Help
There is a rootkit file make of 10 random numbers-dot-10 more random numbers-dot-exe in the Windows folder.
There is a services file with random letters and numbers that points to this rootkit.
It screws up the header's of any file designed to remove the infection such that windows no longer recognizes them as programs.
The virus has also modified the ipsec.sys file such that when I tried running GMER it crashed with BSOD stating the ipsec.sys file as cause.
I replace both copies of the ipsec file (ddlcache & drivers folders) with known good copies and was able to get data from the GMER program.
Attached is the text file of this.
Would like some report on what this log file indicates. GMER mentioned data had been modifed by the rootkit.
Thanks
Quote
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-06 08:25:42
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK1032GAX rev.AB221D
Running: gmer.exe; Driver: C:\DOCUME~1\Cheryl\LOCALS~1\Temp\pwlyapod.sys
---- System - GMER 1.0.15 ----
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF765B87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF765BBFE]
SSDT szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) ZwTerminateProcess [0xF75F0496]
---- Kernel code sections - GMER 1.0.15 ----
? C:\WINDOWS\system32\drivers\mbam.sys The system cannot find the file specified. !
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----
Library C:\Program (*** hidden *** ) @ C:\Program [912] 0x00400000
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Classes\CLSID\{7E66D726-8820-73A4-5321-9A2D699F06E5}\aLtf@ {@nTIed~Qah|y\BNXkBWeNHsydUBZ|y
Reg HKLM\SOFTWARE\Classes\CLSID\{7E66D726-8820-73A4-5321-9A2D699F06E5}\wzZnPtikUIdmt@ PxZeWeWaigquxfk{cDhCt?FWKmTXcE@
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\$NtUninstallKB54230$\4204200706 0 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790 0 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\bckfg.tmp 823 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\cfg.ini 199 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\keywords 0 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\kwrd.dll 208896 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\L 0 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\L\iahonoel 75264 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\U 0 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\U\00000002.@ 209920 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\U\80000032.@ 71168 bytes
---- EOF - GMER 1.0.15 ----
Rootkit scan 2011-10-06 08:25:42
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK1032GAX rev.AB221D
Running: gmer.exe; Driver: C:\DOCUME~1\Cheryl\LOCALS~1\Temp\pwlyapod.sys
---- System - GMER 1.0.15 ----
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF765B87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF765BBFE]
SSDT szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) ZwTerminateProcess [0xF75F0496]
---- Kernel code sections - GMER 1.0.15 ----
? C:\WINDOWS\system32\drivers\mbam.sys The system cannot find the file specified. !
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----
Library C:\Program (*** hidden *** ) @ C:\Program [912] 0x00400000
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Classes\CLSID\{7E66D726-8820-73A4-5321-9A2D699F06E5}\aLtf@ {@nTIed~Qah|y\BNXkBWeNHsydUBZ|y
Reg HKLM\SOFTWARE\Classes\CLSID\{7E66D726-8820-73A4-5321-9A2D699F06E5}\wzZnPtikUIdmt@ PxZeWeWaigquxfk{cDhCt?FWKmTXcE@
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\$NtUninstallKB54230$\4204200706 0 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790 0 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\bckfg.tmp 823 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\cfg.ini 199 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\keywords 0 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\kwrd.dll 208896 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\L 0 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\L\iahonoel 75264 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\U 0 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\U\00000002.@ 209920 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB54230$\652675790\U\80000032.@ 71168 bytes
---- EOF - GMER 1.0.15 ----
Back to top
