
sptd.sys, spim.sys, spta.sys etc.



#1 Montar

Posted 25 December 2010 - 05:19 PM

As the title reports, I've found some hooked functions with RootRepeal.
The name changes every time. Could it be AVG (working during the scan??)?
Every scan is negative with MBAM or AVG.
Should I post a log to the log forum??
Please tell me if I am infected. I suppose yes.
Thanks

#2 chromebuster

Posted 25 December 2010 - 07:15 PM

Don't go there yet. The first thing you should do is to download Malwarebytes Anti-Malware from www.malwarebytes.org and then, after installing the application, make sure that the following are checked: launch Malwarebytes Anti-Malware and update Malwarebytes Anti-Malware. Then click Finish on the last screen. The program will update itself to the latest version, and then it will open up for you. Run a full scan. If you are asked which drives to scan, leave all the drives selected. Do not use the computer while the scan is running. After the scan is finished, a log will open up in Notepad. Paste the results of the log in your next reply so that the members here can review it. If for some reason the log does not automatically open, it can be viewed by clicking on the Logs tab in MBAM. Hope this helps,

Chromebuster

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#3 Montar (Topic Starter)

Posted 26 December 2010 - 08:17 AM

First of all, thanks for the quick reply.
Here's the MBAM log after I've quarantined the 3 entries found:


---------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Versione database: 5396

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

26/12/2010 14.01.44
mbam-log-2010-12-26 (14-01-44).txt

Tipo di scansione: Scansione completa (C:\|)
Elementi esaminati: 261915
Tempo trascorso: 1 ore, 39 minuti, 55 secondi

Processi infetti in memoria: 0
Moduli di memoria infetti: 0
Chiavi di registro infette: 0
Valori di registro infetti: 0
Voci infette nei dati di registro: 1
Cartelle infette: 0
File infetti: 2

Processi infetti in memoria:
(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:
(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:
(Non sono stati rilevati elementi nocivi)

Valori di registro infetti:
(Non sono stati rilevati elementi nocivi)

Voci infette nei dati di registro:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Cartelle infette:
(Non sono stati rilevati elementi nocivi)

File infetti:
c:\RECYCLER\s-1-5-21-1409082233-1425521274-839522115-1003\Dc126.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
c:\system volume information\_restore{066248bf-e35f-4cf9-8feb-3cf7bfb06a6e}\RP5\A0000110.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.

#4 Montar (Topic Starter)

Posted 26 December 2010 - 08:54 AM

Something more from SysProt (might it be useful??):


SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: xwqvvt.sys
Service Name: ---
Module Base: F7616000
Module End: F7624000
Hidden: Yes

Module Name: spuw.sys
Service Name: ---
Module Base: F7502000
Module End: F75F5000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: A9E08000
Module End: A9EDE000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: F75030E0
Driver Base: F7502000
Driver End: F75F5000
Driver Name: spuw.sys

Function Name: ZwEnumerateKey
Address: F751BDA4
Driver Base: F7502000
Driver End: F75F5000
Driver Name: spuw.sys

Function Name: ZwEnumerateValueKey
Address: F751C132
Driver Base: F7502000
Driver End: F75F5000
Driver Name: spuw.sys

Function Name: ZwOpenKey
Address: F75030C0
Driver Base: F7502000
Driver End: F75F5000
Driver Name: spuw.sys

Function Name: ZwOpenProcess
Address: A95586C0
Driver Base: A9556000
Driver End: A9560000
Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

Function Name: ZwQueryKey
Address: F751C20A
Driver Base: F7502000
Driver End: F75F5000
Driver Name: spuw.sys

Function Name: ZwQueryValueKey
Address: F751C08A
Driver Base: F7502000
Driver End: F75F5000
Driver Name: spuw.sys

Function Name: ZwSetValueKey
Address: F751C29C
Driver Base: F7502000
Driver End: F75F5000
Driver Name: spuw.sys

Function Name: ZwTerminateProcess
Address: A9558770
Driver Base: A9556000
Driver End: A9560000
Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

Function Name: ZwTerminateThread
Address: A9558810
Driver Base: A9556000
Driver End: A9560000
Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

Function Name: ZwWriteVirtualMemory
Address: A95588B0
Driver Base: A9556000
Driver End: A9560000
Driver Name: \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
IRP Hooks:
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CLOSE
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_READ
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_WRITE
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_EA
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CLEANUP
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_POWER
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: F7503000
Hooking Module: spuw.sys

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 86B661F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 86B661F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_READ
Jump To: 86B661F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 86B661F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 86B661F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 86B661F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 86B661F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 86B661F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 86B661F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 86B661F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8603F1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8603F1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8603F1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8603F1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8603F1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8603F1F8
Hooking Module: _unknown_

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_CREATE
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_CLOSE
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_READ
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_WRITE
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_SET_EA
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_CLEANUP
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_POWER
Jump To: F750AE30
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: F7519518
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: \Driver\PCI_PNP6494
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: F7540ABC
Hooking Module: spuw.sys

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 86BD61F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_READ
Jump To: 86BD61F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 86BD61F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 86BD61F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 86BD61F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 86BD61F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 86BD61F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 86BD61F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 86BD61F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 86BD61F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 85D63500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 85D63500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 85D63500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 85D63500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 85D63500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 85EEC1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 85EEC1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_READ
Jump To: 85EEC1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 85EEC1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 85EEC1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 85EEC1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 85EEC1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 85EEC1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 85EEC1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 85EEC1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 860161F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 860161F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 860161F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 860161F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 860161F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 860161F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\VClone.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 86BD51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\VClone.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 86BD51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\VClone.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 86BD51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\VClone.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 86BD51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\VClone.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 86BD51F8
Hooking Module: _unknown_

******************************************************************************************
******************************************************************************************
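One way to triage a report like the one above, as an added example (not code from the thread or from SysProt): parse the report's sections into key/value records, then resolve every hook's address against the ranges of the modules the scanner flagged as hidden. On the values posted above, the spuw.sys hooks on \Driver\sptd resolve into a hidden module with no service name, while the "_unknown_" hooks on dmio.sys jump to addresses outside every listed module and remain unattributed for manual review. The excerpt embedded in the code is a constructed sample in the same layout, using values copied from the log above.

```python
"""Triage a SysProt AntiRootkit text report: group hooks by the module that installs them
and resolve hook addresses against the scanner's hidden-module list. Added example, not SysProt code."""
from collections import defaultdict
# Constructed excerpt in the report layout seen in the thread (values copied from it).
SAMPLE = "\n".join([
    "SysProt AntiRootkit v1.0.1.0", "by swatkat", "*" * 20, "Kernel Modules:",
    "Module Name: spuw.sys", "Service Name: ---",
    "Module Base: F7502000", "Module End: F75F5000", "Hidden: Yes", "",
    "*" * 20, "SSDT:",
    "Function Name: ZwCreateKey", "Address: F75030E0", "Driver Base: F7502000",
    "Driver End: F75F5000", "Driver Name: spuw.sys", "",
    "Function Name: ZwOpenProcess", "Address: A95586C0", "Driver Base: A9556000",
    "Driver End: A9560000", "Driver Name: \\SystemRoot\\system32\\DRIVERS\\AVGIDSShim.Sys", "",
    "*" * 20, "No Kernel Hooks found", "*" * 20, "IRP Hooks:",
    "Hooked Module: \\Driver\\sptd", "Hooked IRP: IRP_MJ_CREATE",
    "Jump To: F7503000", "Hooking Module: spuw.sys", "",
    "Hooked Module: C:\\WINDOWS\\system32\\drivers\\dmio.sys", "Hooked IRP: IRP_MJ_CREATE",
    "Jump To: 86B661F8", "Hooking Module: _unknown_", "",
])
SECTIONS = {"Kernel Modules:": "modules", "SSDT:": "ssdt", "IRP Hooks:": "irp"}

def parse_sysprot(text):
    """Split the report into sections of 'Key: value' records; a blank or '****' line ends a record."""
    report = {name: [] for name in SECTIONS.values()}
    current, record = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            current, record = SECTIONS[line], {}
        elif not line or line.startswith("*"):
            if record and current:
                report[current].append(record)
            record = {}
        elif ":" in line and current:
            key, value = line.split(":", 1)  # first colon only: values hold paths such as C:\WINDOWS\...
            record[key.strip()] = value.strip()
    if record and current:
        report[current].append(record)
    return report

def hidden_ranges(report):
    """Module name -> (base, end) for every kernel module the scanner reports as hidden."""
    return {m["Module Name"]: (int(m["Module Base"], 16), int(m["Module End"], 16))
            for m in report["modules"] if m.get("Hidden") == "Yes"}

def owner_of(addr, ranges):
    return next((n for n, (b, e) in ranges.items() if b <= addr < e), None)

def triage(report):
    """Who hooks what. An IRP hook whose jump target lies in no listed module stays unattributed."""
    hidden = hidden_ranges(report)
    ssdt, irp, unattributed = defaultdict(list), defaultdict(set), []
    for h in report["ssdt"]:
        ssdt[h["Driver Name"]].append(h["Function Name"])
    for h in report["irp"]:
        who = owner_of(int(h["Jump To"], 16), hidden) or h["Hooking Module"]
        if who == "_unknown_":
            unattributed.append(h)
        else:
            irp[who].add(h["Hooked Module"])
    findings = [f"SSDT: {d} ({'hidden' if d in hidden else 'visible'}) hooks {', '.join(sorted(f))}" for d, f in ssdt.items()]
    findings += [f"IRP: {m} hooks {', '.join(sorted(t))}" for m, t in irp.items()]
    findings += [f"IRP: {h['Hooked IRP']} on {h['Hooked Module']} -> {h['Jump To']}: no listed module" for h in unattributed]
    return {"hidden": sorted(hidden), "ssdt": dict(ssdt), "irp": {m: sorted(t) for m, t in irp.items()},
            "unattributed_irp": unattributed, "findings": findings}

if __name__ == "__main__":
    print("\n".join(triage(parse_sysprot(SAMPLE))["findings"]))
```

Feed the full report text from the post above to parse_sysprot() instead of SAMPLE to get the same summary for every hooked driver listed there.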

#5 Orange Blossom (OBleepin Investigator, Moderator)

Posted 30 December 2010 - 07:23 PM

Hello,

I have deleted your duplicate topic in the log forum. I cannot read the sys. log, but there is nothing that you have stated yet that actually indicates the presence of malware.

Many things create hooks in windows, so the presence of hooks in and of themselves do not suggest malware.

Are you experiencing any issues with your computer? Redirections, slowdowns, inability to update, pop-ups, other issues?

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#6 Montar (Topic Starter)

Posted 31 December 2010 - 05:35 AM

Nothing strange, but that *.sys changing name worried me.
So if you say I'm OK, that's all.
A big, big thank you for your time.
Davide

#7 Orange Blossom (OBleepin Investigator, Moderator)

Posted 31 December 2010 - 09:19 AM

Hello,

I cannot make that determination.

Please follow the instructions in ==>This Guide<==. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#8 Montar (Topic Starter)

Posted 03 January 2011 - 02:40 PM

Orange Blossom :cherry:


OK, I'll do it ASAP;
done!!

The Defogger step was definitive: the hooks are associated with CD emulation software even with no fake CD active!
Thanks. Please close the thread.

Edited by Montar, 03 January 2011 - 03:00 PM.


#9 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 04 January 2011 - 10:37 AM

[quote]please close the thread[/quote]
We do not do that until you start your new topic in the proper forum. I just checked and there is nothing listed except four previously closed topics. It appears you keep reinfecting your computer.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators