BleepingComputer.com: Fake system warning msgs


Fake system warning msgs

#1 damiths

  • New Member
  • Group: Members
  • Posts: 14
  • Joined: 24-March 10

Posted 08 August 2011 - 09:24 AM

Lately I have been getting fake system warnings and error reports that cause pop-ups every minute or so to appear in my tray.

Warnings say things like:

System Warning - Keep your computer safe from viruses and malicious programs

System warning - Spyware protection is disabled. Your personal data is at high risk of being stolen and misused

Error - Your computer is infected with Spyware! Detected malicious programs can damage your computer and compromise your privacy. It is strongly recommended to remove them immediately.

Usually I can click OK on these pop ups and nothing happens. But they appear over and over again making the PC very slow.

I run Win XP / SP3.

Tried to run the DDS log, but it appeared for a minute and closed when I double-clicked on the file.

Below is the GMER log.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-09 00:23:25
Windows 5.1.2600 Service Pack 3, v.6055 Harddisk0\DR0 -> \Device\Ide\IdePort2 WDC_WD400BB-00JHC0 rev.05.01C05
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kfadiaob.sys


---- System - GMER 1.0.15 ----

SSDT spqz.sys ZwCreateKey [0xF73E70E0]
SSDT spqz.sys ZwEnumerateKey [0xF73FFDA4]
SSDT spqz.sys ZwEnumerateValueKey [0xF7400132]
SSDT spqz.sys ZwOpenKey [0xF73E70C0]
SSDT spqz.sys ZwQueryKey [0xF740020A]
SSDT spqz.sys ZwQueryValueKey [0xF740008A]
SSDT spqz.sys ZwSetValueKey [0xF740029C]

INT 0x62 ? 8438BBF8
INT 0x73 ? 84319BF8
INT 0x82 ? 8438BBF8
INT 0x83 ? 8438BBF8
INT 0x83 ? 8438BBF8
INT 0x83 ? 84319BF8
INT 0x83 ? 8438BBF8
INT 0xB4 ? 84319BF8

---- Kernel code sections - GMER 1.0.15 ----

? spqz.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F719E8AC 5 Bytes JMP 843191D8
.text af5j765r.SYS F714D386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text af5j765r.SYS F714D3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text af5j765r.SYS F714D3C4 3 Bytes [00, 80, 02]
.text af5j765r.SYS F714D3C9 1 Byte [30]
.text af5j765r.SYS F714D3C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[376] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0152000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[376] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0153000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[376] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0151000C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1040] USER32.dll!SetWindowLongA 7E41DE3D 5 Bytes JMP 1068EDA6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1040] USER32.dll!SetWindowLongW 7E41DE5B 5 Bytes JMP 1068ED38 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1040] USER32.dll!GetWindowInfo 7E41E142 5 Bytes JMP 104A5451 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1040] USER32.dll!TrackPopupMenu 7E465316 5 Bytes JMP 104A5A99 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E0000A
.text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E1000A
.text C:\WINDOWS\system32\svchost.exe[1044] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00DF000C
.text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!GetCursorPos 7E41BD6E 5 Bytes JMP 01A7000A
.text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!WindowFromPoint 7E41BD86 5 Bytes JMP 01A8000A
.text C:\WINDOWS\system32\svchost.exe[1044] USER32.dll!GetForegroundWindow 7E41BE43 5 Bytes JMP 01A9000A
.text C:\WINDOWS\system32\svchost.exe[1044] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 01A6000A
.text C:\WINDOWS\Explorer.EXE[1732] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BA000A
.text C:\WINDOWS\Explorer.EXE[1732] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BB000A
.text C:\WINDOWS\Explorer.EXE[1732] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B9000C

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 843891F8
Device \FileSystem\Fastfat \FatCdrom 8400C1F8

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\PCI_PNP8132 \Device\00000040 spqz.sys
Device \Driver\PCI_PNP8132 \Device\00000040 spqz.sys
Device \Driver\usbuhci \Device\USBPDO-0 8433E1F8
Device \Driver\usbuhci \Device\USBPDO-1 8433E1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8438C1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8438C1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8438C1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8438C1F8
Device \Driver\usbuhci \Device\USBPDO-2 8433E1F8
Device \Driver\usbuhci \Device\USBPDO-3 8433E1F8
Device \Driver\usbehci \Device\USBPDO-4 8433A1F8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8438D1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8438D1F8
Device \Driver\Cdrom \Device\CdRom0 843181F8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8428731B
Device \Driver\atapi \Device\Ide\IdePort0 [F733BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-1b 8428731B
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-1b [F733BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8428731B
Device \Driver\atapi \Device\Ide\IdePort1 [F733BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8428731B
Device \Driver\atapi \Device\Ide\IdePort2 [F733BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8428731B
Device \Driver\atapi \Device\Ide\IdePort3 [F733BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP3T1L0-10 8428731B
Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-10 [F733BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP3T0L0-8 8428731B
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-8 [F733BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume3 8438D1F8
Device \Driver\Cdrom \Device\CdRom1 843181F8
Device \Driver\Cdrom \Device\CdRom2 843181F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 840621F8
Device \Driver\NetBT \Device\NetbiosSmb 840621F8

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 8433E1F8
Device \Driver\usbuhci \Device\USBFDO-1 8433E1F8
Device \Driver\USBSTOR \Device\0000007b 83E9E1F8
Device \Driver\usbuhci \Device\USBFDO-2 8433E1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B8DA7D0F-61CD-413E-8F06-AD2FFC6C8F93} 840621F8
Device \Driver\USBSTOR \Device\0000007c 83E9E1F8
Device \Driver\usbuhci \Device\USBFDO-3 8433E1F8
Device \Driver\usbehci \Device\USBFDO-4 8433A1F8
Device \Driver\Ftdisk \Device\FtControl 8438D1F8
Device \Driver\sptd \Device\707291882 spqz.sys
Device \Driver\af5j765r \Device\Scsi\af5j765r1Port4Path0Target0Lun0 842061F8
Device \Driver\af5j765r \Device\Scsi\af5j765r1 842061F8
Device \FileSystem\Fastfat \Fat 8400C1F8
Device \FileSystem\Cdfs \Cdfs 8402A1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB5 0x85 0x09 0x74 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x95 0x5A 0x1B 0xCB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x00 0x0D 0x7C 0x40 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB5 0x85 0x09 0x74 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x95 0x5A 0x1B 0xCB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x00 0x0D 0x7C 0x40 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB32708$\2357857457 0 bytes
File C:\WINDOWS\$NtUninstallKB32708$\2357857457\L 0 bytes
File C:\WINDOWS\$NtUninstallKB32708$\2357857457\U 0 bytes
File C:\WINDOWS\$NtUninstallKB32708$\824289560 0 bytes

---- EOF - GMER 1.0.15 ----

#2 Budapest

  • Bleepin' Cynic
  • Group: Moderator
  • Posts: 22,242
  • Joined: 11-November 06
  • Gender:Male

Posted 08 August 2011 - 06:38 PM

As you are being helped here (http://www.bleepingcomputer.com/forums/topic413382.html), I will close this topic.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
