Amazingly-coded rootkit?!

Discussion in 'malware problems & news' started by Paranoid, Mar 14, 2005.

Thread Status:
Not open for further replies.
  1. Paranoid

    Paranoid Registered Member

    Joined:
    Mar 18, 2005
    Posts:
    9
    Location:
    Melbourne, Australia
    KProcCheck in normal startup.
     


  2. Paranoid

    Paranoid Registered Member

    Joined:
    Mar 18, 2005
    Posts:
    9
    Location:
    Melbourne, Australia
    Process Explorer in safe mode.
     


  3. Paranoid

    Paranoid Registered Member

    Joined:
    Mar 18, 2005
    Posts:
    9
    Location:
    Melbourne, Australia
    Process Explorer in Normal Startup
     


  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Paranoid - Did you run KProcCheck with the "-g" switch? (See the bottom of my last post). It shows "hooked" things. Was there anything there?

    From all the screenshots I'm seeing, either they're all not showing what's causing the problem - or whatever you've got has a standard exe-type name (doubtless by design). Pete
     
  5. Paranoid

    Paranoid Registered Member

    Joined:
    Mar 18, 2005
    Posts:
    9
    Location:
    Melbourne, Australia
    Holy Crap! I think I just found the first clue(s?)! I'll highlight it for you. Either that or I'm just going crazy at the slightest sign of anything. :p It's under option -d, if you wanna skip the rest. I've also come to the conclusion every one of these things needs a log feature :p

     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Kind of puzzling that those two entries show up there without having shown anywhere in, say, RootkitRevealer.

    More puzzling is - what in the heck do they mean and how do you track down whatever that is? (WAY outside my ballpark here). Pete

    *Didn't you say you were also posting a HJT log? Am I going blind here?

    **Where exactly did you pick up this nasty from, anyway - do you know? I want to try a little of it on for size.
     
    Last edited: Mar 18, 2005
  7. Paranoid

    Paranoid Registered Member

    Joined:
    Mar 18, 2005
    Posts:
    9
    Location:
    Melbourne, Australia
    Heya Pete, my HJT log is a .rar disguised as a .log (it'd be nice to separate those logs anyway) on the reply before all the screenies. It's an attachment called 'Findings.log'.

    The odd thing is, I don't actually recall I was doing anything active at the time. I was up at around 5am playing a PC game, fullscreen, no other apps running, save my usual AV and firewall, http proxy, yada yada. Then my game starts lagging to hell. Considering it was a Win95 game and I was running a tweaked 2.8C GHz, I got kinda suspicious. I'm almost sure someone stuck on to me just to prove he could :p

    Now just to do some reading about KProcCheck....
     
  8. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    if you put >whatever.txt at the end of the cmd it will save a log in the directory you run it from.
    i.e.
    kproccheck -d >kproccheck.txt
     
  9. Paranoid

    Paranoid Registered Member

    Joined:
    Mar 18, 2005
    Posts:
    9
    Location:
    Melbourne, Australia
    I've got good news and bad news.

    The good news is: I won't have to worry about the kernel-level rootkit anymore (assuming what I read about this thing is correct).

    The bad news is: My computer has totally locked up. This occurred when switching back to safe mode after running more diagnostics with the trojan running. The computer boots into Windows fine, but then stops with this message and a memory dump:

    CONFIG_LIST_FAILED
    ***STOP: 0x00000073 (0x00000001, 0x500017D, 0x00000002, 0xF83F6BB8)

    Rebooting via a bootdisk doesn't help: the C: is invisible to the bios. FDisk notices the partitions but gives no volume listing. I will probably go for a total wipe in the shop later.

    I'm sorry, I think the bad guys won this time around. :'(

    Edit: A quick search for the error, however, reveals that the reason my system failed to boot is because there is no more hard disk space on the drive. I guess letting those .tmps accumulate was a bad idea.... now to change this thread to a BIOS one.... :blink:
     
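A small triage helper for the STOP line quoted in the post above, added here as an example (it is not from the thread or from any tool mentioned in it): it undoes the board's `8)` to `:cool:` emoticon substitution, parses the bugcheck code and its four parameters, and names the code so the reader can check a disk-full or hive-load cause before assuming the rootkit did it. The bugcheck name table and the triage hints are my own short lists, not a complete reference.

```python
import re

# Short table of documented Windows bugcheck codes (assumed subset, not exhaustive).
BUGCHECK_NAMES = {
    0x00000050: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x00000073: "CONFIG_LIST_FAILED",
    0x00000074: "BAD_SYSTEM_CONFIG_INFO",
    0x0000007B: "INACCESSIBLE_BOOT_DEVICE",
    0x000000D1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}

# Defender-side triage hints for the codes above (my own wording).
TRIAGE_HINTS = {
    "CONFIG_LIST_FAILED": ("a core registry hive could not be loaded; check free disk "
                           "space and the hive files before blaming malware"),
    "BAD_SYSTEM_CONFIG_INFO": "the SYSTEM hive is damaged or truncated",
    "INACCESSIBLE_BOOT_DEVICE": "boot volume or its driver is missing at boot time",
}

STOP_RE = re.compile(r"STOP:\s*0x([0-9A-Fa-f]+)\s*\(([^)]*)\)", re.IGNORECASE)


def unmangle_emoticons(line):
    # Forum software rendered the trailing "8)" of the last parameter as the
    # ":cool:" smiley (assumed mapping taken from the quoted post); restore it.
    return line.replace(":cool:", "8)")


def parse_stop_line(line):
    """Return {'code', 'name', 'params', 'hint'} for a '*** STOP:' line, else None."""
    m = STOP_RE.search(unmangle_emoticons(line))
    if not m:
        return None
    code = int(m.group(1), 16)  # int() accepts the 0x prefix in base 16
    params = [int(p.strip(), 16) for p in m.group(2).split(",") if p.strip()]
    name = BUGCHECK_NAMES.get(code, "UNKNOWN_BUGCHECK")
    return {"code": code, "name": name, "params": params,
            "hint": TRIAGE_HINTS.get(name, "no hint on file; look up the code")}


def scan_log(text):
    """Scan pasted forum/log text and return every STOP line that parses."""
    return [r for r in (parse_stop_line(l) for l in text.splitlines()) if r]


# Constructed sample: the post's STOP line as the board mangled it, plus noise.
SAMPLE = """CONFIG_LIST_FAILED
***STOP: 0x00000073 (0x00000001, 0x500017D, 0x00000002, 0xF83F6BB:cool:
Rebooting via a bootdisk doesn't help."""
```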