Rootkit infection - what I thought was ThinkPoint


This topic is locked.
6 replies to this topic

#1 sdt211


Posted 16 December 2010 - 11:12 AM

The infection started out as ThinkPoint, but instead of Hotfix.exe showing in Task Manager I had smax4pnp.exe. I tried the step-by-step removal for ThinkPoint, but RKill would not load, so I tried RKill's alias programs, of which uSeRiNt.exe did work. Then I tried Malwarebytes, which installed OK and updated, but once it got 3 files into the scan it shut down. So I tried ComboFix, and it would start to load but then shut down also. Below are the DDS logs and the GMER logs.

When I did get RKill to run, the log file shows \\.\Globalroot\Device\svchost.exe\svchost.exe was terminated by RKill or while it was running.


#2 sdt211


Posted 16 December 2010 - 12:21 PM

Here is the DDS file, in case no one wants to open the attachments, and below that is the GMER file.


DDS (Ver_10-12-12.02) - NTFSx86 MINIMAL
Run by Administrator at 10:00:40.76 on Thu 12/16/2010
Internet Explorer: 8.0.6001.18702

============== Running Processes ===============

\\.\globalroot\Device\svchost.exe\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\32788R22FWJFW\License\iexplore.exe
C:\WINDOWS\system32\igfxsrvc.exe
F:\Beeping computer log files\dds.scr
C:\WINDOWS\system32\svchost.exe -k netsvcs

============== Pseudo HJT Report ===============

BHO: brumatkjegrm Object: {11761f48-58d7-4d0e-9976-5f98c2f0b335} - c:\windows\$ntuninstallmtf197$\htlgv.dll
BHO: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
BHO: adfatkjepr Object: {95983433-2347-4576-8289-9141e7bf67ef} - c:\windows\$ntuninstallmtf197$\habhu.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [bipro] rundll32 "c:\windows\$ntuninstallmtf197$\habhu.dll",,Run
mRun: [gchk] c:\windows\$ntuninstallmtf197$\upg.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1289916899686
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
Notify: TPSvc - TPSvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? gupdate;Google Update Service (gupdate)
R? is3srv;is3srv
R? McComponentHostService;McAfee Security Scan Component Host Service
R? MpFilter;Microsoft Malware Protection Driver
R? WinRM;Windows Remote Management (WS-Management)
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? szkg5;szkg5
S? szkgfs;szkgfs

=============== Created Last 30 ================

2010-12-16 14:41:46 -------- d-----w- c:\docume~1\admini~1.001\applic~1\Malwarebytes
2010-12-16 13:31:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-16 13:31:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-16 13:31:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-16 13:31:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-15 21:15:59 82434 ----a-w- c:\docume~1\alluse~1\applic~1\4hk181s7.exe_
2010-12-15 21:15:59 82434 ----a-w- c:\docume~1\alluse~1\applic~1\4hk181s7.exe
2010-12-05 12:10:17 -------- d-sh--w- c:\documents and settings\administrator.jimmy-0d5af8888.001\PrivacIE
2010-12-05 11:52:48 -------- d-sh--w- c:\documents and settings\administrator.jimmy-0d5af8888.001\IECompatCache
2010-12-05 11:52:47 -------- d-sh--w- c:\documents and settings\administrator.jimmy-0d5af8888.001\IETldCache
2010-11-27 11:33:43 -------- d-----w- c:\windows\system32\drivers\nss\0207030.022
2010-11-27 11:33:43 -------- d-----w- c:\windows\system32\drivers\NSS
2010-11-27 11:33:43 -------- d-----w- c:\program files\Norton Security Scan
2010-11-27 11:33:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Symantec
2010-11-27 11:33:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-11-27 11:33:40 -------- d-----w- c:\program files\NortonInstaller
2010-11-27 11:33:40 -------- d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-11-27 00:27:33 -------- d-----w- c:\windows\system32\Adobe
2010-11-21 14:12:32 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-21 14:12:32 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-20 05:05:12 -------- d-----w- c:\windows\system32\%APPDATA%
2010-11-19 17:11:47 -------- d-----w- c:\program files\common files\iS3
2010-11-19 17:11:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-11-19 09:13:29 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{ed36f8a0-5b64-46d7-a22e-c350421ea095}\mpengine.dll
2010-11-18 05:14:13 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2010-11-18 05:01:41 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-11-18 05:01:41 215920 ----a-w- c:\windows\system32\muweb.dll
2010-11-18 05:01:41 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-11-16 23:03:22 546256 ----a-r- c:\windows\system32\SZComp5.dll
2010-11-16 23:03:22 22992 ----a-r- c:\windows\system32\SZIO5.dll
2010-11-16 23:03:22 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2010-11-16 23:03:20 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2010-11-16 23:03:20 452048 ----a-r- c:\windows\system32\SZBase5.dll
2010-11-16 23:03:20 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2010-11-16 23:03:20 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2010-11-16 23:03:18 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2010-11-16 23:03:18 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2010-11-16 23:03:18 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2010-11-16 23:03:18 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2010-11-16 23:03:18 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2010-11-16 21:20:55 991232 ----a-w- c:\windows\system32\virtear.dll
2010-11-16 20:45:30 -------- d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2010-11-16 20:29:07 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2010-11-16 20:29:07 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2010-11-16 20:29:01 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2010-11-16 20:29:01 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-11-16 20:28:58 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2010-11-16 20:28:58 21504 ----a-w- c:\windows\system32\hidserv.dll
2010-11-16 20:28:47 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2010-11-16 20:28:47 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2010-11-16 18:20:00 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-11-16 18:16:22 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-11-16 18:04:08 -------- d-----w- c:\windows\system32\winrm
2010-11-16 18:04:02 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2010-11-16 16:43:05 -------- d-----w- c:\windows\system32\XPSViewer
2010-11-16 16:42:40 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-11-16 16:42:31 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-11-16 16:42:31 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-11-16 16:42:31 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-11-16 16:42:31 117760 ------w- c:\windows\system32\prntvpt.dll
2010-11-16 16:42:30 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-11-16 16:42:30 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-11-16 16:42:30 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-11-16 16:42:30 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-11-16 16:42:30 -------- d-----w- C:\73eb9c30e6ada7a139963724
2010-11-16 16:38:59 -------- d-----w- c:\windows\system32\GroupPolicy
2010-11-16 16:38:09 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-11-16 16:38:09 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-11-16 16:38:09 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-11-16 16:37:46 -------- d-----w- c:\program files\Windows Media Connect 2
2010-11-16 16:35:39 -------- d-----w- c:\program files\CONEXANT
2010-11-16 16:34:18 -------- d-----w- c:\windows\system32\URTTemp
2010-11-16 16:34:03 13312 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-11-16 16:08:42 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-11-16 16:08:42 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-11-16 16:06:49 99840 -c----w- c:\windows\system32\dllcache\srvsvc.dll
2010-11-16 16:06:45 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-11-16 16:06:42 1288192 -c----w- c:\windows\system32\dllcache\ole32.dll
2010-11-16 16:06:34 58880 -c----w- c:\windows\system32\dllcache\spoolsv.exe
2010-11-16 16:06:32 293376 -c----w- c:\windows\system32\dllcache\winsrv.dll
2010-11-16 16:06:30 406016 -c----w- c:\windows\system32\dllcache\usp10.dll
2010-11-16 16:05:35 75776 -c----w- c:\windows\system32\dllcache\strmfilt.dll
2010-11-16 16:05:35 25088 -c----w- c:\windows\system32\dllcache\httpapi.dll
2010-11-16 16:05:34 265728 -c----w- c:\windows\system32\dllcache\http.sys
2010-11-16 16:04:43 90112 -c----w- c:\windows\system32\dllcache\wshext.dll
2010-11-16 16:04:43 180224 -c----w- c:\windows\system32\dllcache\scrobj.dll
2010-11-16 16:04:43 172032 -c----w- c:\windows\system32\dllcache\scrrun.dll
2010-11-16 16:04:43 155648 -c----w- c:\windows\system32\dllcache\wscript.exe
2010-11-16 16:04:43 135168 -c----w- c:\windows\system32\dllcache\cscript.exe
2010-11-16 15:37:01 294912 ------w- c:\program files\windows media player\dlimport.exe
2010-11-16 15:36:58 294912 -c----w- c:\windows\system32\dllcache\dlimport.exe
2010-11-16 15:34:15 19569 ----a-w- c:\windows\002542_.tmp
2010-11-16 15:34:06 -------- d-----w- c:\windows\system32\ReinstallBackups
2010-11-16 15:31:23 -------- d-----w- c:\windows\EHome
2010-11-16 15:13:52 135168 ----a-w- c:\windows\system32\igfxres.dll

==================== Find3M ====================

2010-10-22 11:43:18 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-10-22 11:43:18 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD400BB-75JHC0 rev.06.01C06 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x822AD566]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x822b3624]; MOV EAX, [0x822b36a0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8230EAB8]
3 CLASSPNP[0xF85A7FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x823AD8A0]
\Driver\atapi[0x82379118] -> IRP_MJ_CREATE -> 0x822AD566
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD400BB-75JHC0______________________06.01C06#5&2713bb34&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x822AD3B2
user != kernel MBR !!!
sectors 78124998 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 10:04:21.21 ===============


GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-12-16 10:42:35
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD400BB-75JHC0 rev.06.01C06
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwlyikoc.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 78124744 (+255): rootkit-like behavior;

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 822B73B2
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 822B73B2
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 822B73B2
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 822B73B2

AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs F1AEADD9
AttachedDevice \FileSystem\Fastfat \Fat szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat F1AEADD9
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD400BB-75JHC0______________________06.01C06#5&2713bb34&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Threads - GMER 1.0.15 ----

Thread System [4:136] F1AFC730
Thread System [4:140] F1AF4D68
Thread System [4:164] F629BCCA

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [MANUAL] vbmaaa13 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

#3 sdt211


Posted 16 December 2010 - 12:39 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2010/12/16 12:36
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 4170736388
Image Path: \driver\4170736388
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: 4170736388
Image Path: \driver\4170736388
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB262E000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8AE7000 Size: 8192 File Visible: No Signed: -
Status: -

Name: pwlyikoc.sys
Image Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwlyikoc.sys
Address: 0xB1A6B000 Size: 94848 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB21B2000 Size: 49152 File Visible: No Signed: -
Status: -

Name: vbmaaa13.SYS
Image Path: C:\WINDOWS\System32\Drivers\vbmaaa13.SYS
Address: 0xF86A7000 Size: 40960 File Visible: No Signed: -
Status: -

Name: vbmaaa13.SYS
Image Path: C:\WINDOWS\System32\Drivers\vbmaaa13.SYS
Address: 0x81E15000 Size: 37760 File Visible: No Signed: -
Status: Hidden from Windows API!

SSDT
-------------------
#: 257 Function Name: NtTerminateProcess
Status: Hooked by "szkgfs.sys" at address 0xf854c496

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x81d59020]
Process: System Address: 0xf1afc730 Size: 162

Object: Hidden Code [ETHREAD: 0x82047da8]
Process: System Address: 0xf1af4d68 Size: 170

Object: Hidden Code [ETHREAD: 0x81cfb5b0]
Process: System Address: 0xf629bcca Size: 200

Object: Hidden Code [Driver: , IRP_MJ_CREATE]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_CLOSE]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_READ]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_WRITE]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_SET_INFORMATION]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_QUERY_EA]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_SET_EA]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_SHUTDOWN]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_CLEANUP]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_SET_SECURITY]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_POWER]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_SET_QUOTA]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: , IRP_MJ_PNP]
Process: System Address: 0x81e17109 Size: 3160

Object: Hidden Code [Driver: 4170736388, IRP_MJ_CREATE]
Process: System Address: 0xf1af31f2 Size: 545

Hidden Services
-------------------
Service Name: vbmaaa13
Image Path: C:\WINDOWS\system32\drivers\vbmaaa13.sys

==EOF==

#4 sdt211


Posted 16 December 2010 - 01:31 PM

2010/12/16 13:16:32.0453 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
2010/12/16 13:16:32.0453 ================================================================================
2010/12/16 13:16:32.0453 SystemInfo:
2010/12/16 13:16:32.0453
2010/12/16 13:16:32.0453 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/16 13:16:32.0453 Product type: Workstation
2010/12/16 13:16:32.0453 ComputerName: JIMMY-0D5AF8888
2010/12/16 13:16:32.0453 UserName: Owner
2010/12/16 13:16:32.0453 Windows directory: C:\WINDOWS
2010/12/16 13:16:32.0453 System windows directory: C:\WINDOWS
2010/12/16 13:16:32.0453 Processor architecture: Intel x86
2010/12/16 13:16:32.0453 Number of processors: 1
2010/12/16 13:16:32.0453 Page size: 0x1000
2010/12/16 13:16:32.0453 Boot type: Normal boot
2010/12/16 13:16:32.0453 ================================================================================
2010/12/16 13:16:32.0750 Initialize success
2010/12/16 13:16:47.0234 ================================================================================
2010/12/16 13:16:47.0234 Scan started
2010/12/16 13:16:47.0234 Mode: Manual;
2010/12/16 13:16:47.0234 ================================================================================
2010/12/16 13:16:47.0796 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/16 13:16:47.0890 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/16 13:16:48.0031 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/16 13:16:48.0156 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/16 13:16:48.0546 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/16 13:16:48.0578 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/16 13:16:48.0734 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/16 13:16:48.0812 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/16 13:16:48.0937 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/16 13:16:49.0015 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/16 13:16:49.0156 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/16 13:16:49.0234 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/16 13:16:49.0312 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/16 13:16:49.0578 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/16 13:16:49.0687 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/16 13:16:49.0843 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/16 13:16:49.0906 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/16 13:16:50.0015 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/16 13:16:50.0203 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/16 13:16:50.0281 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/12/16 13:16:50.0437 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/16 13:16:50.0531 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/12/16 13:16:50.0625 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/16 13:16:50.0703 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/12/16 13:16:50.0937 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/16 13:16:51.0140 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/16 13:16:51.0296 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/16 13:16:51.0437 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/16 13:16:51.0640 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/16 13:16:51.0937 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
2010/12/16 13:16:52.0250 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2010/12/16 13:16:52.0453 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/16 13:16:52.0765 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/16 13:16:53.0140 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/12/16 13:16:53.0468 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/16 13:16:53.0781 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/16 13:16:54.0000 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/16 13:16:54.0218 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/16 13:16:54.0343 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/16 13:16:54.0515 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/16 13:16:54.0765 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/16 13:16:54.0906 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/16 13:16:55.0031 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/16 13:16:55.0156 is3srv (8fe4ecc7877fcfe4e59414708898073d) C:\WINDOWS\system32\drivers\is3srv.sys
2010/12/16 13:16:55.0250 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/16 13:16:55.0500 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/16 13:16:55.0718 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/12/16 13:16:56.0062 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/16 13:16:56.0296 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/16 13:16:56.0671 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/12/16 13:16:56.0859 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/16 13:16:57.0093 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/16 13:16:57.0484 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/12/16 13:16:57.0781 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/16 13:16:58.0078 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/16 13:16:58.0421 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/16 13:16:58.0671 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2010/12/16 13:16:59.0265 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/16 13:16:59.0546 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/16 13:16:59.0859 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/16 13:16:59.0984 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/16 13:17:00.0109 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/16 13:17:00.0187 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/16 13:17:00.0281 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/16 13:17:00.0484 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/16 13:17:00.0734 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/16 13:17:00.0828 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/16 13:17:01.0031 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/16 13:17:01.0187 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/16 13:17:01.0421 NDProxy (a2a5acc93dda2627faf2d82722d4b6db) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/16 13:17:01.0421 Suspicious file (Forged): C:\WINDOWS\system32\drivers\NDProxy.sys. Real md5: a2a5acc93dda2627faf2d82722d4b6db, Fake md5: 6215023940cfd3702b46abc304e1d45a
2010/12/16 13:17:01.0421 NDProxy - detected Forged file (1)
2010/12/16 13:17:01.0609 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/16 13:17:01.0828 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/16 13:17:02.0062 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/16 13:17:02.0375 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/16 13:17:02.0687 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/16 13:17:02.0875 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/16 13:17:03.0140 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/16 13:17:03.0328 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/16 13:17:03.0578 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/16 13:17:03.0750 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/16 13:17:03.0968 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/16 13:17:04.0250 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2010/12/16 13:17:04.0500 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/16 13:17:05.0812 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/16 13:17:06.0312 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/16 13:17:06.0906 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/16 13:17:07.0968 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/16 13:17:08.0046 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/16 13:17:08.0140 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/16 13:17:08.0218 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/16 13:17:08.0343 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/16 13:17:08.0468 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/16 13:17:08.0609 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/16 13:17:08.0703 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/16 13:17:08.0906 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/16 13:17:09.0000 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
2010/12/16 13:17:09.0140 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/12/16 13:17:09.0203 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/12/16 13:17:09.0281 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/16 13:17:09.0468 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
2010/12/16 13:17:09.0625 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/16 13:17:09.0765 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/16 13:17:09.0859 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/16 13:17:10.0000 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/16 13:17:10.0093 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/16 13:17:10.0265 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/16 13:17:10.0390 szkg5 (8fe4ecc7877fcfe4e59414708898073d) C:\WINDOWS\system32\DRIVERS\szkg.sys
2010/12/16 13:17:10.0421 szkgfs (410a02a920fa9daeec56364e839597c1) C:\WINDOWS\system32\drivers\szkgfs.sys
2010/12/16 13:17:10.0515 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/16 13:17:10.0640 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/16 13:17:10.0703 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/16 13:17:10.0765 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/16 13:17:10.0890 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/16 13:17:11.0046 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/16 13:17:11.0203 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/16 13:17:11.0281 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/16 13:17:11.0390 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/16 13:17:11.0437 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/16 13:17:11.0453 Suspicious service (NoAccess): vbmaaa13
2010/12/16 13:17:11.0515 vbmaaa13 (744b1ec92e5f27a664d56ecdd607ea4b) C:\WINDOWS\system32\drivers\vbmaaa13.sys
2010/12/16 13:17:11.0515 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbmaaa13.sys. md5: 744b1ec92e5f27a664d56ecdd607ea4b
2010/12/16 13:17:11.0531 vbmaaa13 - detected Locked service (1)
2010/12/16 13:17:11.0656 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/12/16 13:17:11.0750 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/16 13:17:11.0859 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/16 13:17:11.0968 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/16 13:17:12.0125 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/12/16 13:17:12.0406 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/12/16 13:17:12.0484 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/12/16 13:17:12.0843 ================================================================================
2010/12/16 13:17:12.0843 Scan finished
2010/12/16 13:17:12.0843 ================================================================================
2010/12/16 13:17:12.0875 Detected object count: 2
2010/12/16 13:17:36.0609 NDProxy (a2a5acc93dda2627faf2d82722d4b6db) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/16 13:17:36.0609 Suspicious file (Forged): C:\WINDOWS\system32\drivers\NDProxy.sys. Real md5: a2a5acc93dda2627faf2d82722d4b6db, Fake md5: 6215023940cfd3702b46abc304e1d45a
2010/12/16 13:17:36.0640 C:\WINDOWS\system32\drivers\NDProxy.sys - copied to quarantine
2010/12/16 13:17:36.0640 Forged file(NDProxy) - User select action: Quarantine
2010/12/16 13:17:36.0781 vbmaaa13 (744b1ec92e5f27a664d56ecdd607ea4b) C:\WINDOWS\system32\drivers\vbmaaa13.sys
2010/12/16 13:17:36.0781 Suspicious file (NoAccess): C:\WINDOWS\system32\drivers\vbmaaa13.sys. md5: 744b1ec92e5f27a664d56ecdd607ea4b
2010/12/16 13:17:36.0796 C:\WINDOWS\system32\drivers\vbmaaa13.sys - copied to quarantine
2010/12/16 13:17:36.0796 Locked service(vbmaaa13) - User select action: Quarantine


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/12/16 13:24
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x82321350]
Process: System Address: 0xf886a730 Size: 162

Object: Hidden Code [ETHREAD: 0x82297c38]
Process: System Address: 0xf8872d68 Size: 170

Object: Hidden Code [ETHREAD: 0x8226a348]
Process: System Address: 0xf873ccca Size: 200

Object: Hidden Code [Driver: 4170752772, IRP_MJ_CREATE]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_CLOSE]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_READ]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_WRITE]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_SET_INFORMATION]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_QUERY_EA]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_SET_EA]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_SHUTDOWN]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_CLEANUP]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_SET_SECURITY]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_POWER]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_SET_QUOTA]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: 4170752772, IRP_MJ_PNP]
Process: System Address: 0xf8878dd9 Size: 255

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_CREATE]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_CLOSE]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_READ]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_WRITE]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_QUERY_EA]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_SET_EA]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_SHUTDOWN]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_CLEANUP]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_SET_SECURITY]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_POWER]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_SET_QUOTA]
Process: System Address: 0x81e6d109 Size: 1460

Object: Hidden Code [Driver: vbmaaa13Ѕఅ瑎獆, IRP_MJ_PNP]
Process: System Address: 0x81e6d109 Size: 1460

#5 B-boy/StyLe/

    Bleepin' Freestyler

  • Malware Response Team
  • 8,307 posts
  • Gender:Male
  • Location:Bulgaria
  • Local time:04:21 PM

Posted 27 December 2010 - 05:05 AM

Hello and welcome to Bleeping Computer :welcome:


Merry Christmas.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



If the system has been used after topic creation time we need to take a look at fresh logs. So, please post fresh copies of dds.txt & attach.txt logs.


Regards,
Georgi :hello:



#6 sdt211

  • Topic Starter
  • Members
  • 8 posts
  • Local time:08:21 AM

Posted 29 December 2010 - 01:03 PM

Georgi,

Sorry it took me so long to reply. I ended up wiping the OS out and starting over even though that feels like defeat. The guy who owns the computer was one of those kinds of people who have to stand over your shoulder to see everything that is going on, so just to get this done I reinstalled Windows and called it quits. Oh well, I got a free lunch out of it.

Thanks for your time
Scott

#7 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:09:21 AM

Posted 29 December 2010 - 03:21 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you are the topic starter, and need this topic reopened, please contact me via PM with the address of this thread.

Everyone else please begin a new topic.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators