Antivirus software blocked! - Kaspersky Lab Forum

IPB

Kaspersky Lab Technical Support

Kaspersky Lab's Fan Club

Welcome Guest ( Log In | Register )

Kaspersky Lab Forum > English User Forum > Virus-related issues

4 Pages

< 1 2 3 4 >

Reply to this topic

Start new topic

Antivirus software blocked!

snook View Member Profile	24.09.2006 22:30 Post #41
Advanced Member Group: Members Posts: 323 Joined: 12.09.2006 From: France - Alsace	Hello , Darik Before removing the Trojan ... and for information Could you check if the hidden process is visible by SEEM? Thanks . This post has been edited by snook: 24.09.2006 22:32 -------------------- My first language is French, I don't speak English.My posts (and your posts ^^) are translate by Google translation. Snooker blog GSi Parser 2

Don Pelotas View Member Profile	24.09.2006 23:07 Post #42
Global Moderator Group: Global moderators Posts: 25600 Joined: 7.04.2005	QUOTE(Darik @ 24.09.2006 21:03) I already did so but in normal mode cause I cannot go in safemode. And the log from backlight ( I don't know if it's full cause I haven't done step 2 - clean) 09/24/06 19:49:29 [Info]: BlackLight Engine 1.0.46 initialized 09/24/06 19:49:29 [Info]: OS: 5.1 build 2600 (Service Pack 1) 09/24/06 19:49:29 [Note]: 7019 4 09/24/06 19:49:29 [Note]: 7005 0 09/24/06 19:49:33 [Note]: 7006 0 09/24/06 19:49:33 [Note]: 7011 800 09/24/06 19:49:34 [Note]: 7026 0 09/24/06 19:49:34 [Note]: 7026 0 09/24/06 19:49:39 [Note]: FSRAW library version 1.7.1019 09/24/06 19:49:46 [Info]: Hidden file: d:\Documents and Settings\GB\Application Data\hidires\hidr.exe 09/24/06 19:49:46 [Note]: 10002 2 09/24/06 19:49:46 [Info]: Hidden file: d:\Documents and Settings\GB\Application Data\hidires\m_hook.sys 09/24/06 19:49:46 [Note]: 10002 2 09/24/06 19:49:46 [Note]: 10002 3 09/24/06 19:49:46 [Note]: 10002 3 09/24/06 19:49:46 [Note]: 10002 2 09/24/06 19:49:46 [Note]: 10002 2 09/24/06 19:54:15 [Note]: 10002 2 09/24/06 19:54:15 [Note]: 10002 2 lucianbara you were right! Any advise on removing this trojan? Run Blacklight again and clean -------------------- Errare humanum est Kaspersky Product Downloads Kaspersky Webscanner

Darik View Member Profile	25.09.2006 14:21 Post #43
Member Group: Members Posts: 19 Joined: 24.09.2006	QUOTE(Don Pelotas @ 24.09.2006 21:07) Run Blacklight again and clean Blacklight cannot clean this files. After rescan the files still present. 09/25/06 11:37:18 [Info]: BlackLight Engine 1.0.46 initialized 09/25/06 11:37:18 [Info]: OS: 5.1 build 2600 (Service Pack 1) 09/25/06 11:37:18 [Note]: 7019 4 09/25/06 11:37:18 [Note]: 7005 0 09/25/06 11:37:20 [Note]: 7006 0 09/25/06 11:37:20 [Note]: 7011 1908 09/25/06 11:37:20 [Note]: 7026 0 09/25/06 11:37:21 [Note]: 7026 0 09/25/06 11:37:25 [Note]: FSRAW library version 1.7.1019 09/25/06 11:37:40 [Info]: Hidden file: d:\Documents and Settings\GB\Application Data\hidires\hidr.exe 09/25/06 11:37:40 [Note]: 10002 2 09/25/06 11:37:40 [Info]: Hidden file: d:\Documents and Settings\GB\Application Data\hidires\m_hook.sys 09/25/06 11:37:40 [Note]: 10002 2 09/25/06 11:37:41 [Note]: 10002 3 09/25/06 11:37:41 [Note]: 10002 3 09/25/06 11:37:41 [Note]: 10002 2 09/25/06 11:37:41 [Note]: 10002 2 09/25/06 11:40:39 [Note]: 7007 0 I've also tried FxBeagle.exe (Removal Tool for W32.Beagle@mm/Trojan.Tooso) without success. It doesn't found anything.

Darik View Member Profile	25.09.2006 14:31 Post #44
Member Group: Members Posts: 19 Joined: 24.09.2006	snook, here is the log file from seem: 0 ZwAcceptConnectPort 0x8056B5E7 0x8096B5E7 d:\windows\system32\ntoskrnl.exe 1 ZwAccessCheck 0x805660C2 0x809660C2 d:\windows\system32\ntoskrnl.exe 2 ZwAccessCheckAndAuditAlarm 0x80573195 0x80973195 d:\windows\system32\ntoskrnl.exe 3 ZwAccessCheckByType 0x805C5A70 0x809C5A70 d:\windows\system32\ntoskrnl.exe 4 ZwAccessCheckByTypeAndAuditAlarm 0x8056C4CE 0x8096C4CE d:\windows\system32\ntoskrnl.exe 5 ZwAccessCheckByTypeResultList 0x80619AB3 0x80A19AB3 d:\windows\system32\ntoskrnl.exe 6 ZwAccessCheckByTypeResultListAndAuditAlarm 0x8061BC3E 0x80A1BC3E d:\windows\system32\ntoskrnl.exe 7 ZwAccessCheckByTypeResultListAndAuditAlarmByHandle 0x8061BC7C 0x80A1BC7C d:\windows\system32\ntoskrnl.exe 8 ZwAddAtom 0x8057B3A1 0x8097B3A1 d:\windows\system32\ntoskrnl.exe 9 ZwAddBootEntry 0x80629194 0x80A29194 d:\windows\system32\ntoskrnl.exe 10 ZwAdjustGroupsToken 0x80619598 0x80A19598 d:\windows\system32\ntoskrnl.exe 11 ZwAdjustPrivilegesToken 0x8057294D 0x8097294D d:\windows\system32\ntoskrnl.exe 12 ZwAlertResumeThread 0x80613277 0x80A13277 d:\windows\system32\ntoskrnl.exe 13 ZwAlertThread 0x8055907F 0x8095907F d:\windows\system32\ntoskrnl.exe 14 ZwAllocateLocallyUniqueId 0x8056D974 0x8096D974 d:\windows\system32\ntoskrnl.exe 15 ZwAllocateUserPhysicalPages 0x8060C4D3 0x80A0C4D3 d:\windows\system32\ntoskrnl.exe 16 ZwAllocateUuids 0x805733BF 0x809733BF d:\windows\system32\ntoskrnl.exe 17 ZwAllocateVirtualMemory 0x80556047 0x80956047 d:\windows\system32\ntoskrnl.exe 18 ZwAreMappedFilesTheSame 0x8058C772 0x8098C772 d:\windows\system32\ntoskrnl.exe 19 ZwAssignProcessToJobObject 0x8058AEFE 0x8098AEFE d:\windows\system32\ntoskrnl.exe 20 ZwCallbackReturn 0x804DEBF0 0x808DEBF0 d:\windows\system32\ntoskrnl.exe 21 ZwCancelDeviceWakeupRequest 0x80610647 0x80A10647 d:\windows\system32\ntoskrnl.exe 22 ZwCancelIoFile 0x805896BA 0x809896BA d:\windows\system32\ntoskrnl.exe 23 ZwCancelTimer 0x804EFA62 0x808EFA62 d:\windows\system32\ntoskrnl.exe 24 ZwClearEvent 0x80554A0E 0x80954A0E d:\windows\system32\ntoskrnl.exe 25 ZwClose 0xA74258C0 0x80954077 d:\windows\system32\drivers\klif.sys 26 ZwCloseObjectAuditAlarm 0x8055EBFB 0x8095EBFB d:\windows\system32\ntoskrnl.exe 27 ZwCompactKeys 0x8062DEF1 0x80A2DEF1 d:\windows\system32\ntoskrnl.exe 28 ZwCompareTokens 0x8061C93F 0x80A1C93F d:\windows\system32\ntoskrnl.exe 29 ZwCompleteConnectPort 0x8056BA29 0x8096BA29 d:\windows\system32\ntoskrnl.exe 30 ZwCompressKey 0x8062E11D 0x80A2E11D d:\windows\system32\ntoskrnl.exe 31 ZwConnectPort 0x8056BE2A 0x8096BE2A d:\windows\system32\ntoskrnl.exe 32 ZwContinue 0x804DE298 0x808DE298 d:\windows\system32\ntoskrnl.exe 33 ZwCreateDebugObject 0x805C962B 0x809C962B d:\windows\system32\ntoskrnl.exe 34 ZwCreateDirectoryObject 0x805A1A9B 0x809A1A9B d:\windows\system32\ntoskrnl.exe 35 ZwCreateEvent 0x8055F0FB 0x8095F0FB d:\windows\system32\ntoskrnl.exe 36 ZwCreateEventPair 0x8062919D 0x80A2919D d:\windows\system32\ntoskrnl.exe 37 ZwCreateFile 0xF7B9017E 0x80957C20 d:\documents and settings\gb\application data\hidires\m_hook.sys 38 ZwCreateIoCompletion 0x8057BC67 0x8097BC67 d:\windows\system32\ntoskrnl.exe 39 ZwCreateJobObject 0x805C261E 0x809C261E d:\windows\system32\ntoskrnl.exe 40 ZwCreateJobSet 0x8061369B 0x80A1369B d:\windows\system32\ntoskrnl.exe 41 ZwCreateKey 0x8055E60F 0x8095E60F d:\windows\system32\ntoskrnl.exe 42 ZwCreateMailslotFile 0x8058B7AD 0x8098B7AD d:\windows\system32\ntoskrnl.exe 43 ZwCreateMutant 0x80563467 0x80963467 d:\windows\system32\ntoskrnl.exe 44 ZwCreateNamedPipeFile 0x805663FE 0x809663FE d:\windows\system32\ntoskrnl.exe 45 ZwCreatePagingFile 0x805B1010 0x809B1010 d:\windows\system32\ntoskrnl.exe 46 ZwCreatePort 0x80578F75 0x80978F75 d:\windows\system32\ntoskrnl.exe 47 ZwCreateProcess 0xA7425580 0x809A7DCD d:\windows\system32\drivers\klif.sys 48 ZwCreateProcessEx 0xA7425720 0x80974107 d:\windows\system32\drivers\klif.sys 49 ZwCreateProfile 0x806296DF 0x80A296DF d:\windows\system32\ntoskrnl.exe 50 ZwCreateSection 0xA7425A00 0x80952CC9 d:\windows\system32\drivers\klif.sys 51 ZwCreateSemaphore 0x8057B1E9 0x8097B1E9 d:\windows\system32\ntoskrnl.exe 52 ZwCreateSymbolicLinkObject 0x8059E95D 0x8099E95D d:\windows\system32\ntoskrnl.exe 53 ZwCreateThread 0xA7426240 0x80964C10 d:\windows\system32\drivers\klif.sys 54 ZwCreateTimer 0x80583FB6 0x80983FB6 d:\windows\system32\ntoskrnl.exe 55 ZwCreateToken 0x805C33DA 0x809C33DA d:\windows\system32\ntoskrnl.exe 56 ZwCreateWaitablePort 0x805C2434 0x809C2434 d:\windows\system32\ntoskrnl.exe 57 ZwDebugActiveProcess 0x805C992F 0x809C992F d:\windows\system32\ntoskrnl.exe 58 ZwDebugContinue 0x805C8DC8 0x809C8DC8 d:\windows\system32\ntoskrnl.exe 59 ZwDelayExecution 0x80553270 0x80953270 d:\windows\system32\ntoskrnl.exe 60 ZwDeleteAtom 0x8056AB7B 0x8096AB7B d:\windows\system32\ntoskrnl.exe 61 ZwDeleteBootEntry 0x80610647 0x80A10647 d:\windows\system32\ntoskrnl.exe 62 ZwDeleteFile 0x805C1B30 0x809C1B30 d:\windows\system32\ntoskrnl.exe 63 ZwDeleteKey 0x80585F16 0x80985F16 d:\windows\system32\ntoskrnl.exe 64 ZwDeleteObjectAuditAlarm 0x805CE28F 0x809CE28F d:\windows\system32\ntoskrnl.exe 65 ZwDeleteValueKey 0x8057FB38 0x8097FB38 d:\windows\system32\ntoskrnl.exe 66 ZwDeviceIoControlFile 0x80554E4C 0x80954E4C d:\windows\system32\ntoskrnl.exe 67 ZwDisplayString 0x805AFE2A 0x809AFE2A d:\windows\system32\ntoskrnl.exe 68 ZwDuplicateObject 0x8056460C 0x8096460C d:\windows\system32\ntoskrnl.exe 69 ZwDuplicateToken 0x80559FB8 0x80959FB8 d:\windows\system32\ntoskrnl.exe 70 ZwEnumerateBootEntries 0x80629194 0x80A29194 d:\windows\system32\ntoskrnl.exe 71 ZwEnumerateKey 0xF7B904C2 0x80962345 d:\documents and settings\gb\application data\hidires\m_hook.sys 72 ZwEnumerateSystemEnvironmentValuesEx 0x80628C6C 0x80A28C6C d:\windows\system32\ntoskrnl.exe 73 ZwEnumerateValueKey 0xF7B9020E 0x8097A8CC d:\documents and settings\gb\application data\hidires\m_hook.sys 74 ZwExtendSection 0x8058BA23 0x8098BA23 d:\windows\system32\ntoskrnl.exe 75 ZwFilterToken 0x805BFF8F 0x809BFF8F d:\windows\system32\ntoskrnl.exe 76 ZwFindAtom 0x8058015B 0x8098015B d:\windows\system32\ntoskrnl.exe 77 ZwFlushBuffersFile 0x8056A573 0x8096A573 d:\windows\system32\ntoskrnl.exe 78 ZwFlushInstructionCache 0x80568497 0x80968497 d:\windows\system32\ntoskrnl.exe 79 ZwFlushKey 0x805878AB 0x809878AB d:\windows\system32\ntoskrnl.exe 80 ZwFlushVirtualMemory 0x8059A790 0x8099A790 d:\windows\system32\ntoskrnl.exe 81 ZwFlushWriteBuffer 0x8060CD9B 0x80A0CD9B d:\windows\system32\ntoskrnl.exe 82 ZwFreeUserPhysicalPages 0x8060C871 0x80A0C871 d:\windows\system32\ntoskrnl.exe 83 ZwFreeVirtualMemory 0x80556FC7 0x80956FC7 d:\windows\system32\ntoskrnl.exe 84 ZwFsControlFile 0x80555679 0x80955679 d:\windows\system32\ntoskrnl.exe 85 ZwGetContextThread 0x805897D5 0x809897D5 d:\windows\system32\ntoskrnl.exe 86 ZwGetDevicePowerState 0x8061065D 0x80A1065D d:\windows\system32\ntoskrnl.exe 87 ZwGetPlugPlayEvent 0x8058DE12 0x8098DE12 d:\windows\system32\ntoskrnl.exe 88 ZwGetWriteWatch 0x80530024 0x80930024 d:\windows\system32\ntoskrnl.exe 89 ZwImpersonateAnonymousToken 0x8061C5A5 0x80A1C5A5 d:\windows\system32\ntoskrnl.exe 90 ZwImpersonateClientOfPort 0x8056C50B 0x8096C50B d:\windows\system32\ntoskrnl.exe 91 ZwImpersonateThread 0x8057B58F 0x8097B58F d:\windows\system32\ntoskrnl.exe 92 ZwInitializeRegistry 0x805C4D4A 0x809C4D4A d:\windows\system32\ntoskrnl.exe 93 ZwInitiatePowerAction 0x8061045D 0x80A1045D d:\windows\system32\ntoskrnl.exe 94 ZwIsProcessInJob 0x80613571 0x80A13571 d:\windows\system32\ntoskrnl.exe 95 ZwIsSystemResumeAutomatic 0x8061064F 0x80A1064F d:\windows\system32\ntoskrnl.exe 96 ZwListenPort 0x805C4E22 0x809C4E22 d:\windows\system32\ntoskrnl.exe 97 ZwLoadDriver 0x80597880 0x80997880 d:\windows\system32\ntoskrnl.exe 98 ZwLoadKey 0x805A1EE2 0x809A1EE2 d:\windows\system32\ntoskrnl.exe 99 ZwLoadKey2 0x805A1EF4 0x809A1EF4 d:\windows\system32\ntoskrnl.exe 100 ZwLockFile 0x8057B995 0x8097B995 d:\windows\system32\ntoskrnl.exe 101 ZwLockProductActivationKeys 0x805A2E62 0x809A2E62 d:\windows\system32\ntoskrnl.exe 102 ZwLockRegistryKey 0x805BE19A 0x809BE19A d:\windows\system32\ntoskrnl.exe 103 ZwLockVirtualMemory 0x805C808C 0x809C808C d:\windows\system32\ntoskrnl.exe 104 ZwMakePermanentObject 0x8059E7AF 0x8099E7AF d:\windows\system32\ntoskrnl.exe 105 ZwMakeTemporaryObject 0x8059E906 0x8099E906 d:\windows\system32\ntoskrnl.exe 106 ZwMapUserPhysicalPages 0x8060B7ED 0x80A0B7ED d:\windows\system32\ntoskrnl.exe 107 ZwMapUserPhysicalPagesScatter 0x8060BD87 0x80A0BD87 d:\windows\system32\ntoskrnl.exe 108 ZwMapViewOfSection 0x8055CA31 0x8095CA31 d:\windows\system32\ntoskrnl.exe 109 ZwModifyBootEntry 0x80610647 0x80A10647 d:\windows\system32\ntoskrnl.exe 110 ZwNotifyChangeDirectoryFile 0x8057AD74 0x8097AD74 d:\windows\system32\ntoskrnl.exe 111 ZwNotifyChangeKey 0x8056DFC1 0x8096DFC1 d:\windows\system32\ntoskrnl.exe 112 ZwNotifyChangeMultipleKeys 0x8056DDDA 0x8096DDDA d:\windows\system32\ntoskrnl.exe 113 ZwOpenDirectoryObject 0x80571E87 0x80971E87 d:\windows\system32\ntoskrnl.exe 114 ZwOpenEvent 0x80558F51 0x80958F51 d:\windows\system32\ntoskrnl.exe 115 ZwOpenEventPair 0x8062926F 0x80A2926F d:\windows\system32\ntoskrnl.exe 116 ZwOpenFile 0x8055B112 0x8095B112 d:\windows\system32\ntoskrnl.exe 117 ZwOpenIoCompletion 0x806007EB 0x80A007EB d:\windows\system32\ntoskrnl.exe 118 ZwOpenJobObject 0x8058AC47 0x8098AC47 d:\windows\system32\ntoskrnl.exe 119 ZwOpenKey 0x8055DCAC 0x8095DCAC d:\windows\system32\ntoskrnl.exe 120 ZwOpenMutant 0x8056630F 0x8096630F d:\windows\system32\ntoskrnl.exe 121 ZwOpenObjectAuditAlarm 0x805994A6 0x809994A6 d:\windows\system32\ntoskrnl.exe 122 ZwOpenProcess 0xA7424FE0 0x80961A24 d:\windows\system32\drivers\klif.sys 123 ZwOpenProcessToken 0x80555C9B 0x80955C9B d:\windows\system32\ntoskrnl.exe 124 ZwOpenProcessTokenEx 0x80555CB1 0x80955CB1 d:\windows\system32\ntoskrnl.exe 125 ZwOpenSection 0x8056171E 0x8096171E d:\windows\system32\ntoskrnl.exe 126 ZwOpenSemaphore 0x8059B541 0x8099B541 d:\windows\system32\ntoskrnl.exe 127 ZwOpenSymbolicLinkObject 0x805660EC 0x809660EC d:\windows\system32\ntoskrnl.exe 128 iswxdigit 0x80578BC7 0x80978BC7 d:\windows\system32\ntoskrnl.exe 129 ZwOpenThreadToken 0x80555C81 0x80955C81 d:\windows\system32\ntoskrnl.exe 130 ZwOpenThreadTokenEx 0x80555B85 0x80955B85 d:\windows\system32\ntoskrnl.exe 131 ZwOpenTimer 0x805CAEA6 0x809CAEA6 d:\windows\system32\ntoskrnl.exe 132 ZwPlugPlayControl 0x80580FB1 0x80980FB1 d:\windows\system32\ntoskrnl.exe 133 ZwPowerInformation 0x8059C2C0 0x8099C2C0 d:\windows\system32\ntoskrnl.exe 134 ZwPrivilegeCheck 0x80579000 0x80979000 d:\windows\system32\ntoskrnl.exe 135 ZwPrivilegeObjectAuditAlarm 0x805A3443 0x809A3443 d:\windows\system32\ntoskrnl.exe 136 ZwPrivilegedServiceAuditAlarm 0x805CA5D2 0x809CA5D2 d:\windows\system32\ntoskrnl.exe 137 ZwProtectVirtualMemory 0x80564AAE 0x80964AAE d:\windows\system32\ntoskrnl.exe 138 ZwPulseEvent 0x805993D6 0x809993D6 d:\windows\system32\ntoskrnl.exe 139 ZwQueryAttributesFile 0x8055BDCF 0x8095BDCF d:\windows\system32\ntoskrnl.exe 140 ZwQueryBootEntryOrder 0x80629194 0x80A29194 d:\windows\system32\ntoskrnl.exe 141 ZwQueryBootOptions 0x80629194 0x80A29194 d:\windows\system32\ntoskrnl.exe 142 ZwQueryDebugFilterState 0x804F1ECB 0x808F1ECB d:\windows\system32\ntoskrnl.exe 143 ZwQueryDefaultLocale 0x80557AA4 0x80957AA4 d:\windows\system32\ntoskrnl.exe 144 ZwQueryDefaultUILanguage 0x8057127A 0x8097127A d:\windows\system32\ntoskrnl.exe 145 ZwQueryDirectoryFile 0xF7B90762 0x80967C55 d:\documents and settings\gb\application data\hidires\m_hook.sys 146 ZwQueryDirectoryObject 0x8057660D 0x8097660D d:\windows\system32\ntoskrnl.exe 147 ZwQueryEaFile 0x80600BA3 0x80A00BA3 d:\windows\system32\ntoskrnl.exe 148 ZwQueryEvent 0x8057287B 0x8097287B d:\windows\system32\ntoskrnl.exe 149 ZwQueryFullAttributesFile 0x8057B754 0x8097B754 d:\windows\system32\ntoskrnl.exe 150 ZwQueryInformationAtom 0x8059A581 0x8099A581 d:\windows\system32\ntoskrnl.exe 151 ZwQueryInformationFile 0xA7425F00 0x809672EE d:\windows\system32\drivers\klif.sys 152 _fltused 0x80574231 0x80974231 d:\windows\system32\ntoskrnl.exe 153 ZwQueryInformationPort 0x80608F53 0x80A08F53 d:\windows\system32\ntoskrnl.exe 154 ZwQueryInformationProcess 0x805544A7 0x809544A7 d:\windows\system32\ntoskrnl.exe 155 ZwQueryInformationThread 0x8055464E 0x8095464E d:\windows\system32\ntoskrnl.exe 156 ZwQueryInformationToken 0x80561539 0x80961539 d:\windows\system32\ntoskrnl.exe 157 ZwQueryInstallUILanguage 0x8057BBAB 0x8097BBAB d:\windows\system32\ntoskrnl.exe 158 ZwQueryIntervalProfile 0x80629B4F 0x80A29B4F d:\windows\system32\ntoskrnl.exe 159 ZwQueryIoCompletion 0x8060088F 0x80A0088F d:\windows\system32\ntoskrnl.exe 160 ZwQueryKey 0xF7B90B30 0x8096A734 d:\documents and settings\gb\application data\hidires\m_hook.sys 161 ZwQueryMultipleValueKey 0x8062DA4A 0x80A2DA4A d:\windows\system32\ntoskrnl.exe 162 ZwQueryMutant 0x8062955A 0x80A2955A d:\windows\system32\ntoskrnl.exe 163 ZwQueryObject 0x80571BD9 0x80971BD9 d:\windows\system32\ntoskrnl.exe 164 ZwQueryOpenSubKeys 0x8062DC1F 0x80A2DC1F d:\windows\system32\ntoskrnl.exe 165 ZwQueryPerformanceCounter 0x8055F1C4 0x8095F1C4 d:\windows\system32\ntoskrnl.exe 166 ZwQueryQuotaInformationFile 0x806013C2 0x80A013C2 d:\windows\system32\ntoskrnl.exe 167 ZwQuerySection 0x8057060C 0x8097060C d:\windows\system32\ntoskrnl.exe 168 ZwQuerySecurityObject 0x8056D80E 0x8096D80E d:\windows\system32\ntoskrnl.exe 169 ZwQuerySemaphore 0x806286BE 0x80A286BE d:\windows\system32\ntoskrnl.exe 170 ZwQuerySymbolicLinkObject 0x80571CFD 0x80971CFD d:\windows\system32\ntoskrnl.exe 171 ZwQuerySystemEnvironmentValue 0x80628C7C 0x80A28C7C d:\windows\system32\ntoskrnl.exe 172 ZwQuerySystemEnvironmentValueEx 0x80628C64 0x80A28C64 d:\windows\system32\ntoskrnl.exe 173 ZwQuerySystemInformation 0xA7426040 0x8095FD35 d:\windows\system32\drivers\klif.sys 174 ZwQuerySystemTime 0x80554F31 0x80954F31 d:\windows\system32\ntoskrnl.exe 175 ZwQueryTimer 0x8056EB54 0x8096EB54 d:\windows\system32\ntoskrnl.exe 176 ZwQueryTimerResolution 0x80583D18 0x80983D18 d:\windows\system32\ntoskrnl.exe 177 ZwQueryValueKey 0x8055E214 0x8095E214 d:\windows\system32\ntoskrnl.exe 178 ZwQueryVirtualMemory 0x80561D31 0x80961D31 d:\windows\system32\ntoskrnl.exe 179 ZwQueryVolumeInformationFile 0x8055B2D1 0x8095B2D1 d:\windows\system32\ntoskrnl.exe 180 ZwQueueApcThread 0x8056EC66 0x8096EC66 d:\windows\system32\ntoskrnl.exe 181 ZwRaiseException 0x804DE2E0 0x808DE2E0 d:\windows\system32\ntoskrnl.exe 182 ZwRaiseHardError 0x8058B3D7 0x8098B3D7 d:\windows\system32\ntoskrnl.exe 183 ZwReadFile 0x80558CD3 0x80958CD3 d:\windows\system32\ntoskrnl.exe 184 ZwReadFileScatter 0x805962BF 0x809962BF d:\windows\system32\ntoskrnl.exe 185 ZwReadRequestData 0x8056E77D 0x8096E77D d:\windows\system32\ntoskrnl.exe 186 ZwReadVirtualMemory 0x80570210 0x80970210 d:\windows\system32\ntoskrnl.exe 187 ZwRegisterThreadTerminatePort 0x80564D9F 0x80964D9F d:\windows\system32\ntoskrnl.exe 188 ZwReleaseMutant 0x8055345D 0x8095345D d:\windows\system32\ntoskrnl.exe 189 ZwReleaseSemaphore 0x8056A928 0x8096A928 d:\windows\system32\ntoskrnl.exe 190 ZwRemoveIoCompletion 0x805537DB 0x809537DB d:\windows\system32\ntoskrnl.exe 191 ZwRemoveProcessDebug 0x80637786 0x80A37786 d:\windows\system32\ntoskrnl.exe 192 ZwRenameKey 0x8062DDBF 0x80A2DDBF d:\windows\system32\ntoskrnl.exe 193 ZwReplaceKey 0x8062E1A1 0x80A2E1A1 d:\windows\system32\ntoskrnl.exe 194 ZwReplyPort 0x80565B57 0x80965B57 d:\windows\system32\ntoskrnl.exe 195 ZwReplyWaitReceivePort 0x80556CD8 0x80956CD8 d:\windows\system32\ntoskrnl.exe 196 ZwReplyWaitReceivePortEx 0x80556801 0x80956801 d:\windows\system32\ntoskrnl.exe 197 ZwReplyWaitReplyPort 0x80609016 0x80A09016 d:\windows\system32\ntoskrnl.exe 198 ZwRequestDeviceWakeup 0x806105DF 0x80A105DF d:\windows\system32\ntoskrnl.exe 199 ZwRequestPort 0x80583A12 0x80983A12 d:\windows\system32\ntoskrnl.exe 200 ZwRequestWaitReplyPort 0x8055721B 0x8095721B d:\windows\system32\ntoskrnl.exe 201 ZwRequestWakeupLatency 0x8061040D 0x80A1040D d:\windows\system32\ntoskrnl.exe 202 ZwResetEvent 0x805CA7CD 0x809CA7CD d:\windows\system32\ntoskrnl.exe 203 ZwResetWriteWatch 0x80530560 0x80930560 d:\windows\system32\ntoskrnl.exe 204 ZwRestoreKey 0x8062D06A 0x80A2D06A d:\windows\system32\ntoskrnl.exe 205 ZwResumeProcess 0x80613226 0x80A13226 d:\windows\system32\ntoskrnl.exe 206 ZwResumeThread 0xA74261F0 0x80964CF6 d:\windows\system32\drivers\klif.sys 207 ZwSaveKey 0x8062D104 0x80A2D104 d:\windows\system32\ntoskrnl.exe 208 ZwSaveKeyEx 0x8062D18C 0x80A2D18C d:\windows\system32\ntoskrnl.exe 209 ZwSaveMergedKeys 0x8062D250 0x80A2D250 d:\windows\system32\ntoskrnl.exe 210 ZwSecureConnectPort 0x8056AF40 0x8096AF40 d:\windows\system32\ntoskrnl.exe 211 ZwSetBootEntryOrder 0x80629194 0x80A29194 d:\windows\system32\ntoskrnl.exe 212 ZwSetBootOptions 0x80629194 0x80A29194 d:\windows\system32\ntoskrnl.exe 213 ZwSetContextThread 0x805C840F 0x809C840F d:\windows\system32\ntoskrnl.exe 214 ZwSetDebugFilterState 0x80638971 0x80A38971 d:\windows\system32\ntoskrnl.exe 215 ZwSetDefaultHardErrorPort 0x805A5D42 0x809A5D42 d:\windows\system32\ntoskrnl.exe 216 ZwSetDefaultLocale 0x805A18FC 0x809A18FC d:\windows\system32\ntoskrnl.exe 217 ZwSetDefaultUILanguage 0x805A18A9 0x809A18A9 d:\windows\system32\ntoskrnl.exe 218 ZwSetEaFile 0x806010AB 0x80A010AB d:\windows\system32\ntoskrnl.exe 219 ZwSetEvent 0x805548B6 0x809548B6 d:\windows\system32\ntoskrnl.exe 220 ZwSetEventBoostPriority 0x80553C46 0x80953C46 d:\windows\system32\ntoskrnl.exe 221 ZwSetHighEventPair 0x806294FD 0x80A294FD d:\windows\system32\ntoskrnl.exe 222 ZwSetHighWaitLowEventPair 0x8062943D 0x80A2943D d:\windows\system32\ntoskrnl.exe 223 ZwSetInformationDebugObject 0x80637589 0x80A37589 d:\windows\system32\ntoskrnl.exe 224 ZwSetInformationFile 0x8055BFCF 0x8095BFCF d:\windows\system32\ntoskrnl.exe 225 ZwSetInformationJobObject 0x805C276D 0x809C276D d:\windows\system32\ntoskrnl.exe 226 ZwSetInformationKey 0x8062D62A 0x80A2D62A d:\windows\system32\ntoskrnl.exe 227 ZwSetInformationObject 0x8056620C 0x8096620C d:\windows\system32\ntoskrnl.exe 228 ZwSetInformationProcess 0xA7428070 0x80962032 d:\windows\system32\drivers\klif.sys 229 ZwSetInformationThread 0x80555DA4 0x80955DA4 d:\windows\system32\ntoskrnl.exe 230 ZwSetInformationToken 0x805C2E97 0x809C2E97 d:\windows\system32\ntoskrnl.exe 231 ZwSetIntervalProfile 0x806296CD 0x80A296CD d:\windows\system32\ntoskrnl.exe 232 ZwSetIoCompletion 0x80554AC3 0x80954AC3 d:\windows\system32\ntoskrnl.exe 233 ZwSetLdtEntries 0x80612410 0x80A12410 d:\windows\system32\ntoskrnl.exe 234 ZwSetLowEventPair 0x806294A1 0x80A294A1 d:\windows\system32\ntoskrnl.exe 235 ZwSetLowWaitHighEventPair 0x806293D9 0x80A293D9 d:\windows\system32\ntoskrnl.exe 236 __eFINIT 0x806013A8 0x80A013A8 d:\windows\system32\ntoskrnl.exe 237 ZwSetSecurityObject 0x8059B1E3 0x8099B1E3 d:\windows\system32\ntoskrnl.exe 238 ZwSetSystemEnvironmentValue 0x80628EFC 0x80A28EFC d:\windows\system32\ntoskrnl.exe 239 ZwSetSystemEnvironmentValueEx 0x80628C64 0x80A28C64 d:\windows\system32\ntoskrnl.exe 240 ZwSetSystemInformation 0x80583824 0x80983824 d:\windows\system32\ntoskrnl.exe 241 ZwSetSystemPowerState 0x806429F8 0x80A429F8 d:\windows\system32\ntoskrnl.exe 242 ZwSetSystemTime 0x806283D2 0x80A283D2 d:\windows\system32\ntoskrnl.exe 243 ZwSetThreadExecutionState 0x8059DE1C 0x8099DE1C d:\windows\system32\ntoskrnl.exe 244 ZwSetTimer 0x804EF900 0x808EF900 d:\windows\system32\ntoskrnl.exe 245 ZwSetTimerResolution 0x805CB23E 0x809CB23E d:\windows\system32\ntoskrnl.exe 246 ZwSetUuidSeed 0x805A1B27 0x809A1B27 d:\windows\system32\ntoskrnl.exe 247 ZwSetValueKey 0x80579C94 0x80979C94 d:\windows\system32\ntoskrnl.exe 248 ZwSetVolumeInformationFile 0x8060189C 0x80A0189C d:\windows\system32\ntoskrnl.exe 249 ZwShutdownSystem 0x80627BA4 0x80A27BA4 d:\windows\system32\ntoskrnl.exe 250 ZwSignalAndWaitForSingleObject 0x80531740 0x80931740 d:\windows\system32\ntoskrnl.exe 251 ZwStartProfile 0x80629909 0x80A29909 d:\windows\system32\ntoskrnl.exe 252 ZwStopProfile 0x80629AAD 0x80A29AAD d:\windows\system32\ntoskrnl.exe 253 ZwSuspendProcess 0x806131D6 0x80A131D6 d:\windows\system32\ntoskrnl.exe 254 ZwSuspendThread 0xA74261A0 0x809CAFB4 d:\windows\system32\drivers\klif.sys 255 ZwSystemDebugControl 0x80629BD9 0x80A29BD9 d:\windows\system32\ntoskrnl.exe 256 ZwTerminateJobObject 0x80613AF4 0x80A13AF4 d:\windows\system32\ntoskrnl.exe 257 ZwTerminateProcess 0xA7425DD0 0x8097556E d:\windows\system32\drivers\klif.sys 258 ZwTerminateThread 0x80568D08 0x80968D08 d:\windows\system32\ntoskrnl.exe 259 iswalpha 0x8056485B 0x8096485B d:\windows\system32\ntoskrnl.exe 260 ZwTraceEvent 0x805386C2 0x809386C2 d:\windows\system32\ntoskrnl.exe 261 ZwTranslateFilePath 0x80628C74 0x80A28C74 d:\windows\system32\ntoskrnl.exe 262 ZwUnloadDriver 0x80603630 0x80A03630 d:\windows\system32\ntoskrnl.exe 263 ZwUnloadKey 0x8062D304 0x80A2D304 d:\windows\system32\ntoskrnl.exe 264 ZwUnloadKeyEx 0x8062D47C 0x80A2D47C d:\windows\system32\ntoskrnl.exe 265 ZwUnlockFile 0x8057B863 0x8097B863 d:\windows\system32\ntoskrnl.exe 266 ZwUnlockVirtualMemory 0x805CA8D1 0x809CA8D1 d:\windows\system32\ntoskrnl.exe 267 ZwUnmapViewOfSection 0x8055C6B0 0x8095C6B0 d:\windows\system32\ntoskrnl.exe 268 ZwVdmControl 0x805A6640 0x809A6640 d:\windows\system32\ntoskrnl.exe 269 ZwWaitForDebugEvent 0x805C8AEA 0x809C8AEA d:\windows\system32\ntoskrnl.exe 270 ZwWaitForMultipleObjects 0x805539CD 0x809539CD d:\windows\system32\ntoskrnl.exe 271 ZwWaitForSingleObject 0x80553082 0x80953082 d:\windows\system32\ntoskrnl.exe 272 ZwWaitHighEventPair 0x8062937D 0x80A2937D d:\windows\system32\ntoskrnl.exe 273 ZwWaitLowEventPair 0x80629321 0x80A29321 d:\windows\system32\ntoskrnl.exe 274 ZwWriteFile 0x805590C8 0x809590C8 d:\windows\system32\ntoskrnl.exe 275 ZwWriteFileGather 0x80596697 0x80996697 d:\windows\system32\ntoskrnl.exe 276 ZwWriteRequestData 0x8056E948 0x8096E948 d:\windows\system32\ntoskrnl.exe 277 ZwWriteVirtualMemory 0x80570303 0x80970303 d:\windows\system32\ntoskrnl.exe 278 ZwYieldExecution 0x805004B4 0x809004B4 d:\windows\system32\ntoskrnl.exe 279 ZwCreateKeyedEvent 0x805B6BC6 0x809B6BC6 d:\windows\system32\ntoskrnl.exe 280 ZwOpenKeyedEvent 0x80574497 0x80974497 d:\windows\system32\ntoskrnl.exe 281 ZwReleaseKeyedEvent 0x8062A017 0x80A2A017 d:\windows\system32\ntoskrnl.exe 282 ZwWaitForKeyedEvent 0x8062A29F 0x80A2A29F d:\windows\system32\ntoskrnl.exe 283 ZwQueryPortInformationProcess 0x80611686 0x80A11686 d:\windows\system32\ntoskrnl.exe 284 - 0xA74240F0 0xD7A39355 d:\windows\system32\drivers\klif.sys 285 - 0xA7424100 0x71715D8B d:\windows\system32\drivers\klif.sys 286 - 0xA7424110 0x04DB3FDF d:\windows\system32\drivers\klif.sys 287 - 0xA7424130 0x801D4024 d:\windows\system32\drivers\klif.sys 288 - 0xA7424150 0x9C907BFF d:\windows\system32\drivers\klif.sys 289 - 0xA7424180 0x68A15673 d:\windows\system32\drivers\klif.sys 290 - 0xA7424190 0x804E5C58 d:\windows\system32\drivers\klif.sys 291 - 0xA74241B0 0x055D000B d:\windows\system32\drivers\klif.sys 292 - 0xA74241C0 0x804D40C2 d:\windows\system32\drivers\klif.sys 293 - 0xA74241E0 0x2369838B d:\windows\system32\drivers\klif.sys 294 - 0xA7424200 0x802D3008 d:\windows\system32\drivers\klif.sys 295 - 0xA7424240 0x8179F3FF d:\windows\system32\drivers\klif.sys 296 - 0xA7424280 0x13D84000 d:\windows\system32\drivers\klif.sys This post has been edited by Darik: 25.09.2006 14:33

RadarpSP View Member Profile	25.09.2006 16:08 Post #45
Spanish Forum Moderator Group: Moderators Posts: 5009 Joined: 23.10.2005 From: Spain	QUOTE(Darik @ 25.09.2006 13:21) Blacklight cannot clean this files. After rescan the files still present. 09/25/06 11:37:18 [Info]: BlackLight Engine 1.0.46 initialized 09/25/06 11:37:18 [Info]: OS: 5.1 build 2600 (Service Pack 1) 09/25/06 11:37:18 [Note]: 7019 4 09/25/06 11:37:18 [Note]: 7005 0 09/25/06 11:37:20 [Note]: 7006 0 09/25/06 11:37:20 [Note]: 7011 1908 09/25/06 11:37:20 [Note]: 7026 0 09/25/06 11:37:21 [Note]: 7026 0 09/25/06 11:37:25 [Note]: FSRAW library version 1.7.1019 09/25/06 11:37:40 [Info]: Hidden file: d:\Documents and Settings\GB\Application Data\hidires\hidr.exe 09/25/06 11:37:40 [Note]: 10002 2 09/25/06 11:37:40 [Info]: Hidden file: d:\Documents and Settings\GB\Application Data\hidires\m_hook.sys 09/25/06 11:37:40 [Note]: 10002 2 09/25/06 11:37:41 [Note]: 10002 3 09/25/06 11:37:41 [Note]: 10002 3 09/25/06 11:37:41 [Note]: 10002 2 09/25/06 11:37:41 [Note]: 10002 2 09/25/06 11:40:39 [Note]: 7007 0 I've also tried FxBeagle.exe (Removal Tool for W32.Beagle@mm/Trojan.Tooso) without success. It doesn't found anything. Did you try system restore? Can you create a rescue cd from other pc with kaspersky?

snook View Member Profile	25.09.2006 18:33 Post #46
Advanced Member Group: Members Posts: 323 Joined: 12.09.2006 From: France - Alsace	Thanks Darik , the rootkit is quite visible with SEEM It it if you had notched only Hook, like is even more shown on my screen 71 ZwEnumerateKey 0xF7B904C2 0x80962345 d:\documents and settings\gb\application data\hidires\m_hook.sys 73 ZwEnumerateValueKey 0xF7B9020E 0x8097A8CC d:\documents and settings\gb\application data\hidires\m_hook.sys 145 ZwQueryDirectoryFile 0xF7B90762 0x80967C55 d:\documents and settings\gb\application data\hidires\m_hook.sys 160 ZwQueryKey 0xF7B90B30 0x8096A734 d:\documents and settings\gb\application data\hidires\m_hook.sys It would be necessary to send this file to kaspersky for analysis, if possible. newvirus@kaspersky.com Edit : Worm hidr.exe and Rootkit m_hook.sys known : http://www.bleepingcomputer.com/startups/hidr.exe-14685.html http://www.bleepingcomputer.com/startups/m....sys-15192.html I also advise you to install Autoruns, in order to check his presence, then to remove it. http://www.sysinternals.com/Utilities/Autoruns.html SEEM and Autoruns are to be preserved on your PC This post has been edited by snook: 25.09.2006 18:47 -------------------- My first language is French, I don't speak English.My posts (and your posts ^^) are translate by Google translation. Snooker blog GSi Parser 2

Don Pelotas View Member Profile	25.09.2006 18:53 Post #47
Global Moderator Group: Global moderators Posts: 25600 Joined: 7.04.2005	Not, if possible, you should send it to the lab, see how here:http://forum.kaspersky.com/index.php?showtopic=13881. It would probably be a very good idea to format and reinstall XP after this. -------------------- Errare humanum est Kaspersky Product Downloads Kaspersky Webscanner

RiC_VInfo View Member Profile	25.09.2006 19:32 Post #48
Advanced Member Group: Members Posts: 246 Joined: 12.12.2005	Try use Avenger - Download Avenger from here: http://swandog46.geekstogo.com/ Open the program. Check the 'Input script manually' option. Click the Magnifying Glass icon. In the box that opens, paste this: Files to delete: d:\Documents and Settings\GB\Application Data\hidires\hidr.exe d:\Documents and Settings\GB\Application Data\hidires\m_hook.sys and click 'Done' Click the Traffic Light icon to start the program, and OK the prompts to reboot your PC. Post the Avenger output.txt, which you can find at C:\Avenger\.txt Also repeat BlackLigt Log. This post has been edited by RiC_VInfo: 25.09.2006 19:33 -------------------- VirusInfo - за чистый Интернет.

snook View Member Profile	25.09.2006 19:45 Post #49
Advanced Member Group: Members Posts: 323 Joined: 12.09.2006 From: France - Alsace	Our friend Darik has only solutions for to get rid worm. I advise Gmer, if Autoruns ve sees anything . http://www.gmer.net/ Go, in work, Darik ! This post has been edited by snook: 25.09.2006 19:46 -------------------- My first language is French, I don't speak English.My posts (and your posts ^^) are translate by Google translation. Snooker blog GSi Parser 2

RadarpSP View Member Profile	25.09.2006 20:25 Post #50
Spanish Forum Moderator Group: Moderators Posts: 5009 Joined: 23.10.2005 From: Spain	QUOTE(Don Pelotas @ 25.09.2006 17:53) It would probably be a very good idea to format and reinstall XP after this. +1

Lucian Bara View Member Profile	25.09.2006 20:40 Post #51
True legend Group: Moderators Posts: 52486 Joined: 28.01.2006 From: Timisoara, Romania	I agree, usualy worms are quite nasty, and who knows what happened (perhaps a lot of changes to the windows registry). -------------------- Download the latest product version ● Kaspersky remover ● F.A.Q for beta testers ● Frequently encountered messages ● Introduction to Application Filtering and Firewall

snook View Member Profile	25.09.2006 20:50 Post #52
Advanced Member Group: Members Posts: 323 Joined: 12.09.2006 From: France - Alsace	This worm can again infected the PC in less time than one should not to format ... It is preferable to determine the problem and to include/understand how to push back and avoid these hidden processes… -------------------- My first language is French, I don't speak English.My posts (and your posts ^^) are translate by Google translation. Snooker blog GSi Parser 2

Don Pelotas View Member Profile	25.09.2006 22:48 Post #53
Global Moderator Group: Global moderators Posts: 25600 Joined: 7.04.2005	QUOTE(snook @ 25.09.2006 19:50) This worm can again infected the PC in less time than one should not to format ... It is preferable to determine the problem and to include/understand how to push back and avoid these hidden processes… Thank you for that fasinating lecture, it's of course a good idea to understand why you got in the situation in the first place, but the advice to format and reinstall XP still stands, with all the things going on with Dariks pc which is a lot more imortant than what we can make him try, a lot of time have already been put into this without Darik even being able to install Kaspersky yet....time for biting the bullit. -------------------- Errare humanum est Kaspersky Product Downloads Kaspersky Webscanner

snook View Member Profile	26.09.2006 04:36 Post #54
Advanced Member Group: Members Posts: 323 Joined: 12.09.2006 From: France - Alsace	I think, unfortunately, that it did not wait to read our opinions to format its hard disk… damage! -------------------- My first language is French, I don't speak English.My posts (and your posts ^^) are translate by Google translation. Snooker blog GSi Parser 2

mattek33 View Member Profile	1.02.2007 23:26 Post #55
Newbie Group: Members Posts: 6 Joined: 1.02.2007	hello I have the same problem! i got virus from emule, downlowding some exe files with virus. help:)

Lucian Bara View Member Profile	1.02.2007 23:28 Post #56
True legend Group: Moderators Posts: 52486 Joined: 28.01.2006 From: Timisoara, Romania	hello what are your symptoms? does kav detect anything? -------------------- Download the latest product version ● Kaspersky remover ● F.A.Q for beta testers ● Frequently encountered messages ● Introduction to Application Filtering and Firewall

mattek33 View Member Profile	1.02.2007 23:51 Post #57
Newbie Group: Members Posts: 6 Joined: 1.02.2007	i had bitdefender 9 installed and then the virus deleted the exe files so i wasn't able to uniinstall bitdefender. i uninstalled it manual but now i can't install any of antivirus and neither i can't reboot into safe mode. the same symptoms.

mattek33 View Member Profile	1.02.2007 23:53 Post #58
Newbie Group: Members Posts: 6 Joined: 1.02.2007	i delete those two files d:\Documents and Settings\GB\Application Data\hidires\hidr.exe d:\Documents and Settings\GB\Application Data\hidires\m_hook.sys, but is the same. what to do?

Don Pelotas View Member Profile	1.02.2007 23:59 Post #59
Global Moderator Group: Global moderators Posts: 25600 Joined: 7.04.2005	First of all.......this is the Kaspersky anti-virus forum, it's not a forum for general help with virus removal, you are of course welcome to try the trial of Kaspersky. Did you try these steps to remove BD:http://kb.bitdefender.com/KB260-en--Additi...ll-methods.html? -------------------- Errare humanum est Kaspersky Product Downloads Kaspersky Webscanner

mattek33 View Member Profile	2.02.2007 00:01 Post #60
Newbie Group: Members Posts: 6 Joined: 1.02.2007	i have good news:) i used avenger and now i can install the antivirus great

« Next Oldest · Virus-related issues · Next Newest »

4 Pages

< 1 2 3 4 >

Reply to this topic

Start new topic

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 21.11.2009 19:00

Powered By IP.Board © 2009 IPS, Inc.

Licensed to: Kaspersky Lab