Thread: New Log

  1. #1
    Senior Member TwistedMike's Avatar
    Join Date
    Apr 2008
    Location
    Canada
    Posts
    129

    Default New Log

    Using a new app, McAfee Rootkit Detective v1.1. Any help would be much appreciated.
    Code:
    McAfee(R) Rootkit Detective 1.1 scan report
    On 05-03-2009 at 14:58:23
    OS-Version 5.1.2600
    Service Pack 3.0
    ====================================
    
    Object-Type: SSDT-hook
    Object-Name: ZwAdjustPrivilegesToken
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwClose
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwConnectPort
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwCreateFile
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwCreateKey
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwCreateSymbolicLinkObject
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwCreateThread
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwDeleteKey
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwDeleteValueKey
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwDeviceIoControlFile
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwDuplicateObject
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwEnumerateKey
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwEnumerateValueKey
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwFsControlFile
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwLoadDriver
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwOpenFile
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwOpenKey
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwOpenProcess
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwOpenSection
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwOpenThread
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwQueryKey
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwQueryMultipleValueKey
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwQueryValueKey
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwQueueApcThread
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwReplaceKey
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwRequestWaitReplyPort
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwRestoreKey
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwResumeThread
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwSaveKey
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwSecureConnectPort
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwSetContextThread
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwSetSecurityObject
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwSetSystemInformation
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwSetValueKey
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwSuspendProcess
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwSuspendThread
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwSystemDebugControl
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwTerminateProcess
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: SSDT-hook
    Object-Name: ZwWriteVirtualMemory
    Object-Path: C:\WINDOWS\system32\drivers\klif.sys
    
    Object-Type: IRP-hook
    Object-Name: \Driver\Ftdisk->IRP_MJ_SYSTEM_CONTROL
    Object-Path: 
    
    Object-Type: IRP-hook
    Object-Name: \Driver\Ftdisk->IRP_MJ_POWER
    Object-Path: 
    
    Object-Type: IRP-hook
    Object-Name: \Driver\Ftdisk->IRP_MJ_CLEANUP
    Object-Path: 
    
    Object-Type: IRP-hook
    Object-Name: \Driver\Ftdisk->IRP_MJ_SHUTDOWN
    Object-Path: 
    
    Object-Type: IRP-hook
    Object-Name: \Driver\Ftdisk->IRP_MJ_INTERNAL_DEVICE_CONTROL
    Object-Path: 
    
    Object-Type: IRP-hook
    Object-Name: \Driver\Ftdisk->IRP_MJ_DEVICE_CONTROL
    Object-Path: 
    
    Object-Type: IRP-hook
    Object-Name: \Driver\Ftdisk->IRP_MJ_FLUSH_BUFFERS
    Object-Path: 
    
    Object-Type: IRP-hook
    Object-Name: \Driver\Ftdisk->IRP_MJ_WRITE
    Object-Path: 
    
    Object-Type: IRP-hook
    Object-Name: \Driver\Ftdisk->IRP_MJ_READ
    Object-Path: 
    
    Object-Type: IRP-hook
    Object-Name: \Driver\Ftdisk->IRP_MJ_CREATE
    Object-Path: 
    
    Object-Type: Registry-value
    Object-Name: (Default)
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
    Status: Unable to access registry key
    
    Object-Type: Registry-key
    Object-Name: 19659239224E364682FA4BAF72C53EA4td\Cfg
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: (Default)
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Status: Unable to access registry key
    
    Object-Type: Registry-key
    Object-Name: 00000001ontrolSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: (Default)
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Status: Unable to access registry key
    
    Object-Type: Registry-key
    Object-Name: 0Jf40M\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: (Default)
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Status: Unable to access registry key
    
    Object-Type: Registry-value
    Object-Name: khjeh
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: a0
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: khjeh
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: p0
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: h0
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: khjeh
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: s1
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: s2
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: g0
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: h0
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
    Status: Hidden
    
    Object-Type: Registry-key
    Object-Name: 19659239224E364682FA4BAF72C53EA4td\Cfg
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Status: Hidden
    
    Object-Type: Registry-key
    Object-Name: 00000001ontrolSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Status: Hidden
    
    Object-Type: Registry-key
    Object-Name: 0Jf40M\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: (Default)
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
    Status: Unable to access registry key
    
    Object-Type: Registry-key
    Object-Name: 19659239224E364682FA4BAF72C53EA4td\Cfg
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: (Default)
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Status: Unable to access registry key
    
    Object-Type: Registry-key
    Object-Name: 00000001ontrolSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: (Default)
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Status: Unable to access registry key
    
    Object-Type: Registry-key
    Object-Name: 0Jf40M\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: (Default)
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Status: Unable to access registry key
    
    Object-Type: Registry-value
    Object-Name: khjeh
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: a0
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: khjeh
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: p0
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: h0
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: khjeh
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: s1
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: s2
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: g0
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: h0
    Object-Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg
    Status: Hidden
    
    Object-Type: Registry-key
    Object-Name: DataEM\ControlSet001\Services\sptd\Cfg
    Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data
    Status: Hidden
    
    Object-Type: Registry-key
    Object-Name: a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771 System Provider\*Local Machine*\Data
    Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
    Status: Hidden
    
    Object-Type: Registry-key
    Object-Name: 00000000-0000-0000-0000-000000000000 System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
    Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
    Status: Hidden
    
    Object-Type: Registry-key
    Object-Name: {6340E680-FF06-435f-8767-B79D88AEBD4D}ystem Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
    Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: Item Data
    Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000\{6340E680-FF06-435f-8767-B79D88AEBD4D}
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: Display String
    Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\00000000-0000-0000-0000-000000000000
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: Display String
    Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
    Status: Hidden
    
    Object-Type: Registry-key
    Object-Name: Data 2RE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771
    Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
    Status: Hidden
    
    Object-Type: Registry-key
    Object-Name: WindowsE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2
    Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows
    Status: Hidden
    
    Object-Type: Registry-value
    Object-Name: Value
    Object-Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\Windows
    Status: Hidden
    This app can also help with your rootkit signatures.
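The report above is a flat list of Object-Type / Object-Name / Object-Path (/ Status) records, which is tedious to read raw but easy to triage once grouped. The script below is an added example written for this thread, not code from the poster or from McAfee: it parses a report in that layout, groups SSDT and IRP hooks by the module the scanner attributes them to, and counts hidden registry keys and values per service under `...\Services\`. The embedded `SAMPLE_REPORT` is a constructed, cut-down excerpt in the same layout as the posted log, not the full log. Two details of the posted output drive the design: the IRP hooks on `\Driver\Ftdisk` carry an empty Object-Path, so they are reported under a separate "no path" bucket rather than silently dropped, and the Object-Name of the Registry-key records is visibly overrun with trailing path fragments (e.g. `...EA4td\Cfg`), so key names are taken from Object-Path instead. Grouping this way makes the shape of the posted log obvious: every SSDT hook resolves to a single driver path (`klif.sys`, the Kaspersky Lab filter driver) and every hidden registry item sits under the `sptd` service key (the SCSI pass-through driver installed by disc-emulation software such as DAEMON Tools). Both are known to produce exactly these findings in rootkit scanners, so the first check is whether that software is actually installed; the report alone does not give a verdict either way.

```python
"""Parse a McAfee Rootkit Detective 1.1 report and group its findings for triage."""
import re
from collections import defaultdict

# Constructed excerpt in the same layout as the report posted above; it is a
# cut-down sample for demonstration, not the poster's full log.
SAMPLE_REPORT = """McAfee(R) Rootkit Detective 1.1 scan report
On 05-03-2009 at 14:58:23
OS-Version 5.1.2600
Service Pack 3.0
====================================

Object-Type: SSDT-hook
Object-Name: ZwCreateFile
Object-Path: C:\\WINDOWS\\system32\\drivers\\klif.sys

Object-Type: SSDT-hook
Object-Name: ZwOpenProcess
Object-Path: C:\\WINDOWS\\system32\\drivers\\klif.sys

Object-Type: IRP-hook
Object-Name: \\Driver\\Ftdisk->IRP_MJ_WRITE
Object-Path:

Object-Type: Registry-value
Object-Name: (Default)
Object-Path: HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\sptd\\Cfg
Status: Unable to access registry key

Object-Type: Registry-key
Object-Name: 19659239224E364682FA4BAF72C53EA4td\\Cfg
Object-Path: HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\sptd\\Cfg\\19659239224E364682FA4BAF72C53EA4
Status: Hidden

Object-Type: Registry-value
Object-Name: khjeh
Object-Path: HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\sptd\\Cfg\\19659239224E364682FA4BAF72C53EA4
Status: Hidden
"""

FIELD_RE = re.compile(r"^(Object-Type|Object-Name|Object-Path|Status):\s*(.*)$")
SEPARATOR = "===="
UNRESOLVED = "<no path reported>"
SERVICE_RE = re.compile(r"\\Services\\([^\\]+)", re.IGNORECASE)


def parse_report(text):
    """Return the report as a list of {field: value} dicts, one per record.

    Records begin after the '====' separator and are separated by blank
    lines; the header ('On ... at 14:58:23') is skipped, so its colons are
    never mistaken for a field.  An empty 'Object-Path:' yields ''.
    """
    records, current, in_body = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_body:
            in_body = line.startswith(SEPARATOR)
            continue
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def hooks_by_owner(records):
    """Group SSDT and IRP hooks by the module the scanner attributes them to.

    Hooks with an empty Object-Path (the \\Driver\\Ftdisk IRP hooks in the
    posted log) land under UNRESOLVED: they cannot be attributed from the
    report and need a look at the live driver stack before any verdict.
    """
    owners = defaultdict(list)
    for rec in records:
        if rec.get("Object-Type") in ("SSDT-hook", "IRP-hook"):
            owner = rec.get("Object-Path") or UNRESOLVED
            owners[owner].append(rec.get("Object-Name", ""))
    return {owner: sorted(names) for owner, names in owners.items()}


def hidden_registry_by_service(records):
    """Count registry keys/values with Status 'Hidden' per ...\\Services\\<name>.

    Only Object-Path is trusted: in this tool's output the Object-Name of
    Registry-key records is overrun with trailing path fragments.
    """
    counts = defaultdict(int)
    for rec in records:
        if rec.get("Object-Type", "").startswith("Registry") and rec.get("Status") == "Hidden":
            m = SERVICE_RE.search(rec.get("Object-Path", ""))
            counts[m.group(1) if m else "<outside Services>"] += 1
    return dict(counts)


def key_name_from_path(record):
    """Recover the real key name (last path component) from Object-Path."""
    return record.get("Object-Path", "").rstrip("\\").rsplit("\\", 1)[-1]


def triage(text):
    """One-shot summary: record count, hooks per owner, hidden items per service."""
    records = parse_report(text)
    return {
        "records": len(records),
        "hooks": hooks_by_owner(records),
        "hidden_registry": hidden_registry_by_service(records),
    }


if __name__ == "__main__":
    for section, value in triage(SAMPLE_REPORT).items():
        print(section, value)
```

To run it against a real report, read the saved scan file into `text` and call `triage(text)`; the full posted log collapses to one SSDT owner, one unresolved IRP bucket, and one service (`sptd`) holding every hidden key, which is the list to check against installed software.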

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,956

    Default

    Hello TwistedMike,

    This is the malware removal forum and the procedure is here:
    "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance)

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
