks like you've done a nice job. There's something strange about those unknown processes and we should take a look at those before we pass the PC as clean.

Go here and download USEC.at's radix_installer_trial.zip. Then unzip that and click the radixgui.exe to open the scan display.

Then without making any changes click the Check button to start the scan. Once it has completed click the Save Log button and save that to a location you can return to. Then click the "X" to close the Radix scanner.

Attach that log back here for review please (it will be pretty large, so direct posting would be a bit tough).


Caution - the Radix scanner has many settings and options, including many that can cause quick and permanent corruption to your operating system. Avoid the temptation to try any other options, scans or settings when using it.

Thanks
m0le is a proud member of UNITE

#5 aonomus

aonomus
  • Topic Starter

  • Members
  • 5 posts

Posted 24 January 2010 - 01:37 PM

So I ran the scan. Attached. Had to delete older files.


Edited by aonomus, 24 January 2010 - 01:52 PM.


#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 24 January 2010 - 08:34 PM

The SSDT entries with no details are system processes which are hidden. In other words, they don't allow the scanner to read them.

The ZW-prefixed entries are all part and parcel of the Windows driver kit, Windows' own core.

There's nothing else noticeable in the Radix log so I would say you are clean.

Any other questions before we wrap this up?
m0le is a proud member of UNITE

#7 aonomus

aonomus
  • Topic Starter

  • Members
  • 5 posts

Posted 24 January 2010 - 08:37 PM

Yes, what would you say the two files quarantined by combofix were? They appear to use randomly generated names which did not show up in any online searches I used, so I am a little unsure as to what the actual infection would be...

But otherwise, since there is nothing hidden in the MBR, memory, hooked processes, etc - would these 2 quarantined files be safe to delete?

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 24 January 2010 - 08:48 PM

Those two files look like worms to me. Random letters and numbers are really difficult to identify though.

Don't delete them; uninstall Combofix and it will remove them, delete itself and its folders, and some other things too.

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Disable any realtime antivirus or antispyware programs.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in ComboFix /Uninstall in the runbox and click OK. (Notice the space between "ComboFix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Plus remove any other unnecessary tools with this one

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double-click the icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then Click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

That should get you back up to speed.
m0le is a proud member of UNITE

#9 aonomus

aonomus
  • Topic Starter

  • Members
  • 5 posts

Posted 24 January 2010 - 09:19 PM

Ok, well thanks very much for the help! I just needed a second opinion for peace of mind, so at least now I can resume normal operations with this computer.

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 30 January 2010 - 02:29 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
