
Stubborn Rootkit and who knows what else


9 replies to this topic

#1 Sporatica


Posted 01 October 2010 - 05:40 PM

Running Win XP Pro SP3

I had a Google redirect problem, ran TDSSKiller, and it went away. It came back - I attacked it with MBAM, SAS, and DrWeb CureIt - BUT it's still here. GMER won't run. I get a Win32 error and it shuts down.

I have logs, but really can't make much sense of them. DrWeb CureIt "eradicated" Backdoor.TDSS.565 and could not cure Tool.Kill.Proc.3, so it "moved" it. I tried running a complete scan with DrWeb, but was at 10% after 10 hours and gave up.

I am currently running a deep scan with PAVARK (finished and read clean).

Please help

Edited by Sporatica, 01 October 2010 - 05:58 PM.


#2 boopme (Global Moderator)

Posted 01 October 2010 - 07:53 PM

It may be that what was found is still the troublemaker, as in you kill it and it reincarnates. Can we see the infected MBAM and DrWeb logs?

You can also do this.
If still redirecting>>>
Change your DNS Servers:
  • Go to Start > Run... and in the open box, type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.
If the above commands did not resolve the problem, the next thing to try is to reset your network settings and Configure TCP/IP to use DNS.
  • Go to Start > Control Panel, and choose Network Connections.
  • Right-click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and choose Properties.
  • Double-click on Internet Protocol (TCP/IP) or highlight it and select Properties.
  • Under the General tab, write down any settings in case you should need to change them back.
  • Select the button that says "Obtain an IP address automatically" or make sure the DNS server IP address is the same as provided by your ISP.
  • Select the button that says "Obtain DNS servers automatically".
  • If unknown Preferred or Alternate DNS servers are listed, uncheck the box that says "Use the following DNS server address".
  • Click OK twice to get out of the properties screen and restart your computer. If not prompted to reboot go ahead and reboot manually.
-- Vista users can refer to How to Change TCP/IP settings

CAUTION: It's possible that your ISP (Internet Service Provider) requires specific DNS settings here. Make sure you know if you need these settings or not BEFORE you make any changes or you may lose your Internet connection. If you're sure you do not need a specific DNS address, then you may proceed.

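The DNS check in the post above, automated: parse an `ipconfig /all` listing and flag any DNS server that is neither the DHCP server, the default gateway, nor an ISP address the user can vouch for. This is an added example for this thread, not code from the post; the `ipconfig` output and every address in it are constructed.

```python
"""Automate the DNS-settings check from the post above: list each adapter's
DNS servers from `ipconfig /all` and flag any that are neither the DHCP
server, the default gateway, nor an ISP address the user can vouch for.
Added example for this thread, not code from the post or from Windows."""
import ipaddress
import re

# Constructed Windows XP-style `ipconfig /all` output. Addresses are made up:
# 192.168.1.x is a private LAN, 203.0.113.53 is from the TEST-NET-3
# documentation range and stands in for an unexpected resolver.
IPCONFIG_OUTPUT = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : ORG
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            192.168.1.1
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")                  # "Ethernet adapter X:"
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")  # "Key . . . : value"
CONT_RE = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\s*$")                # extra DNS server line


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}; multi-line fields (DNS Servers)
    collect their continuation lines."""
    adapters, fields, last_key = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            fields = adapters.setdefault(m.group(1), {})
            last_key = None
            continue
        if fields is None:          # still in the global header
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1).strip()
            values = fields.setdefault(last_key, [])
            if m.group(2):
                values.append(m.group(2).strip())
            continue
        m = CONT_RE.match(line)
        if m and last_key == "DNS Servers":
            fields[last_key].append(m.group(1))
    return adapters


def check_dns(adapters, isp_dns=()):
    """Classify every DNS server per adapter as 'expected' (DHCP server,
    gateway, or one of isp_dns), 'unknown' (the case the post says to look
    into), or 'malformed'. Returns [(adapter, server, verdict)]."""
    findings = []
    for name, fields in adapters.items():
        expected = set(fields.get("DHCP Server", [])) \
            | set(fields.get("Default Gateway", [])) | set(isp_dns)
        for server in fields.get("DNS Servers", []):
            try:
                ipaddress.ip_address(server)
            except ValueError:
                findings.append((name, server, "malformed"))
                continue
            findings.append((name, server, "expected" if server in expected else "unknown"))
    return findings


if __name__ == "__main__":
    for adapter, server, verdict in check_dns(parse_ipconfig(IPCONFIG_OUTPUT)):
        print(f"{adapter}: DNS {server} -> {verdict}")
```

Pass the ISP's own resolvers in `isp_dns` when the ISP requires fixed DNS settings, which is the caveat the post ends on.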

#3 Sporatica


Posted 01 October 2010 - 08:04 PM

I am running Mbam in safe mode right now. I'll ipconfig /flushdns as soon as the log generates. I'm actually afraid to go online with any of the bug still in my system. I've been fighting this on and off for about two weeks. I know that parts have been left behind and it keeps reinfecting.

Is there anything else we can do to ensure that it's clean before going online?

I forgot to add that I have also run ESET and have a log from RootRepeal (although I don't know if the hooked items are supposed to be hooked). I ran JavaRa as well as deleting all traces of Java (I know I'll have to reinstall).

#4 Sporatica


Posted 01 October 2010 - 09:40 PM

Done with the DNS and IP stuff - now what? Wanna see my logs? I could really use the help - I've gone as far as I can go and I've hit a brick wall.

#5 Sporatica


Posted 01 October 2010 - 10:37 PM

DrWeb CureIt

Process in memory: C:\WINDOWS\Explorer.EXE:1436;;BackDoor.Tdss.565;Eradicated.;
Process.exe;C:\WINDOWS\system32;Tool.Killproc.3;Incurable.Moved.;

TDSS

2010/10/01 18:30:13.0542 TDSS rootkit removing tool 2.4.3.0 Sep 27 2010 15:28:54
2010/10/01 18:30:13.0542 ================================================================================
2010/10/01 18:30:13.0542 SystemInfo:
2010/10/01 18:30:13.0542
2010/10/01 18:30:13.0542 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/01 18:30:13.0542 Product type: Workstation
2010/10/01 18:30:13.0542 ComputerName: ORG
2010/10/01 18:30:13.0542 UserName: Default
2010/10/01 18:30:13.0542 Windows directory: C:\WINDOWS
2010/10/01 18:30:13.0542 System windows directory: C:\WINDOWS
2010/10/01 18:30:13.0542 Processor architecture: Intel x86
2010/10/01 18:30:13.0542 Number of processors: 1
2010/10/01 18:30:13.0542 Page size: 0x1000
2010/10/01 18:30:13.0542 Boot type: Normal boot
2010/10/01 18:30:13.0542 ================================================================================
2010/10/01 18:30:16.0176 Initialize success
2010/10/01 18:30:21.0343 ================================================================================
2010/10/01 18:30:21.0343 Scan started
2010/10/01 18:30:21.0343 Mode: Manual;
2010/10/01 18:30:21.0343 ================================================================================
2010/10/01 18:30:48.0933 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/01 18:30:48.0953 ================================================================================
2010/10/01 18:30:48.0963 Scan finished
2010/10/01 18:30:48.0963 ================================================================================
2010/10/01 18:30:49.0073 Detected object count: 1
2010/10/01 18:31:01.0841 \HardDisk0\MBR - will be cured after reboot
2010/10/01 18:31:01.0841 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
2010/10/01 18:31:07.0690 Deinitialize success



RootRepeal

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/10/01 15:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name:
Image Path:
Address: 0xBA71D000 Size: 98304 File Visible: No Signed: -
Status: -

Name:
Image Path:
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: catchme.sys
Image Path: C:\DOCUME~1\Default\LOCALS~1\Temp\catchme.sys
Address: 0xEE1B2000 Size: 31744 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xED77D000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A4F000 Size: 8192 File Visible: No Signed: -
Status: -

Name: dwprot.sys
Image Path: C:\WINDOWS\system32\drivers\dwprot.sys
Address: 0xECDA5000 Size: 118656 File Visible: No Signed: -
Status: -

Name: mbr.sys
Image Path: C:\DOCUME~1\Default\LOCALS~1\Temp\mbr.sys
Address: 0xF77A7000 Size: 20864 File Visible: No Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xBA62F000 Size: 574976 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF7A21000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xECE15000 Size: 49152 File Visible: No Signed: -
Status: -

Name: vo33qpKA.sys
Image Path: C:\DOCUME~1\Default\LOCALS~1\Temp\vo33qpKA.sys
Address: 0xECD48000 Size: 203904 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\internet logs\iamdb.rdb
Status: Size mismatch (API: 1798656, Raw: 1795584)

Path: c:\windows\internet logs\zalog.txt
Status: Size mismatch (API: 2380557, Raw: 2380323)

Path: c:\windows\internet logs\backup.rdb
Status: Size mismatch (API: 1798656, Raw: 1793536)


SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba489542

#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba489dba

#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8bf2ec

#: 035 Function Name: NtCreateEvent
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48adcc

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8b88cc

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8da0e6

#: 043 Function Name: NtCreateMutant
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48aca4

#: 044 Function Name: NtCreateNamedPipeFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba489148

#: 045 Function Name: NtCreatePagingFile
Status: Hooked by "d347bus.sys" at address 0xba78ca20

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8bfabe

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8d3f82

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8d43aa

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8de83c

#: 051 Function Name: NtCreateSemaphore
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48aefe

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48c784

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba489a58

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8bfc1c

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48c176

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8b978e

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8dbb8e

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8db484

#: 066 Function Name: NtDeviceIoControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48a524

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8d2d66

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba488e80

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba488f2a

#: 084 Function Name: NtFsControlFile
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48a330

#: 097 Function Name: NtLoadDriver
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8b1abc

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8dc558

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8dc796

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8debf8

#: 111 Function Name: NtNotifyChangeKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba489076

#: 114 Function Name: NtOpenEvent
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48ae6e

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8b9280

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba488592

#: 120 Function Name: NtOpenMutant
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48ad3c

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8d649a

#: 125 Function Name: NtOpenSection
Status: Hooked by "C:\WINDOWS\system32\drivers\dwprot.sys" at address 0xecdb77e0

#: 126 Function Name: NtOpenSemaphore
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48afa0

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8d6088

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8ec25c

#: 160 Function Name: NtQueryKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba488fd4

#: 161 Function Name: NtQueryMultipleValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba488bfc

#: 167 Function Name: NtQuerySection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48cb50

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48884c

#: 180 Function Name: NtQueueApcThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48c49e

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8dd61e

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8dcf12

#: 194 Function Name: NtReplyPort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48b32a

#: 195 Function Name: NtReplyWaitReceivePort
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48b1f0

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8bee84

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8de07e

#: 206 Function Name: NtResumeThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48d028

#: 207 Function Name: NtSaveKey
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba4881fe

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8bf5b8

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba489c76

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8b9b98

#: 227 Function Name: NtSetInformationObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8ec120

#: 230 Function Name: NtSetInformationToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48b86c

#: 237 Function Name: NtSetSecurityObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8ddba6

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8b114a

#: 241 Function Name: NtSetSystemPowerState
Status: Hooked by "d347bus.sys" at address 0xba7980b0

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8daba8

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48cd74

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48ce9c

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\system32\drivers\dwprot.sys" at address 0xecdb770e

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8d4dd6

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48980e

#: 262 Function Name: NtUnloadDriver
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8b1f0e

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba48ca06

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba489998

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x858571e8 Size: 172

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x85867698 Size: 197

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8717d008 Size: 110

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x86eb86f8 Size: 1374

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x871c0de8 Size: 166

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x871c3cc8 Size: 824

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8582e8a0 Size: 870

Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
Process: System Address: 0x872124d8 Size: 11

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x872288d0 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x87230e70 Size: 99

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x8726fe18 Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x86eff6e0 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x87273240 Size: 11

Object: Hidden Code [Driver: Npfs?????????/??Sy, IRP_MJ_READ]
Process: System Address: 0x87286ae8 Size: 11

Object: Hidden Code [Driver: Msfs????, IRP_MJ_READ]
Process: System Address: 0x8727d240 Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System Address: 0x872856c0 Size: 11

Object: Hidden Code [Driver: Cdfs????, IRP_MJ_READ]
Process: System Address: 0x87271218 Size: 11

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba49a71e

#: 227 Function Name: NtGdiMaskBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba49a7e8

#: 237 Function Name: NtGdiPlgBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba49a852

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba49a782

#: 307 Function Name: NtUserAttachThreadInput
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba49a27e

#: 312 Function Name: NtUserBuildHwndList
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba49a8b4

#: 323 Function Name: NtUserCallOneParam
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba49a636

#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba49a46c

#: 383 Function Name: NtUserGetAsyncKeyState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba49a1e6

#: 414 Function Name: NtUserGetKeyboardState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba49a56e

#: 416 Function Name: NtUserGetKeyState
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba49a232

#: 460 Function Name: NtUserMessageCall
Status: Hooked by "C:\WINDOWS\system32\drivers\dwprot.sys" at address 0xecdb840e

#: 475 Function Name: NtUserPostMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\dwprot.sys" at address 0xecdb8382

#: 476 Function Name: NtUserPostThreadMessage
Status: Hooked by "C:\WINDOWS\system32\drivers\dwprot.sys" at address 0xecdb7218

#: 483 Function Name: NtUserQueryWindow
Status: Hooked by "C:\WINDOWS\system32\drivers\dwprot.sys" at address 0xecdb7140

#: 489 Function Name: NtUserRegisterUserApiHook
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8b2c54

#: 491 Function Name: NtUserRegisterRawInputDevices
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8bb5c6

#: 502 Function Name: NtUserSendInput
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8be272

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8b3364

#: 552 Function Name: NtUserSetWinEventHook
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8b29e8

#: 558 Function Name: NtUserSwitchDesktop
Status: Hooked by "C:\WINDOWS\system32\drivers\dwprot.sys" at address 0xecdb70dc

==EOF==

#6 boopme (Global Moderator)

Posted 02 October 2010 - 10:01 AM

Hi, those RootRepeal entries are all Kaspersky and ZoneAlarm files and are OK.

Dr.Web needs a reboot to clean the rootkit.

Now we should run ESET.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook
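The check the reply above does by eye (which driver owns each SSDT hook, and is that driver a product you installed) can be scripted. The Python below is an added example, not code from this thread, from RootRepeal or from any vendor. It parses the SSDT, Shadow SSDT and Stealth Objects sections of a RootRepeal report in the format posted above, groups hooked functions by the driver file that owns them, and checks each file name against an analyst-maintained allowlist. The allowlist is an assumption: klif.sys and vsdatant.sys are attributed to Kaspersky and ZoneAlarm as in the reply; dwprot.sys (Dr.Web) and d347bus.sys (Daemon Tools) are the usual vendor attributions for those file names. The sample input is a constructed subset of the posted log; the one entry for "unattributed.sys" is invented (hypothetical name and address) purely to exercise the not-on-allowlist path.

```python
"""Triage RootRepeal SSDT / Shadow SSDT / Stealth Objects entries by owning driver.
Added example: not code from this thread, from RootRepeal or from any vendor."""
import re
from collections import defaultdict

# Constructed sample in RootRepeal's report format. Every entry is copied from
# the log above except "unattributed.sys", which is invented (hypothetical
# driver name and address) only to exercise the not-on-allowlist path.
SAMPLE_LOG = r"""
SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba489542
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xed8bf2ec
#: 045 Function Name: NtCreatePagingFile
Status: Hooked by "d347bus.sys" at address 0xba78ca20
#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\system32\drivers\unattributed.sys" at address 0xf7c11230
Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x858571e8 Size: 172
Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x872288d0 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x872288d0 Size: 99
Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\WINDOWS\system32\DRIVERS\klif.sys" at address 0xba49a71e
"""

# Analyst-maintained allowlist (an assumption; RootRepeal supplies no such list).
# klif.sys / vsdatant.sys as attributed in the reply above; the other two are
# the usual vendor attributions for those file names. Name match only: confirm
# the file's digital signature before trusting a hook because of its name.
KNOWN_DRIVERS = {
    "klif.sys": "Kaspersky Lab",
    "vsdatant.sys": "ZoneAlarm (Check Point TrueVector)",
    "dwprot.sys": "Dr.Web",
    "d347bus.sys": "Daemon Tools SCSI bus emulation",
}

FUNC_RE = re.compile(r"#:\s*(?P<index>\d+)\s+Function Name:\s*(?P<func>\S+)")
STATUS_RE = re.compile(r'Status:\s*Hooked by "(?P<driver>[^"]+)" at address (?P<addr>0x[0-9a-fA-F]+)')
OBJ_RE = re.compile(r"Object: Hidden Code \[Driver: (?P<driver>[^,\]]+), (?P<irp>IRP_MJ_\w+)\]")
ADDR_RE = re.compile(r"Process:\s*(?P<proc>\S+)\s+Address:\s*(?P<addr>0x[0-9a-fA-F]+)\s+Size:\s*(?P<size>\d+)")


def parse_sections(text):
    """Split the report into {title: [lines]}; a title is any line that is
    immediately followed by RootRepeal's dashed underline."""
    lines = text.splitlines()
    sections, current = defaultdict(list), None
    for i, line in enumerate(lines):
        if i + 1 < len(lines) and lines[i + 1].startswith("----"):
            current = line.strip()
        elif line.startswith("----"):
            continue
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_pairs(lines, first_re, second_re):
    """RootRepeal prints each entry as two lines; join each pair into one dict."""
    entries, pending = [], None
    for line in lines:
        m = first_re.search(line)
        if m:
            pending = m.groupdict()
            continue
        m = second_re.search(line)
        if m and pending is not None:
            pending.update(m.groupdict())
            entries.append(pending)
            pending = None
    return entries


def triage_hooks(hooks):
    """Group hooked functions by driver file name; split allowlisted vs. unknown.
    Compare on the bare file name because RootRepeal prints some drivers with a
    full path and others (d347bus.sys) without one."""
    known, unknown = defaultdict(list), defaultdict(list)
    for h in hooks:
        name = h["driver"].rsplit("\\", 1)[-1].lower()
        (known if name in KNOWN_DRIVERS else unknown)[name].append(h["func"])
    return dict(known), dict(unknown)


def dispatch_summary(objects):
    """Per driver: how many IRP_MJ_* entries are redirected and to how many
    distinct addresses. Many entries sharing one address means a single stub
    fronts every request to that driver; attribute that address first."""
    summary = defaultdict(lambda: {"irps": 0, "addresses": set()})
    for o in objects:
        summary[o["driver"]]["irps"] += 1
        summary[o["driver"]]["addresses"].add(o["addr"].lower())
    return {d: {"irps": v["irps"], "addresses": sorted(v["addresses"])} for d, v in summary.items()}


def triage_report(text):
    """Full triage of one RootRepeal report: {'known', 'unknown', 'dispatch'}."""
    s = parse_sections(text)
    hooks = parse_pairs(s.get("SSDT", []), FUNC_RE, STATUS_RE) + parse_pairs(s.get("Shadow SSDT", []), FUNC_RE, STATUS_RE)
    known, unknown = triage_hooks(hooks)
    stealth = parse_pairs(s.get("Stealth Objects", []), OBJ_RE, ADDR_RE)
    return {"known": known, "unknown": unknown, "dispatch": dispatch_summary(stealth)}


if __name__ == "__main__":
    report = triage_report(SAMPLE_LOG)
    for drv, funcs in report["known"].items():
        print(f"OK       {drv:18} {KNOWN_DRIVERS[drv]}: {', '.join(funcs)}")
    for drv, funcs in report["unknown"].items():
        print(f"REVIEW   {drv:18} not on allowlist: {', '.join(funcs)}")
    for drv, v in report["dispatch"].items():
        print(f"DISPATCH {drv:18} {v['irps']} IRP_MJ entries -> {len(v['addresses'])} distinct address(es)")
```

To run it on a real report, read the saved log file and pass its contents to triage_report(). The allowlist matches on file name only, which tells you which product claims a hook, not that the file on disk is genuinely the vendor's; a driver that has been replaced in place keeps its name, so verify the signature of any driver you intend to discount. The dispatch summary is there because a driver whose every IRP_MJ_* entry lands on one address, as atapi and Cdrom do in the log above, is the entry to attribute first, whichever product turns out to own that address.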

#7 Sporatica (Topic Starter)

Posted 02 October 2010 - 05:52 PM

I re-ran everything and finally caught a 4th generation TDSS with TDSS Killer.
I cleaned up with OTL, ran windows update, updated ZA, reinstalled Java, and so far so good.

It took all night, but I am not redirecting and everything is scanning clean.

This nightmare is resolved

#8 boopme (Global Moderator)

Posted 02 October 2010 - 06:30 PM

Awesome!! If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.

Tips to protect yourself against malware and reduce the potential for re-infection:

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:

#9 Sporatica (Topic Starter)

Posted 02 October 2010 - 06:41 PM

I forgot to add, I did that too.

#10 boopme (Global Moderator)

Posted 02 October 2010 - 06:45 PM

Well then, you did just Great!! :thumbsup:
Happy Computing from all of us. :flowers: