nekote Posted January 27, 2010 ID:190323 Share Posted January 27, 2010 I hope I've got the right forum, this time!<Genuine apologies dumb faux pas!>My neighbor's computer, again.Third time. MBAM hidden and cannot run.The AVG Anti-Virus and ZoneAlarm (free versions) don't seem to be doing the job.What will?Norton 360?I have run the GMER scan, with the standard default options.Doesn't look like it picked up anything, except ZoneAlarm.Ran RootRepealer also.Didn't spot any villain, there, either. What's next? ComboFix? OLT? ...TYIAGMER 1.0.15.15281 - http://www.gmer.netRootkit scan 2010-01-27 12:36:22Windows 5.1.2600 Service Pack 3Running: 4bobgt7w.exe; Driver: C:\DOCUME~1\JOHNAD~1\LOCALS~1\Temp\kwliapoc.sys---- System - GMER 1.0.15 ----SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xEDCE2FC0]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xEDCDFC80]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xEDCFA170]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xEDCE3580]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xEDCF7900]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xEDCF7B10]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xEDCFBB10]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xEDCE3670]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xEDCE0210]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xEDCFA9F0]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xEDCFA7A0]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xEDCF7280]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xEDCFAF10]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xEDCFAF90]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xEDCE0070]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xEDCF9180]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xEDCF8F40]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xEDCFB6F0]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xEDCFB150]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xEDCE2BE0]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xEDCFB540]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xEDCE3190]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xEDCE0440]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xEDCFA4E0]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xEDCF8200]SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xEDCF8080]Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwClose [0xECFC4B4C]Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwCreateSection [0xECFC4DB7]Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwSetInformationFile [0xECFC4235]Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) ZwWriteFile [0xECFC3E81]Code \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) IoCreateFileCode \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtCloseCode \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtCreateSectionCode \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtSetInformationFileCode \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.) NtWriteFile---- Kernel code sections - GMER 1.0.15 ----.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [80, 35, CE, ED, 00, 79, CF, ...] {XOR BYTE [0x7900edce], 0xcf; IN EAX, DX; ADC [EBX-0x31], BH; IN EAX, DX}PAGE ntoskrnl.exe!NtCreateSection 805652B3 7 Bytes JMP ECFC4DBB \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)PAGE ntoskrnl.exe!NtClose 80567A6D 5 Bytes JMP ECFC4B50 \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)PAGE ntoskrnl.exe!IoCreateFile 8056F4AB 5 Bytes JMP ECFC39AA \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)PAGE ntoskrnl.exe!NtSetInformationFile 80576CA4 5 Bytes JMP ECFC4239 \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)PAGE ntoskrnl.exe!NtWriteFile 80576F4D 7 Bytes JMP ECFC3E85 \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)? srescan.sys The system cannot find the file specified. !PAGE Fastfat.SYS ECF6A9C8 7 Bytes JMP ECFC539E \SystemRoot\system32\DRIVERS\css-dvp.sys (Dynamic Virus Protection/Command Software Systems, Inc.)---- Kernel IAT/EAT - GMER 1.0.15 ----IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [EDCE7B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [EDCE7930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [EDCE8260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [EDCE5E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [EDCE5E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [EDCE7B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [EDCE7930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [EDCE8260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [EDCE7B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [EDCE5E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [EDCE8260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [EDCE7930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [EDCE8260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [EDCE7930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [EDCE7B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [EDD00B30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [EDCE5E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [EDCE7B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [EDCE7930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [EDCE8260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [EDCE7B20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [EDCE5E90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [EDCE8260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [EDCE7930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [EDCE08D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [EDCE0A80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [EDCE05E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [EDCE0980] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)---- Devices - GMER 1.0.15 ----Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)---- Files - GMER 1.0.15 ----File C:\WINDOWS\temp\0475ab9d-7a77-41a1-abf1-a3ef56f0a626.tmp 0 bytes---- EOF - GMER 1.0.15 -------------------------------------------------------------------------------------------------------------------------------ROOTREPEAL © AD, 2007-2009==================================================Scan Start Time: 2010/01/27 15:44Program Version: Version 1.3.5.0Windows Version: Windows XP SP3==================================================Hidden/Locked Files-------------------Path: C:\hiberfil.sysStatus: Locked to the Windows API!Path: C:\WINDOWS\Minidump\MinidumpStatus: Locked to the Windows API!Path: C:\WINDOWS\MUI\MUIStatus: Locked to the Windows API!Path: C:\WINDOWS\PIF\PIFStatus: Locked to the Windows API!Path: C:\WINDOWS\Config\ConfigStatus: Locked to the Windows API!Path: C:\WINDOWS\Connection Wizard\Connection WizardStatus: Locked to the Windows API!Path: C:\WINDOWS\SECURITY\LOGS\LOGSStatus: Locked to the Windows API!Path: C:\WINDOWS\MSAPPS\MSINFO\MSINFOStatus: Locked to the Windows API!Path: C:\WINDOWS\IME\IMEJP98\IMEJP98Status: Locked to the Windows API!Path: C:\WINDOWS\Java\TrustLib\TrustLibStatus: Locked to the Windows API!Path: C:\WINDOWS\WinSxS\InstallTemp\InstallTempStatus: Locked to the Windows API!Path: C:\WINDOWS\Registration\CRMLog\CRMLogStatus: Locked to the Windows API!Path: C:\WINDOWS\Debug\UserMode\UserModeStatus: Locked to the Windows API!Path: C:\WINDOWS\$hf_mig$\KB932168\KB932168Status: Locked to the Windows API!Path: C:\WINDOWS\$hf_mig$\KB933729\KB933729Status: Locked to the Windows API!Path: C:\WINDOWS\$hf_mig$\KB943460\KB943460Status: Locked to the Windows API!Path: C:\WINDOWS\assembly\tmp\tmpStatus: Locked to the Windows API!Path: C:\WINDOWS\Cache\Adobe Reader 6.0\Adobe Reader 6.0Status: Locked to the Windows API!Path: c:\documents and settings\johnadmin\local settings\temp\~df247d.tmpStatus: Allocation size mismatch (API: 16384, Raw: 0)Path: c:\documents and settings\johnadmin\local settings\temp\~df36ed.tmpStatus: Allocation size mismatch (API: 16384, Raw: 0)Path: C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\DownloadedStatus: Locked to the Windows API!Path: C:\WINDOWS\REPAIR\Backup\ServiceState\ServiceStateStatus: Locked to the Windows API!Path: C:\WINDOWS\IME\CHSIME\APPLETS\APPLETSStatus: Locked to the Windows API!Path: C:\WINDOWS\IME\CHTIME\Applets\AppletsStatus: Locked to the Windows API!Path: C:\WINDOWS\IME\IMEJP\APPLETS\APPLETSStatus: Locked to the Windows API!Path: C:\WINDOWS\IME\IMJP8_1\APPLETS\APPLETSStatus: Locked to the Windows API!Path: C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETSStatus: Locked to the Windows API!Path: C:\WINDOWS\IME\IMKR6_1\DICTS\DICTSStatus: Locked to the Windows API!Path: C:\WINDOWS\IME\SHARED\RES\RESStatus: Locked to the Windows API!Path: C:\WINDOWS\PCHealth\ERRORREP\QHEADLES\QHEADLESStatus: Locked to the Windows API!Path: C:\WINDOWS\PCHealth\ERRORREP\QSIGNOFF\QSIGNOFFStatus: Locked to the Windows API!Path: C:\WINDOWS\PCHealth\HelpCtr\BATCH\BATCHStatus: Locked to the Windows API!Path: C:\WINDOWS\PCHealth\HelpCtr\HelpFiles\HelpFilesStatus: Locked to the Windows API!Path: C:\WINDOWS\PCHealth\HelpCtr\InstalledSKUs\InstalledSKUsStatus: Locked to the Windows API!Path: C:\WINDOWS\PCHealth\HelpCtr\Temp\TempStatus: Locked to the Windows API!Path: C:\WINDOWS\Sun\Java\Deployment\DeploymentStatus: Locked to the Windows API!Path: C:\Documents and Settings\All Users\Application Data\avg9\Log\avgrs.logStatus: Locked to the Windows API!Path: C:\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backupStatus: Locked to the Windows API!Path: C:\WINDOWS\SoftwareDistribution\Download\467d56591ed085161e5bb3d2f520fada\update\updateStatus: Locked to the Windows API!Path: C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backupStatus: Locked to the Windows API!Path: C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backupStatus: Locked to the Windows API!Path: C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backupStatus: Locked to the Windows API!Path: C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backupStatus: Locked to the Windows API!Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET FilesStatus: Locked to the Windows API!Path: C:\WINDOWS\PCHealth\HelpCtr\System\DFS\DFSStatus: Locked to the Windows API!Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP13D.tmp\ZAP13D.tmpStatus: Locked to the Windows API!Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1B2.tmp\ZAP1B2.tmpStatus: Locked to the Windows API!Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2C6.tmp\ZAP2C6.tmpStatus: Locked to the Windows API!Path: C:\Documents and Settings\Pedro\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst:Mozy.RDADS.TMPStatus: Visible to the Windows API, but not on disk.Path: C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\CbzStatus: Locked to the Windows API!Path: C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\LibStatus: Locked to the Windows API!Path: C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\WaveStatus: Locked to the Windows API!Path: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind LogsStatus: Locked to the Windows API!Path: C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729Status: Locked to the Windows API!Path: C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0Status: Locked to the Windows API!Path: C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729Status: Locked to the Windows API! Link to post Share on other sites More sharing options...
nekote Posted January 27, 2010 Author ID:190427 Share Posted January 27, 2010 I can't edit the previous post, but I do need to add a detail.Somewhere in this process, I used Process Explorer to spot and kill a process from a "company" with 2 groups of non-sensical letters. ZoneAlarm also had a request from the same application, to connect to the Internet, which was denied.I'm a bit (over?) anxious / eager to try to get this fixed, so I went ahead and burned a reatogo / OLT disk, booted it up and ran the scan.In addition to getting this fixed, I would greatly like to find Anti-Virus software, so this bad thing won't come back, probably further improved, for a fourth round. Notron 360 has been mentioned a "good". Any comment or suggestions?Some suspicious characters, here (possibly from reatogo / OTL?):[2099/01/01 12:00:00 | 00,061,952 | -HS- | M] () -- C:\WINDOWS\System32\lekefoji.dll[2099/01/01 12:00:00 | 00,055,296 | -HS- | M] () -- C:\WINDOWS\System32\zehekilo.dll[2099/01/01 12:00:00 | 00,055,296 | -HS- | M] () -- C:\WINDOWS\System32\woyobizi.dll[2099/01/01 12:00:00 | 00,055,296 | -HS- | M] () -- C:\WINDOWS\System32\guhegesi.dll[2099/01/01 12:00:00 | 00,049,152 | -HS- | M] () -- C:\WINDOWS\System32\sayiwido.dll[2026/02/17 08:19:10 | 00,003,120 | ---- | M] () -- C:\WINDOWS\System32\ALLFSAF6a.ocxThanks, again, for the time and the assistance!Best Regards.OTL.txtExtras.txt Link to post Share on other sites More sharing options...
nekote Posted January 29, 2010 Author ID:191184 Share Posted January 29, 2010 I tried renaming those suspicious looking files to .badDidn't make any difference.Upon investigating further, I discovered it was smss.exeThat virus is pretty easy to kill.I'm all set.You can close the thread, if that is something done. Link to post Share on other sites More sharing options...
Recommended Posts