BleepingComputer.com: Persistent malware/possible rootkit?


Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.


If you have not received help after three days, please post a link to your topic HERE.

Persistent malware/possible rootkit? Related to Win32/Cryptor?

#31 User is offline   balfiecat 

  • Member
  • Group: Members
  • Posts: 68
  • Joined: 17-January 10
  • Gender:Female
  • Location:Alaska

Posted 21 January 2010 - 07:20 AM

Yay! Only one more, and may it be shorter than Dr.Web :thumbsup:

I got distracted and haven't reread the GMER instructions - I'll go read now in case I need to ask anything.

This post has been edited by balfiecat: 21 January 2010 - 07:31 AM


#32 User is offline   balfiecat 


Posted 21 January 2010 - 07:25 AM

Having a wee bit of difficulty downloading - web pages are taking forever to open and I just realized that AVG is downloading an auto update. Good grief. It says I am downloading at 64 bytes/sec and less.

And the GMER page hasn't even opened yet. Can I cancel an update or will it cause problems later?

It had a cancel button I had not noticed, so I canceled.

PS: Should I not rename the GMER exe file if I end up using the zip file? Or will it be too late then, i.e. the malware will have already identified it if it is able to?

This post has been edited by balfiecat: 21 January 2010 - 07:31 AM


#33 User is offline   balfiecat 


Posted 21 January 2010 - 07:38 AM

Quote

# If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
# Now click the Scan button. If you see a rootkit warning window, click OK.


If I receive a warning will it be during the scan or at the end? And if I click on Scan am I simply continuing the quick scan because it was halted to give the warning? Or am I doing another scan? Am I allowing it to take any action or is it just going to provide info?

I think I will end up getting the zip - it appears to be still attempting to download. :thumbsup:

I'm off to run GMER. Simple it seems, but I feel intimidated.

This post has been edited by balfiecat: 21 January 2010 - 07:55 AM


#34 User is offline   balfiecat 


Posted 21 January 2010 - 08:29 AM

I may have messed up. When the scan stopped (quick scan) I tried to copy-paste the result to Notepad in case it didn't show up in the next log (as was the case with another one). My PC froze. It wouldn't even end program for Notepad for a while. I am wondering if I misunderstood what you meant when you said not to use it during the scan :thumbsup: It finally (just now) closed Notepad and I think I am supposed to click on Scan now (I am on my son's friend's old PC right now).

#35 User is offline   balfiecat 


Posted 21 January 2010 - 08:43 AM

When I tried to restore the GMER window (I had finally minimized it to try to get to the close program box for Notepad) I could not see all of the image. Now I am not sure if I clicked on OK or Scan. Whatever, it seemed to be not responding. Now, 10 minutes or so later, it has an hourglass at the top of the window. I think I killed GMER.

I do not know whether I should just leave it till morning and see if it recovers, or force either it to close or the PC to shut down.

And when I started to type in Google search to come here I had picked up the wrong keyboard, so after I clicked on either OK or Scan I did something on my PC, albeit not much, but you said not to do anything on it during the scan. Of course I am not sure at all it is scanning... The window doesn't fully appear.

I see you! I thought you would be in bed sleeping soundly - middle of the night for you I thought.

I think I may have really made a mess and I do not know how to tell or what to do if I have or if waiting can make it worse or not.

This post has been edited by balfiecat: 21 January 2010 - 10:18 AM


#36 User is online   AustrAlien 

  • Inquisitor
  • Group: BC Advisor
  • Posts: 4,690
  • Joined: 15-July 09
  • Gender:Male
  • Location:Cowra NSW Australia

Posted 21 January 2010 - 10:18 AM

After an hour and a half .... it is frozen!

Shut down the computer as best you can.

Start the computer again. Let us know that you survived!

PS It is 2.15am .... and just having a wee look in between sleeps.
'Alien
Don't worry about the other post .... it's OK, and I will get it fixed.

Edit: "knight in shining armour" ... you are too kind

This post has been edited by AustrAlien: 21 January 2010 - 10:21 AM

AustrAlien
Google is my friend. Make Google your friend too.


#37 User is offline   balfiecat 


Posted 21 January 2010 - 10:21 AM

Thank you , you really are incredibly patient, helpful and just plain nice.

#38 User is offline   balfiecat 


Posted 21 January 2010 - 10:33 AM

How embarrassing. It booted right up no problem at all. Should I try again? And not try to get that first log?

Edit: Well you really have been :thumbsup: Rescued me from a not nice forum and the Hades that is technology sometimes , especially when you do not know how to use it.

Think I am going to take a nap (6:30 am)

This post has been edited by balfiecat: 21 January 2010 - 10:40 AM


#39 User is online   AustrAlien 


Posted 21 January 2010 - 10:38 AM

balfiecat, on Jan 22 2010, 02:33 AM, said:

How embarrassing. It booted right up no problem at all. Should I try again? And not try to get that first log?

So pleased! You and me both ...

Let's try that again. This time, do nothing else but follow the instructions.

It is quite possible that it will freeze again .... it is a common problem, and not just with GMER. If GMER doesn't work for you, we will try something else.

#40 User is offline   balfiecat 


Posted 21 January 2010 - 03:10 PM

Okay, going to do that now. It is 11 am here and I have an appointment at 1 so I might not reappear until late today. Thank you!

Edit: It is running the scan now. I looked at the pathway of that file swfmediabrowser.zip and it is indeed something I downloaded, else it would not be in that folder. I do not remember it and do not think I ever ran it, but at some point I thought it would be a good idea to have whatever it is. Lessons learned..... I have installed something called Veoh to download Stargate television episodes - is there a way I can determine if that is a legitimate source? I did not think it was P2P like Torrent and thought it was safe, but I don't know how to tell.

Edit 2 :thumbsup: : http://download.cnet.com/SWF-Media-Browser...4-10264432.html - I bet this is where I downloaded swfmediabrowser.zip. I doubt I would have ever run it though. I download software intending to try it and usually never get around to it. CNET is the place I am most likely to do this because I trust their reviews (and am now questioning whether my trust was misplaced).

In between a list of SSDT and IAT types the scan has a ? for the file srescan.sys and says "The system cannot find the file specified". No warnings yet :flowers:

I've got to go. Look forward to posting a clean scan later :trumpet:

This post has been edited by balfiecat: 21 January 2010 - 03:51 PM


#41 User is offline   balfiecat 


Posted 21 January 2010 - 10:47 PM

I am not sure if GMER finished or not. There was a file name in the status bar at the bottom and the buttons I could choose to click on were STOP, SAVE, or .... I have forgotten. There was a list of things and it did save a file when I clicked on Save. Then it helpfully froze again and I had to shut down the PC with the power button.

Below is the information from the log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-21 18:20:34
Windows 5.1.2600 Service Pack 3
Running: 7fvwrqc7.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pxtdypog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xAA049FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xAA046C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xAA061170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xAA04A580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xAA04A670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xAA047210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xAA0619F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xAA0617A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xAA061F10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xAA061F90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xAA047070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xAA0626F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xAA062150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xAA049BE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xAA062540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xAA047440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xAA0614E0]

---- Kernel code sections - GMER 1.0.15 ----

? srescan.sys The system cannot find the file specified. !
init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF7930300]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [AA04EB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [AA04E930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [AA04F260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [AA04CE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [AA04CE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [AA04EB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [AA04E930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [AA04F260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [AA04EB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [AA04CE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [AA04F260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [AA04E930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [AA04F260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [AA04E930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [AA04EB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [AA04CE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [AA04EB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [AA04E930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [AA04F260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [AA04F260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [AA04E930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [AA04CE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [AA04EB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [AA04EB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [AA04CE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [AA04F260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [AA04E930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.15 ----

Device \Driver\USBSTOR \Device\0000009b sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
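
The log above is easier to reason about once its record types are separated: SSDT hooks, IAT hooks and device attachments name the driver that owns them, the "?" line is a module whose file GMER could not open, and a finished scan ends with "---- EOF - GMER ----". The Python below is an added example for this thread (not GMER's code and not posted by anyone here) that parses an excerpt of the posted log, groups hooks by owning driver, and lists what still needs a human look. KNOWN_COMPANIES is an assumed allow-list for this machine's security products; the vendor string GMER prints comes from the driver's version resource, not from a signature check, so it is a sorting aid, not proof.

```python
"""Parse a GMER rootkit-scan log and triage what it reports.

Added example for the thread; not code from GMER or from any poster.
The embedded log excerpt is copied from the scan posted above.
"""
import re
from collections import defaultdict

# Excerpt of the posted GMER 1.0.15 log. Like the original it has no
# "---- EOF - GMER ----" line, because that scan never finished.
SAMPLE_LOG = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-21 18:20:34
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xAA049FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xAA046C80]

---- Kernel code sections - GMER 1.0.15 ----

? srescan.sys The system cannot find the file specified. !
init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF7930300]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [AA04E930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- Devices - GMER 1.0.15 ----

Device \Driver\USBSTOR \Device\0000009b sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
"""

# One regex per GMER record type. The "vendor" group is the text GMER read
# from the driver's version resource ("Description/Company"), not a signature.
RECORD_RES = {
    "ssdt": re.compile(r'^SSDT\s+(?P<module>\S+)\s+\((?P<vendor>.*?)\)\s+'
                       r'(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$'),
    "iat": re.compile(r'^IAT\s+(?P<victim>\S+?)\[(?P<lib>[^!\]]+)!(?P<func>[^\]]+)\]\s+'
                      r'\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)\s+\((?P<vendor>.*?)\)$'),
    "device": re.compile(r'^(?P<kind>Device|AttachedDevice)\s+(?P<driver>\S+)\s+'
                         r'(?P<device>\S+)\s+(?P<module>\S+)\s+\((?P<vendor>.*?)\)$'),
    "init": re.compile(r'^init\s+(?P<module>\S+)\s+entry point in "init" section\s+'
                       r'\[(?P<addr>0x[0-9A-Fa-f]+)\]$'),
    "missing": re.compile(r'^\?\s+(?P<module>\S+)\s+The system cannot find the file specified\.\s*!?$'),
}

# Assumed allow-list of companies expected to hook the kernel on this box
# (the ZoneAlarm firewall and AVG seen in the log). A rootkit can put any
# company name in its version resource, so confirm with a signature check.
KNOWN_COMPANIES = {
    "Check Point Software Technologies LTD",
    "AVG Technologies CZ, s.r.o.",
}


def company_of(vendor):
    """GMER prints 'Description/Company'; return the company part."""
    return vendor.rsplit("/", 1)[-1].strip()


def parse_gmer(text):
    """Return {record_type: [dict, ...], 'complete': bool} for a GMER log."""
    findings = {kind: [] for kind in RECORD_RES}
    findings["complete"] = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---- EOF - GMER"):
            findings["complete"] = True  # GMER only writes this after a full scan
            continue
        for kind, rx in RECORD_RES.items():
            m = rx.match(line)
            if m:
                findings[kind].append(m.groupdict())
                break
    return findings


def triage(findings, known_companies=KNOWN_COMPANIES):
    """Return (notes, hooks_by_module); notes are items a human must check."""
    notes = []
    if not findings["complete"]:
        notes.append("scan incomplete: no '---- EOF - GMER' line, so anything after "
                     "the last record was never examined")
    by_module = defaultdict(set)
    for kind in ("ssdt", "iat", "device"):
        for rec in findings[kind]:
            by_module[rec["module"]].add(kind)
            if company_of(rec["vendor"]) not in known_companies:
                notes.append(f"{kind} hook by unrecognised company: "
                             f"{rec['module']} ({rec['vendor']})")
    for rec in findings["missing"]:
        notes.append(f"{rec['module']}: module name present but its file could not be "
                     "opened (stale driver entry, or a file hidden from the scanner)")
    for rec in findings["init"]:
        notes.append(f"{rec['module']}: entry point in INIT section at {rec['addr']} "
                     "(common for legitimate drivers; verify the file's signature)")
    return notes, dict(by_module)


if __name__ == "__main__":
    found = parse_gmer(SAMPLE_LOG)
    notes, by_module = triage(found)
    for module, kinds in sorted(by_module.items()):
        print(f"{module}: {', '.join(sorted(kinds))}")
    for note in notes:
        print("-", note)
```

Run on the excerpt it reports the scan as incomplete, attributes every SSDT and IAT hook to vsdatant.sys (ZoneAlarm's TrueVector driver), flags the StarForce driver on the USB storage stack as an unrecognised company, and lists srescan.sys as a name without a readable file. None of that is a verdict: the next step for each flagged file is a hash lookup and an Authenticode check of the on-disk binary, and a scan that never reached its EOF marker has simply not looked at the rest of the system.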

#42 User is offline   balfiecat 


Posted 21 January 2010 - 11:29 PM

Quote

? srescan.sys The system cannot find the file specified. !
init C:\WINDOWS\System32\Drivers\sunkfilt.sys entry point in "init" section [0xF7930300]


Is that supposed to be all one line? The phrase " specified. !" looks as though something is missing.

Most of the results are about Zone Alarm, and from what I am reading that missing file is no longer necessary for Zone Alarm, but has been used by trojans in earlier versions. I have been using Zone Alarm on the Gateway ever since I got the computer in 2006, or maybe late 2005.

According to your friend Google, sunkfilt.sys "belongs to the software Digital Media Reader or Multimedia Card Reader or Alcor Micro Corp - or eMachines Bay Reader or Alcor Micro Corp Reader by Alcor Micro Corp." I guess it is possible I used to have one. I currently use a SanDisk ImageMate 8-in-1 card reader. Or is it referring to something else and I do not understand (like something to do with that

And I still have no idea what any of it means ....

Edit: Hmm. I just looked at someone else's scan result and mine is missing some things, like the end-of-scan log phrase "---- EOF - GMER 1.0.15 ----".

I guess it really had stopped. It was at the same file it had been when I left hours earlier, so I thought maybe it had just finished there. So safe mode is it. Ugh.

-- I tried to turn everything off in AVG like updates, I've-forgotten-the-name Shield, email and link scanner, and I exited Zone Alarm. Was there something else I did not do that I could try to help it not freeze?

This post has been edited by balfiecat: 21 January 2010 - 11:38 PM


#43 User is online   AustrAlien 


Posted 21 January 2010 - 11:37 PM

Hmmmm ..... The good news: GMER revealed nothing sinister ... oh, and your computer is still alive!
The bad news: GMER did not finish scanning.

>>> result: one very suspicious 'Alien!
------------------------------------------------

I am more concerned about what gmer did not report, than what it did report.
I am going to request some assistance at this stage. I will ask someone with more experience to review the situation.

Please give us an update on how your computer is behaving now.
Sit tight: Be back to you when I have something to report.

#44 User is offline   balfiecat 


Posted 21 January 2010 - 11:42 PM

Oh! Okay. I should not try to run it in safe mode?

That really is good news that my computer is still alive! I was really scared I had killed GMER last night and my operating system with it!

It had not occurred to me to be concerned about what it did not report. I am wondering if you are thinking something evil is stopping it from finishing. Oh, I so hope not.

Thank you so much for all of your time and help!

This post has been edited by balfiecat: 21 January 2010 - 11:46 PM


#45 User is online   AustrAlien 


Posted 21 January 2010 - 11:50 PM

balfiecat, on Jan 22 2010, 03:42 PM, said:

Oh! Okay. I should not try to run it in safemode?

Hey, at least one of us has our brain in gear! :thumbsup:

What a good idea.
Sounds like you are game to have a go: That is very brave of you.
Give it a whirl and let's see what happens. I'll hold off on that help request, in that case.
'Alien

Edit: "I am wondering if you are thinking something evil is stopping it from finishing."
Yes, something like that!

Also ... when I suggested that you post at BleepingComputer because I thought you had some serious malware ... I was expecting to find it, or at least some evidence of its existence, and then to have to refer you to post in the specialised HJT/Malware Removal Forum for expert assistance. Well, I have not found it yet .... and I do not think it would have evaporated!

This post has been edited by AustrAlien: 22 January 2010 - 12:00 AM

