Amazingly-coded rootkit?!

Hi all. I've recently contracted what I found out to be W32.Mazocker.A(taken from CA's definition), a trojan that is stealthed. If you read their description, it would indicate that this trojan spits out some tmp*.tmp files. These files, on average, are the size of about .5 gigs each, and are churned out as fast as possible when I boot up my computer. It disables my Sygate firewall as well as Norton AV on bootup. As mentioned, the trojan is stealthed, and all my attempts to find it so far have come to nought (including looking into the registry at indicated areas). The only indication something was even wrong was the fact that the hard disk was spinning furiously as Norton picked up the files (PWSteal.Trojan, but the analysis seems to be a little off). The Task Manager read 4% ram usage, and the 'busy' lights were -not- blinking.

Amazing, no?

Software I've tried: Ad-aware, AntiVir, AVG, RootkitRevealer, TDS-3, HijackThis, a2(a-squared), Bitdefender, and Norton of course. None seem to pick up anything is even remotely amiss. Any ideas? I'm pretty close to reformatting my drive.

 

Not even a peep from a famous website?

 

Honestly, if I thought I had a rootkit on my system, I would format immediatly (making sure to have all security in place before connecting to the internet.) You would want to make sure there are NO traces left.

First, however, you can try updating TDS-3, going into 'scan options' and putting a check in all options except "Show all NTFS/ADS Streams", then scan in safe mode. If you're still intent on finding it, or do find it and want/need help, try posting a link to this thread in the TDS-3 forum.

 

I would suggest slaving the infected drive off a clean protected system and run a scan with TDS3 and a up-to-date Anti-virus program.

Hope this helps.

Let us know how you go...

Cheers

 

i'd format too.

you can try, when you boot up and connect to the internet, before you do anything else open a dos prompt - start>run>cmd>OK then type in netstat -ano and have alook at what is listening and what is established and noting that down along with the port numbers and the PIDs and posting back what you see

 

Thanks for the prompt reply. I'm running in safe mode now, scanning with the options mentioned earlier. So far the only thing turning up is dual extensions, which are of my own devising. Will try the slaving off bit once I get some time to muck around with the computer. Netstat indicates the TCP ports 135 and 445 are open and listening, as well as their UDP counterparts, among others (1026, 1040, 1142, 1142, 1170, 1133, 1137, 9 on the UDP). Not sure how the trojan did that, but grc.com tells me I'm still covered up so thats good. I configured my router to block all traffic passing through those ports anyway so it shouldn't be a problem. I'll create the link to this thread in the TDS forums once the TDS scan finishes.

Thanks again.

 

did you note down the PIDs too? if so you can have alook at what it is that is using the ports

 

Does anything show using ProcessExplorer? Set up the base view to display command line and image path (View>Select Columns; check Image Path and Command Line). Double click on a process and hit the TCP/IP tab to assess port usage.

Blue

 

Oh. From what I saw, everything belonged to either the System process (PID 4, opened the 445 port) or svchost.exe (TCP port 135 as well as everything else.) And no, I'm not running ProcessExplorer. I apparently don't have the options for Image Path/Commandline.

 

My bad, I misread that. No, I don't have ProcessExplorer. I might physically disconnect my computer and try running it while the temp files get churned out. Usually takes a while though Like 20 seconds to process a mouse click. I'll tell you what I find.

 

In and of itself, this is normal behavior. If you have 20 seconds between mouse clicks, try to identify where the PCU cycles are being spent. The default process tree view is probably best for now.

Blue

 

Hi,

Just click on the link to download UnHackme.
It's very simple to use and you'll know if you're infected or not by usuals rootkits:

http://www.greatis.com/unhackme.zip


Nb: Image : AV test with AFXRootkit2005:

 

This link may be helpful:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41658

Pilli

 

Check out F-secure's new Blacklight technology, they do have a timelimited beta availabe for download at their site www.f-secure.com

 

If all else fails. You may want to download "kaspersky personal pro" Here's the link. http://www.kaspersky.com/trials?chapter=154373188 It maybe more trouble than it's worth though. You would have to uninstall norton antivirus first.

If nothing else works. You may just have to reformat. Kaspersky personal pro is supposed to be one of the best at catching trojans. It's trial version is good for, I believe 30 days. Hopefully, Tds3 should catch this. Maybe you can get it configured correctly. If it's not already. Good luck.

I wouldn't want no stealth trojan on my computer.

 

That's what I'm thinking. I hope it doesn't just detect the .tmp files though.

Oh, here's the thread I made in the TDS forums as well, just in case you wanna look there or something.

https://www.wilderssecurity.com/showthread.php?t=71095

 

You might like another look with ProcX.
https://www.wilderssecurity.com/showthread.php?t=71138

 

Did I miss the part in this thread or the TDS thread where the TDS scan finished and you shared your results

 

Nah, Bubba, you missed nothing. I don't think TDS has a scan log function, but nothing has turned up (other than dual extensions which I made with full knowledge), if you were wondering I'm downloading Kaspersky now. ProcX looks very good. I like it. I ran it with the Trojan active. Still looks like it's successfully hiding, though, since RAM usage is still minimal even though the hard drive is spinning like a top.

 

In TDS: after the scanning, in the alerts window at the bottom rightclick on one of the alerts and choose "save to text.
This Scandump.txt you can past in your next posting.
But be so kind as to scan with all options checked and worm slider on highr\est sensitivity, all other scanners downed, etc etc and unnecessary programs closed temporary to speed up the scanning and you don't have to wait that long for results.

Now we're even more interested to have you sending your sample in (address in my sig below) since you know to activate it.

 

Just make sure that you have it set not to hide 'protected operating system files', you can check this by going into any explorer window (ie "My Computer"), clicking Tools > Folder Options, switching to the "View" tab, and make sure there is not a check in "Hide protected operating system files (recommended)"

 

http://www.security.org.sg/code/kproccheck.html

Have you tried running this one yet? (Sample output from my computer below, using all switches):

"C:\Program Files\KProcCheck-0.2beta1\KProcCheck>KProcCheck.exe -p
KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

Process list by traversal of ActiveProcessLinks

4 - System
112 - explorer.exe
252 - RioMSC.exe
260 - wmiprvse.exe --[Zombie]--
340 - locator.exe
420 - SnoopFreeSvc.ex
456 - smss.exe
512 - svchost.exe
532 - pgaccount.exe
568 - csrss.exe
596 - ups.exe
628 - winlogon.exe
712 - services.exe
732 - lsass.exe
804 - userinit.exe --[Zombie]--
868 - mrublaster.exe --[Zombie]--
920 - svchost.exe
988 - svchost.exe
1052 - svchost.exe
1108 - logonui.exe --[Zombie]--
1220 - svchost.exe
1400 - spyblocker.exe
1404 - spoolsv.exe
1428 - cmd.exe --[Zombie]--
1532 - alg.exe
1540 - mrublaster.exe --[Zombie]--
1632 - wuauclt.exe --[Zombie]--
1704 - mainserv.exe
1712 - opera.exe
1744 - DCSUserProt.exe
1772 - eraserl.exe --[Zombie]--
1784 - ewidoctrl.exe
1796 - ewidoguard.exe
1880 - nod32krn.exe
1892 - nod32kui.exe
1912 - pctspk.exe
1972 - PGPServ.exe
2000 - NWClient.exe
2028 - imapi.exe --[Zombie]--
2084 - mrublaster.exe --[Zombie]--
2092 - gcasServ.exe
2192 - nwiz.exe --[Zombie]--
2200 - mrublaster.exe --[Zombie]--
2228 - gcasDtServ.exe
2236 - mrublaster.exe --[Zombie]--
2256 - rundll32.exe --[Zombie]--
2296 - rkdetector.exe --[Zombie]--
2336 - mrublaster.exe --[Zombie]--
2416 - msimn.exe --[Zombie]--
2540 - regedit.exe --[Zombie]--
2560 - mrublaster.exe --[Zombie]--
2620 - mrublaster.exe --[Zombie]--
2652 - jusched.exe
2696 - srmclean.exe --[Zombie]--
2720 - notepad.exe --[Zombie]--
2728 - SnoopFreeUI.exe
2788 - TeaTimer.exe
2820 - mrublaster.exe --[Zombie]--
2892 - procguard.exe
2904 - iexplore.exe --[Zombie]--
2924 - fsbl.exe --[Zombie]--
2964 - mrublaster.exe --[Zombie]--
2972 - mrublaster.exe --[Zombie]--
3036 - hackmon.exe
3096 - mrublaster.exe --[Zombie]--
3100 - mrublaster.exe --[Zombie]--
3108 - KProcCheck.exe
3124 - cmd.exe
3224 - mrublaster.exe --[Zombie]--
3228 - Display.exe --[Zombie]--
3244 - notepad.exe --[Zombie]--
3360 - PGPtray.exe
3428 - ShadowUser.exe
3472 - MWSnap.exe --[Zombie]--
3528 - scheduler.exe
3688 - MWSnap.exe
3712 - KProcCheck.exe --[Zombie]--
3752 - apcsystray.exe
3756 - mrublaster.exe --[Zombie]--
3768 - RootkitRevealer --[Zombie]--
3772 - notepad.exe --[Zombie]--
3788 - notepad.exe --[Zombie]--
3848 - cookiem.exe
3912 - rkdetector.exe --[Zombie]--
3916 - idblasterplus.e
3988 - sgmain.exe
3996 - mrublaster.exe --[Zombie]--
4072 - sgbhp.exe

Total number of processes = 88

C:\Program Files\KProcCheck-0.2beta1\KProcCheck>KProcCheck.exe -s
KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

Process list by traversal of KiWaitListHead

4 - System
112 - explorer.exe
420 - SnoopFreeSvc.ex
532 - pgaccount.exe
568 - csrss.exe
628 - winlogon.exe
712 - services.exe
732 - lsass.exe
920 - svchost.exe
988 - svchost.exe
1052 - svchost.exe
1532 - alg.exe
1704 - mainserv.exe
1712 - opera.exe
1744 - DCSUserProt.exe
1784 - ewidoctrl.exe
1796 - ewidoguard.exe
1880 - nod32krn.exe
1892 - nod32kui.exe
1972 - PGPServ.exe
2000 - NWClient.exe
2092 - gcasServ.exe
2228 - gcasDtServ.exe
2788 - TeaTimer.exe
2892 - procguard.exe
3124 - cmd.exe
3360 - PGPtray.exe
3428 - ShadowUser.exe
3528 - scheduler.exe
3752 - apcsystray.exe
3848 - cookiem.exe
3916 - idblasterplus.e
3988 - sgmain.exe
4072 - sgbhp.exe

Total number of processes = 34
NOTE: Under WinXP, this will not show all processes.

C:\Program Files\KProcCheck-0.2beta1\KProcCheck>KProcCheck.exe -d
KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

Driver/Module list by traversal of PsLoadedModuleList

804D7000 - \WINDOWS\system32\ntoskrnl.exe
806EC000 - \WINDOWS\system32\hal.dll
F7B2D000 - \WINDOWS\system32\KDCOM.DLL
F7A3D000 - \WINDOWS\system32\BOOTVID.dll
F7A41000 - SnopFree.sys
F75DE000 - ACPI.sys
F7B2F000 - \WINDOWS\System32\DRIVERS\WMILIB.SYS
F75CD000 - pci.sys
F762D000 - isapnp.sys
F763D000 - ohci1394.sys
F764D000 - \WINDOWS\System32\DRIVERS\1394BUS.SYS
F7A45000 - compbatt.sys
F7A49000 - \WINDOWS\System32\DRIVERS\BATTC.SYS
F7B31000 - viaide.sys
F78AD000 - \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
F765D000 - MountMgr.sys
F75AE000 - ftdisk.sys
F7B33000 - dmload.sys
F7588000 - dmio.sys
F78B5000 - PartMgr.sys
F766D000 - VolSnap.sys
F7570000 - atapi.sys
F767D000 - disk.sys
F768D000 - \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
F7551000 - fltmgr.sys
F7535000 - Shadow.sys
F751E000 - KSecDD.sys
F7491000 - Ntfs.sys
F7464000 - NDIS.sys
F769D000 - vvoice.sys
F7402000 - vpctcom.sys
F736E000 - vmodem.sys
F7353000 - Mup.sys
F76AD000 - amdagp.sys
F76DD000 - \SystemRoot\System32\DRIVERS\processr.sys
F713B000 - \SystemRoot\System32\DRIVERS\nv4_mini.sys
F7127000 - \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
F76ED000 - \SystemRoot\System32\DRIVERS\nic1394.sys
F76FD000 - \SystemRoot\system32\drivers\es1371mp.sys
F7103000 - \SystemRoot\system32\drivers\portcls.sys
F770D000 - \SystemRoot\system32\drivers\drmk.sys
F70E0000 - \SystemRoot\system32\drivers\ks.sys
F78ED000 - \SystemRoot\System32\DRIVERS\SMC1211.SYS
F70C4000 - \SystemRoot\System32\DRIVERS\ptserlp.sys
F78FD000 - \SystemRoot\System32\Drivers\Modem.SYS
F70B0000 - \SystemRoot\System32\DRIVERS\parport.sys
F771D000 - \SystemRoot\System32\DRIVERS\serial.sys
F7AE1000 - \SystemRoot\System32\DRIVERS\serenum.sys
F7915000 - \SystemRoot\System32\DRIVERS\fdc.sys
F772D000 - \SystemRoot\System32\DRIVERS\i8042prt.sys
F791D000 - \SystemRoot\System32\DRIVERS\mouclass.sys
F773D000 - \SystemRoot\System32\Drivers\PGPsdk.sys
F7925000 - \SystemRoot\System32\DRIVERS\kbdclass.sys
F7935000 - \SystemRoot\System32\Drivers\MxlW2k.SYS
F774D000 - \SystemRoot\System32\DRIVERS\cdrom.sys
F775D000 - \SystemRoot\System32\DRIVERS\imapi.sys
F776D000 - \SystemRoot\System32\DRIVERS\redbook.sys
F794D000 - \SystemRoot\System32\DRIVERS\usbuhci.sys
F6FED000 - \SystemRoot\System32\DRIVERS\USBPORT.SYS
F7C9B000 - \SystemRoot\System32\DRIVERS\audstub.sys
F777D000 - \SystemRoot\System32\DRIVERS\rasl2tp.sys
F7AF5000 - \SystemRoot\System32\DRIVERS\ndistapi.sys
F6FD6000 - \SystemRoot\System32\DRIVERS\ndiswan.sys
F778D000 - \SystemRoot\System32\DRIVERS\raspppoe.sys
F779D000 - \SystemRoot\System32\DRIVERS\raspptp.sys
F796D000 - \SystemRoot\System32\DRIVERS\TDI.SYS
F6FC5000 - \SystemRoot\System32\DRIVERS\psched.sys
F77AD000 - \SystemRoot\System32\DRIVERS\msgpc.sys
F797D000 - \SystemRoot\System32\DRIVERS\ptilink.sys
F798D000 - \SystemRoot\System32\DRIVERS\raspti.sys
F6F6C000 - \SystemRoot\System32\DRIVERS\rdpdr.sys
F77BD000 - \SystemRoot\System32\DRIVERS\termdd.sys
F7B3B000 - \SystemRoot\System32\DRIVERS\swenum.sys
F6F38000 - \SystemRoot\System32\DRIVERS\update.sys
F7B19000 - \SystemRoot\System32\DRIVERS\mssmbios.sys
F77CD000 - \SystemRoot\System32\DRIVERS\usbhub.sys
F7B3F000 - \SystemRoot\System32\DRIVERS\USBD.SYS
F77DD000 - \SystemRoot\System32\Drivers\NDProxy.SYS
F7317000 - \SystemRoot\System32\DRIVERS\gameenum.sys
F799D000 - \SystemRoot\System32\DRIVERS\flpydisk.sys
F7B49000 - \SystemRoot\System32\Drivers\Fs_Rec.SYS
F7C20000 - \SystemRoot\System32\Drivers\Null.SYS
F7B4D000 - \SystemRoot\System32\Drivers\Beep.SYS
F79BD000 - \SystemRoot\System32\DRIVERS\HIDPARSE.SYS
F79C5000 - \SystemRoot\System32\drivers\vga.sys
F7B51000 - \SystemRoot\System32\Drivers\mnmdd.SYS
F7B55000 - \SystemRoot\System32\DRIVERS\RDPCDD.sys
F79D5000 - \SystemRoot\System32\Drivers\Msfs.SYS
F79E5000 - \SystemRoot\System32\Drivers\Npfs.SYS
F7ACD000 - \SystemRoot\System32\DRIVERS\rasacd.sys
F5DDD000 - \SystemRoot\System32\DRIVERS\ipsec.sys
F5D85000 - \SystemRoot\System32\DRIVERS\tcpip.sys
F7ADD000 - \SystemRoot\System32\drivers\ws2ifsl.sys
F5D64000 - \SystemRoot\System32\DRIVERS\ipnat.sys
F77FD000 - \SystemRoot\System32\DRIVERS\wanarp.sys
F5D42000 - \SystemRoot\System32\drivers\afd.sys
F780D000 - \SystemRoot\System32\DRIVERS\arp1394.sys
F781D000 - \SystemRoot\System32\DRIVERS\netbios.sys
F5C77000 - \SystemRoot\System32\DRIVERS\rdbss.sys
F5C08000 - \SystemRoot\System32\DRIVERS\mrxsmb.sys
F782D000 - \SystemRoot\System32\Drivers\Fips.SYS
F7C45000 - \??\C:\Program Files\ewido\security suite\guard.sys
F7AFD000 - \SystemRoot\System32\DRIVERS\hidusb.sys
F783D000 - \SystemRoot\System32\DRIVERS\HIDCLASS.SYS
F7C49000 - \SystemRoot\System32\Drivers\BANTExt.sys
F785D000 - \SystemRoot\System32\Drivers\Cdfs.SYS
F7A1D000 - \SystemRoot\System32\DRIVERS\usbccgp.sys
F6FA5000 - \SystemRoot\System32\Drivers\SMCLIB.SYS
F6FA1000 - \SystemRoot\System32\DRIVERS\kbdhid.sys
F5BC8000 - \SystemRoot\System32\Drivers\dump_atapi.sys
F7B5B000 - \SystemRoot\System32\Drivers\dump_WMILIB.SYS
BF800000 - \SystemRoot\System32\win32k.sys
F78CD000 - \SystemRoot\System32\watchdog.sys
F6F1C000 - \SystemRoot\System32\drivers\Dxapi.sys
BF9C1000 - \SystemRoot\System32\drivers\dxg.sys
F7CF6000 - \SystemRoot\System32\drivers\dxgthk.sys
BF9D3000 - \SystemRoot\System32\nv4_disp.dll
F4B53000 - \??\C:\WINDOWS\system32\Drivers\truecrypt.sys
F4A3B000 - \SystemRoot\System32\DRIVERS\netbt.sys
F7CEE000 - \??\C:\WINDOWS\System32\socketlock.sys
F4B93000 - \SystemRoot\System32\DRIVERS\ndisuio.sys
F40F6000 - \SystemRoot\System32\DRIVERS\mrxdav.sys
F7BB7000 - \SystemRoot\System32\Drivers\ParVdm.SYS
F40A4000 - \SystemRoot\System32\Drivers\PGPdisk.SYS
F405B000 - \??\C:\WINDOWS\System32\drivers\amon.sys
F3E78000 - \SystemRoot\System32\DRIVERS\srv.sys
F7905000 - \??\C:\WINDOWS\system32\drivers\procguard.sys
F3AF3000 - \SystemRoot\system32\drivers\wdmaud.sys
F4AAB000 - \SystemRoot\system32\drivers\sysaudio.sys
F7CB9000 - \??\C:\WINDOWS\system32\Drivers\RKREVEAL110.SYS
F2F60000 - \SystemRoot\system32\drivers\kmixer.sys
F7D52000 - \SystemRoot\System32\DRIVERS\KProcCheck.sys

Total number of drivers = 132

C:\Program Files\KProcCheck-0.2beta1\KProcCheck>KprocCheck -t
KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

Checks SDT for Hooked Native APIs

KeServiceDescriptorTable 80559B80
KeServiceDescriptorTable.ServiceTable 804E2D20
KeServiceDescriptorTable.ServiceLimit 284

ZwCreateFile 25 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7908C90]
ZwCreateKey 29 \??\C:\WINDOWS\system32\drivers\procguard.sys [F790772C]
ZwCreateProcessEx 30 SnopFree.sys [F7A419E4]
ZwCreateSymbolicLinkObject 34 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7908356]
ZwCreateThread 35 \??\C:\WINDOWS\system32\drivers\procguard.sys [F79086C6]
ZwFsControlFile 54 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7908DDA]
ZwOpenFile 74 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7908AD8]
ZwOpenKey 77 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7907682]
ZwOpenProcess 7A \??\C:\Program Files\ewido\security suite\guard.sys [F7C4568C]
ZwOpenSection 7D \??\C:\WINDOWS\system32\drivers\procguard.sys [F7908190]
ZwProtectVirtualMemory 89 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7908104]
ZwReadVirtualMemory BA \??\C:\WINDOWS\system32\drivers\procguard.sys [F79080D0]
ZwRequestWaitReplyPort C8 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7905CE2]
ZwSetContextThread D5 \??\C:\WINDOWS\system32\drivers\procguard.sys [F79089DE]
ZwSetSystemInformation F0 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7909550]
ZwSetValueKey F7 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7907ABE]
ZwSuspendProcess FD \??\C:\WINDOWS\system32\drivers\procguard.sys [F790813C]
ZwSuspendThread FE \??\C:\WINDOWS\system32\drivers\procguard.sys [F7908A32]
ZwTerminateProcess 101 \??\C:\WINDOWS\system32\drivers\procguard.sys [F79080A6]
ZwTerminateThread 102 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7908A08]
ZwWriteVirtualMemory 115 \??\C:\WINDOWS\system32\drivers\procguard.sys [F7907FCA]

Number of Service Table entries hooked = 21

C:\Program Files\KProcCheck-0.2beta1\KProcCheck>KprocCheck -g
KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

Checks Shadow SDT for Hooked Native GDI APIs

KeServiceDescriptorTableShadow 80559B40
KeServiceDescriptorTableShadow.SDE[1].ServiceTable BF997600
KeServiceDescriptorTableShadow.SDE[1].ServiceLimit 667

Entry 7 Hooked - snopfree.sys [F7A41E85]
Entry D Hooked - snopfree.sys [F7A41E01]
Entry BF Hooked - snopfree.sys [F7A41F13]
Entry E9 Hooked - snopfree.sys [F7A41EBC]
Entry 124 Hooked - snopfree.sys [F7A41E43]
Entry 17F Hooked - snopfree.sys [F7A41F46]
Entry 1CC Hooked - snopfree.sys [F7A41DA8]
Entry 1DD Hooked - snopfree.sys [F7A41FC6]
Entry 225 Hooked - \??\C:\WINDOWS\system32\drivers\procguard.sys [F79093EC]

Number of GDI Service Table entries hooked = 9

C:\Program Files\KProcCheck-0.2beta1\KProcCheck>KProcCheck -u
KProcCheck Version 0.2-beta1 Proof-of-Concept by SIG^2 (www.security.org.sg)

Support driver successfully unloaded."

Looking at the results of mine, can you see anywhere in that info anything that is likely to help you in what you're looking for at the moment? Pete

 

So I got some time today, and I ran a few tests using the software mentioned here, both in safe mode and in normal startup (which activates the trojan, naturally). I've taken screenies where possible, since I'm not an expert at system processes and will need your help distinguishing what's what.

Some things to note:

• In safe mode I run on minimal (msconfig's /safeboot) settings.
• KProcCheck cannot run (kernel support driver not loaded or somesuch) in safe mode.
• Kaspersky cannot be installed in either startup mode (unable to install InstallShield Scripting Runtime), but I think this might be due to me having installed other AVs. I'll look this one up.
• Process Explorer 'does not have debug privileges and runs with reduced capabilities' in safe mode.
• Nprotect still dies on normal startup, but surprisingly can still function (it still detects the tmp files).
• UnHackMe finds nothing in both modes.
• Antivir finds nothing in safe mode, did not run in normal (would've taken a matter of days at the rate it was scanning )
• A-squared finds nothing in safe mode.

The following replies contain screenies for ProcX and Process Explorer for both modes except KProcCheck, since it doesn't work in Safe Mode, and TDS (too long as well). The .rar attached has the TDS and HijackThis logs (change extension back to .rar before unzipping, naturally). Please take a look and tell me what you think. Thanks again.

PS. One last thing. I think we must deduce that the securers.dll file is actually STILL running even in safe mode, since none of the associated bad files are showing up. This is creepy.

 

ProcX in Safe Mode

Pretty bare here...

 

In normal startup, I have the Google Mail notifier, Sygate firewall, a custom skinning software package (ObjectBar and gang), an IP Filter (Protowall) and a HTTP Proxy (Proxomitron) running... so I can tell you about some of the files if they look suspicious.