BleepingComputer.com: Hacktool Rootkit virus

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 3 Pages +
  • 1
  • 2
  • 3
  • You cannot start a new topic
  • This topic is locked

Hacktool Rootkit virus Can't remove it

#1 User is offline   Jlegion 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 22
  • Joined: 19-November 09

  Posted 20 November 2009 - 01:10 PM

I started getting redirected from search links. Then it also started to open new tabs and/or windows to other sites. My Windows Explorer keeps stopping and having to close and restart. It took a couple scans for my Norton 360 to find it but said it cleaned a hacktool rootkit virus, but the problems still persisted after reboot. I have gone through most of my processes and registry and have removed everything I found that shouldn't have been there and have ran more scans with ccleaner, Microsoft Malicious Software remover, Norton, Spyware Doctor and they still don't find anything. And last night it started to play radio out of nowhere without opening any programs and I can't find it in the processes anywhere. I also couldn't rune the RootRepeal because it would lock entire computer up and sometimes give me blue screen.

DDS (Ver_09-10-26.01) - NTFSx86
Run by Administrator at 12:04:55.98 on Fri 11/20/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1133 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS\AASP\1.00.33\aaCenter.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ASUS\PC Probe II\Probe2.exe
C:\Windows\System32\wpcumi.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k regsvc
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton 360\Engine\3.5.2.11\ccSvcHst.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\Taskmgr.exe
C:\Users\Administrator\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.5.2.11\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.5.2.11\coIEPlg.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [AdobeBridge]
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Launch PC Probe II] "c:\program files\asus\pc probe ii\Probe2.exe" 1
mRun: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15109/CTPID.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton 360\engine\3.5.2.11\CoIEPlg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\appdata\roaming\mozilla\firefox\profiles\lxjkc682.default\
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-18 207280]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0305020.00b\SymEFA.sys [2009-8-31 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0305020.00b\BHDrvx86.sys [2009-8-31 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0305020.00b\cchpx86.sys [2009-8-31 482432]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20091111.001\IDSvix86.sys [2009-11-12 343088]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-11-18 112592]
R2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.5.2.11\ccSvcHst.exe [2009-8-31 117640]
R2 wlidsvc;Windows Live ID Sign-in Assistant;c:\program files\common files\microsoft shared\windows live\WLIDSVC.EXE [2009-3-30 1533808]
R3 c65013264;C-Media CM6501 Like Sound UDAX Interface;c:\windows\system32\drivers\c6501.sys [2009-1-10 1298944]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-26 102448]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\n360\0305020.00b\symndisv.sys [2009-8-31 48688]
S2 gupdate1c9cdcf85b107a4;Google Update Service (gupdate1c9cdcf85b107a4);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 Creative ALchemy AL6 Licensing Service;Creative ALchemy AL6 Licensing Service;c:\program files\common files\creative labs shared\service\AL6Licensing.exe [2009-9-22 79360]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-9-22 79360]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-4-18 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 rootrepeal;rootrepeal;c:\windows\system32\drivers\rootrepeal.sys [2009-11-20 34816]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-18 358600]

=============== Created Last 30 ================

2009-11-20 17:36:58 34816 ----a-w- c:\windows\system32\drivers\rootrepeal.sys
2009-11-19 19:14:43 0 ----a-w- c:\windows\system32\settings.dat
2009-11-19 09:03:31 0 d-----w- c:\program files\Trend Micro
2009-11-19 04:54:52 883 ----a-w- c:\windows\RegSDImport.xml
2009-11-19 04:54:52 880 ----a-w- c:\windows\RegISSImport.xml
2009-11-19 04:54:52 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-19 04:54:52 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-19 04:54:52 1636304 ----a-w- c:\windows\PCTBDCore.dll
2009-11-19 04:54:52 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-19 04:54:52 131 ----a-w- c:\windows\IDB.zip
2009-11-19 04:54:52 1152470 ----a-w- c:\windows\UDB.zip
2009-11-19 04:53:21 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-11-19 04:53:20 97208 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2009-11-19 04:53:20 229304 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-19 04:53:16 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-19 04:53:16 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-11-19 04:53:16 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-11-19 04:53:16 207280 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-19 04:53:05 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-11-19 04:53:05 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-19 04:52:51 0 d-----w- c:\users\admini~1\appdata\roaming\PC Tools
2009-11-19 04:52:51 0 d-----w- c:\programdata\PC Tools
2009-11-19 04:52:51 0 d-----w- c:\program files\Spyware Doctor
2009-11-19 04:52:51 0 d-----w- c:\program files\common files\PC Tools
2009-11-19 04:17:07 0 d-----w- c:\program files\CCleaner
2009-11-18 05:15:46 0 d-----w- C:\$WINDOWS.~BT
2009-11-14 01:38:09 65 ----a-w- c:\windows\FISHUI.INI
2009-11-11 02:14:12 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 02:14:06 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-10 05:17:50 0 d-----w- c:\program files\Windows Portable Devices
2009-11-10 05:17:40 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-10 05:17:12 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-10 05:16:07 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-11-10 05:16:01 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-11-10 05:16:01 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-11-10 05:13:54 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-11-10 05:12:33 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-11-10 05:12:32 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-11-10 05:12:32 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-11-10 05:11:55 48823 ----a-w- c:\programdata\nvModes.dat
2009-11-05 18:00:29 24 ---h--w- c:\windows\msbgctb.ini
2009-11-05 18:00:29 24 ---h--w- c:\windows\msbgcta.ini
2009-11-05 17:59:37 137000 ----a-w- c:\windows\system32\msmapi32.ocx
2009-11-04 16:43:21 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-01 19:59:47 0 d-----w- c:\programdata\Research In Motion
2009-11-01 19:58:57 67 ----a-w- c:\windows\Power Video Converter.INI
2009-11-01 19:58:29 0 d-----w- c:\program files\Power Video Converter
2009-10-28 21:37:49 0 d-----w- c:\users\administrator\.idlerc
2009-10-28 16:14:30 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 16:14:29 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-26 18:29:13 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-26 18:28:28 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-26 18:28:11 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-26 18:28:11 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-26 01:29:53 722416 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-10-22 15:34:01 549 ----a-w- c:\users\admini~1\appdata\roaming\settings.dat

==================== Find3M ====================

2009-11-14 04:10:23 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-10 05:32:16 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-11-10 05:32:16 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-11-10 05:31:04 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-10 05:31:02 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-10 05:17:48 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-16 08:11:56 1168896 ----a-w- c:\windows\system32\drivers\P17.sys
2009-10-11 10:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-07 16:05:14 232712 ----a-w- c:\windows\system32\PDBoot.exe
2009-10-02 16:50:28 315392 ----a-w- c:\windows\system32\TubeFinder.exe
2009-10-02 15:02:45 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:05 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:54 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01:54 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01:50 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01:49 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01:49 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41:26 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41:26 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41:26 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41:26 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27:25 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27:04 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-10 16:48:01 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 11:41:59 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-25 08:31:18 613503 ----a-w- c:\windows\system32\APOIM32.exe
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-05-29 17:39:07 8 --sha-r- c:\windows\system32\5B02780D30.sys
2008-05-29 17:39:08 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 12:06:02.14 ===============
Attached File  Attach.txt (15.68K)
Number of downloads: 8

#2 User is offline   Jlegion 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 22
  • Joined: 19-November 09

Posted 20 November 2009 - 05:23 PM

ok I opened CMD and waited for the music to start. here is a list of dll's that the process was running


Image Name PID Modules
========================= ======== ============================================
iexplore.exe 4228 ntdll.dll, kernel32.dll, ADVAPI32.dll,
RPCRT4.dll, USER32.dll, GDI32.dll,
msvcrt.dll, SHLWAPI.dll, SHELL32.dll,
ole32.dll, iertutil.dll, urlmon.dll,
OLEAUT32.dll, IMM32.DLL, MSCTF.dll,
LPK.DLL, USP10.dll, comctl32.dll,
comdlg32.dll, COMCTL32.dll, winmm.dll,
OLEACC.dll, WININET.dll, Normaliz.dll,
imagehlp.dll, mswsock.dll, WS2_32.dll,
NSI.dll, IEFRAME.dll, Secur32.dll,
NTMARTA.DLL, WLDAP32.dll, PSAPI.DLL,
SAMLIB.dll, VERSION.dll, wshtcpip.dll,
wship6.dll, NLAapi.dll, IPHLPAPI.DLL,
dhcpcsvc.DLL, DNSAPI.dll, WINNSI.DLL,
dhcpcsvc6.DLL, napinsp.dll, pnrpnsp.dll,
uxtheme.dll, winrnr.dll, rasadhlp.dll,
rsaenh.dll, apphelp.dll, CLBCatQ.DLL,
RASAPI32.dll, rasman.dll, NETAPI32.dll,
TAPI32.dll, rtutils.dll, USERENV.dll,
CRYPT32.dll, MSASN1.dll, credssp.dll,
schannel.dll, sensapi.dll, IEUI.dll,
MSIMG32.dll, ACTXPRXY.DLL, ieproxy.dll,
PROPSYS.dll, SETUPAPI.dll, xmllite.dll,
msfeeds.dll, SXS.DLL, MLANG.dll,
mssprxy.dll, msxml3.dll
iexplore.exe 5484 ntdll.dll, kernel32.dll, ADVAPI32.dll,
RPCRT4.dll, USER32.dll, GDI32.dll,
msvcrt.dll, SHLWAPI.dll, SHELL32.dll,
ole32.dll, iertutil.dll, urlmon.dll,
OLEAUT32.dll, IMM32.DLL, MSCTF.dll,
LPK.DLL, USP10.dll, comctl32.dll,
comdlg32.dll, COMCTL32.dll, winmm.dll,
OLEACC.dll, WININET.dll, Normaliz.dll,
imagehlp.dll, mswsock.dll, WS2_32.dll,
NSI.dll, IEFRAME.dll, IEShims.dll,
uxtheme.dll, USERENV.dll, Secur32.dll,
PROPSYS.dll, CLBCatQ.DLL, SETUPAPI.dll,
rsaenh.dll, ieproxy.dll, ACTXPRXY.DLL,
apphelp.dll, NTMARTA.DLL, WLDAP32.dll,
PSAPI.DLL, SAMLIB.dll, VERSION.dll,
RASAPI32.dll, rasman.dll, NETAPI32.dll,
TAPI32.dll, rtutils.dll, CRYPT32.dll,
MSASN1.dll, credssp.dll, schannel.dll,
sensapi.dll, wshtcpip.dll, MLANG.dll,
NLAapi.dll, IPHLPAPI.DLL, dhcpcsvc.DLL,
DNSAPI.dll, WINNSI.DLL, dhcpcsvc6.DLL,
rasadhlp.dll, wship6.dll, napinsp.dll,
pnrpnsp.dll, winrnr.dll, coIEPlg.dll,
MSVCP80.dll, MSVCR80.dll, ccL80U.dll,
RICHED20.DLL, SYMHTML.DLL,
AcroIEHelper.dll, PCTBrowserDefender.dll,
PCTBDCore.dll, dbghelp.dll, msxml3.dll,
mshtml.dll, msls31.dll, ccVrTrst.dll,
WinTrust.dll, EFACli.dll, ccSet.dll,
ccIPC.dll, coUICtlr.dll, coWPPlg.dll,
Cabinet.dll, WINHTTP.dll, isDataPr.dll,
IVPlugin.dll, FFPrefs.dll, rf.dll,
WINSPOOL.DRV, oledlg.dll, OLEPRO32.DLL,
ccGEvt.dll, coParse.dll, IPSBHO.DLL,
Scxpx86.dll, WindowsLiveLogin.dll,
msidcrl40.dll, hpswp_BHO.dll, gdiplus.dll,
UtilityLib.dll, RsrcLoaderLib.dll,
ATL80.DLL, NeoLoggingLib.dll,
SatelliteENU.dll, ClipBookDBComponent.dll,
SXS.DLL, msimtf.dll, jscript.dll,
ccsubeng.dll, iepeers.dll, Flash10c.ocx,
mscms.dll, wdmaud.drv, ksuser.dll,
MMDevAPI.DLL, AVRT.dll, AUDIOSES.DLL,
audioeng.dll, msacm32.drv, MSACM32.dll,
midimap.dll, ImgUtil.dll, pngfilt.dll,
MSOXMLMF.DLL

#3 User is offline   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,020
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 27 November 2009 - 08:19 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.


  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.


  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

----------------------------------------------

Can you run RootRepeal

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.

    First Location
    Second Location
    Third Location


  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

If I have helped you fix your PC then please donate to the anti-malware cause. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#4 User is offline   Jlegion 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 22
  • Joined: 19-November 09

Posted 30 November 2009 - 01:41 AM

no I can't it just freezes up my entire computer and I have to do a hard reboot

#5 User is offline   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,020
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 30 November 2009 - 04:41 PM

Okay, let's run a small program to try and work out what's orchestrating this all.

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


Then

Please copy the contents of the code box below, open notepad and paste it there. On the top toolbar in notepad select file, then save as. In the box that opens type in peek.bat for the file name. Right below that click the down arrow in the line for save as and select all files. Save this to your desktop and close notepad. 

@ECHO OFF
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
START Log.txt
DEL %0


Locate the peek.bat icon on your desktop and double click it. Then copy and paste the resulting log in your next reply.

Thanks :(
If I have helped you fix your PC then please donate to the anti-malware cause. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#6 User is offline   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,020
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 03 December 2009 - 08:24 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,

m0le
If I have helped you fix your PC then please donate to the anti-malware cause. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#7 User is offline   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,020
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 05 December 2009 - 07:38 AM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
If I have helped you fix your PC then please donate to the anti-malware cause. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#8 User is offline   Jlegion 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 22
  • Joined: 19-November 09

Posted 17 December 2009 - 05:10 PM

Win32kdiag.exe

Running from: C:\Users\Administrator\Desktop\Win32kDiag.exe

Log file at : C:\Users\Administrator\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...



Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

Attempting to restore permissions of : C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl



Finished!


Peek.bat

Volume in drive C has no label.
Volume Serial Number is FCD8-7D07

Directory of C:\WINDOWS\System32

04/11/2009 12:28 AM 177,152 scecli.dll

Directory of C:\WINDOWS\System32

04/11/2009 12:28 AM 592,896 netlogon.dll

Directory of C:\WINDOWS\System32

11/02/2006 03:46 AM 11,776 cngaudit.dll
3 File(s) 781,824 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6

11/02/2006 03:46 AM 11,776 cngaudit.dll
1 File(s) 11,776 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12

01/20/2008 08:24 PM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e

04/11/2009 12:28 AM 177,152 scecli.dll
1 File(s) 177,152 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857

01/20/2008 08:24 PM 592,384 netlogon.dll
1 File(s) 592,384 bytes

Directory of C:\WINDOWS\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3

04/11/2009 12:28 AM 592,896 netlogon.dll
1 File(s) 592,896 bytes

Total Files Listed:
8 File(s) 2,333,184 bytes
0 Dir(s) 404,312,649,728 bytes free

#9 User is offline   Jlegion 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 22
  • Joined: 19-November 09

Posted 17 December 2009 - 09:57 PM

Oh, and I don't have a desktop or system tray. I get a system shell error notification icon. I have to use the file system and use run through task manager, well Process explorer is what I use.

This post has been edited by Jlegion: 17 December 2009 - 09:59 PM

#10 User is offline   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,020
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 22 December 2009 - 05:46 PM

Download and Run RKill

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Then

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Thanks :(
If I have helped you fix your PC then please donate to the anti-malware cause. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#11 User is offline   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,020
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 27 December 2009 - 07:51 AM

Hi,

I have not had a reply from you for 5 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,

m0le
If I have helped you fix your PC then please donate to the anti-malware cause. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#12 User is offline   Jlegion 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 22
  • Joined: 19-November 09

Posted 27 December 2009 - 03:12 PM

yes I still have the issue and am doing the last suggestion now. I was at my family's for christmas

#13 User is offline   Jlegion 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 22
  • Joined: 19-November 09

Posted 27 December 2009 - 03:59 PM

rkill ran fine, but it would close my explorer.exe process. Comfix.exe doesn't work, the little blue box flashes to quick to read it all but it starts with Access Denied and restarts my computer. I saved it to my desktop and renamed it to comfix.exe as instructed. I also disabled my norton anti-virus and firewall before running. When I would run the Comfix.exe it would say that cd emulator engines were running and had to disable them before continuing, click ok, and that is when blue box would get writing in it, close and restart my pc. I am not sure if has anything to do with the problem with the program but as I stated before, I have no desktop or system tray. I have to use the explorer.exe process to access the file system and that is how I navigate my computer. Oh, and I have noticed that my USB's do not work.

#14 User is offline   m0le 

  • I know the drill!
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 27,020
  • Joined: 24-July 08
  • Gender:Male
  • Location:London, UK

Posted 27 December 2009 - 04:22 PM

Can you run ExeHelper and then Gmer

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Then

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
If I have helped you fix your PC then please donate to the anti-malware cause. Thanks

Posted Image
m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#15 User is offline   Jlegion 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 22
  • Joined: 19-November 09

Posted 27 December 2009 - 04:58 PM

exeHelper by Raktor
Build 20091220
Run at 15:34:28 on 12/27/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished

=====================================================================================================
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-27 15:56:09
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\uxldapod.sys


---- System - GMER 1.0.15 ----

SSDT 871A1150 ZwAlertResumeThread
SSDT 86F375D8 ZwAlertThread
SSDT 87372320 ZwAllocateVirtualMemory
SSDT 86BFE1D0 ZwAlpcConnectPort
SSDT 86AF3430 ZwAssignProcessToJobObject
SSDT 87300008 ZwCreateMutant
SSDT 87301920 ZwCreateSymbolicLinkObject
SSDT 86E56FB0 ZwCreateThread
SSDT 86FAB3C0 ZwDebugActiveProcess
SSDT 87372530 ZwDuplicateObject
SSDT 87346B28 ZwFreeVirtualMemory
SSDT 86FAADC0 ZwImpersonateAnonymousToken
SSDT 87003E28 ZwImpersonateThread
SSDT 86BDCE18 ZwLoadDriver
SSDT 873469C8 ZwMapViewOfSection
SSDT 86469810 ZwOpenEvent
SSDT 87372790 ZwOpenProcess
SSDT 86E1C150 ZwOpenProcessToken
SSDT 86F1AC48 ZwOpenSection
SSDT 87372640 ZwOpenThread
SSDT 8755FF80 ZwProtectVirtualMemory
SSDT 86BE56B8 ZwResumeThread
SSDT 874CC150 ZwSetContextThread
SSDT 86E7D818 ZwSetInformationProcess
SSDT 8727C150 ZwSetSystemInformation
SSDT 86FDE150 ZwSuspendProcess
SSDT 87309150 ZwSuspendThread
SSDT 86E41538 ZwTerminateProcess
SSDT 86E01E80 ZwTerminateThread
SSDT 87041410 ZwUnmapViewOfSection
SSDT 87346EB8 ZwWriteVirtualMemory
SSDT 87301E70 ZwCreateThreadEx

INT 0x52 ? 84059BF8
INT 0x62 ? 84059BF8
INT 0x63 ? 84058EB0
INT 0x84 ? 85871BF8
INT 0xB3 ? 84058EB0
INT 0xB4 ? 85871BF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 81EAC860 8 Bytes [50, 11, 1A, 87, D8, 75, F3, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 81EAC874 4 Bytes [20, 23, 37, 87]
.text ntkrnlpa.exe!KeSetEvent + 13D 81EAC880 4 Bytes [D0, E1, BF, 86]
.text ntkrnlpa.exe!KeSetEvent + 191 81EAC8D4 4 Bytes [30, 34, AF, 86]
.text ntkrnlpa.exe!KeSetEvent + 1F5 81EAC938 4 Bytes [08, 00, 30, 87]
.text ...
? System32\Drivers\spdy.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 87FE141B 5 Bytes JMP 858711D8

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[772] ole32.dll!CoCreateInstance 75EF9EA6 5 Bytes JMP 0098000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806116D6] \SystemRoot\System32\Drivers\spdy.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80611042] \SystemRoot\System32\Drivers\spdy.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [80611800] \SystemRoot\System32\Drivers\spdy.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806110C0] \SystemRoot\System32\Drivers\spdy.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8061113E] \SystemRoot\System32\Drivers\spdy.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [80620E9C] \SystemRoot\System32\Drivers\spdy.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74237817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7428A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7423BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7422F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [742375E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7422E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74268395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7423DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7422FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7422FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [742271CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [742BCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7425C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7422D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74226853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7422687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74232AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84E401F8
Device \FileSystem\udfs \UdfsCdRom 871CC1F8
Device \FileSystem\udfs \UdfsDisk 871CC1F8
Device \Driver\volmgr \Device\VolMgrControl 8405B1F8
Device \Driver\usbohci \Device\USBPDO-0 859C5500
Device \Driver\usbehci \Device\USBPDO-1 859C2500

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\volmgr \Device\HarddiskVolume1 8405B1F8
Device \Driver\cdrom \Device\CdRom0 859D0500
Device \Driver\cdrom \Device\CdRom1 859D0500
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84E3E1F8
Device \Driver\atapi \Device\Ide\IdePort0 84E3E1F8
Device \Driver\atapi \Device\Ide\IdePort1 84E3E1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-2 84E3E1F8
Device \Driver\netbt \Device\NetBt_Wins_Export 86E06358
Device \Driver\netbt \Device\NetBT_Tcpip_{5C3CFCCB-8DD4-4719-9428-72B084B51BD0} 86E06358
Device \Driver\Smb \Device\NetbiosSmb 86DF0420
Device \Driver\nvstor32 \Device\RaidPort0 84E3F1F8

AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\nvstor32 \Device\RaidPort1 84E3F1F8

AttachedDevice \Driver\tdx \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\iScsiPrt \Device\RaidPort2 8598E500
Device \Driver\usbohci \Device\USBFDO-0 859C5500
Device \Driver\usbehci \Device\USBFDO-1 859C2500
Device \Driver\00001816 -> \Driver\nvstor32 \Device\Harddisk0\DR0 87076E07

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x38 0x0F 0x98 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x38 0x0F 0x98 0x02 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\nvstor32.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Share this topic:


  • 3 Pages +
  • 1
  • 2
  • 3
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users