Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

29841316-2418835964 Hiding A File


  • Please log in to reply
5 replies to this topic

#1 tequila_stealer

tequila_stealer

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:34 AM

Posted 16 July 2007 - 03:06 PM

i was sorting through my C drive and i came across a file named "hook" it contained the text

29841316-2418835964 HIDING A FILE

29844709-4041206886 HIDING A FILE

I thought it to be quite strange and was wondering if anyone else has had this, or heard of this before.....

thanks.

BC AdBot (Login to Remove)

 


#2 buddy215

buddy215

  • BC Advisor
  • 12,986 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:12:34 AM

Posted 16 July 2007 - 04:31 PM

Google had one hit. It treated it as a math problem.
29 844 709 - 4 041 206 886 = -4 011 362 177

Are you experiencing a problem with your computer?

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 oldf@rt

oldf@rt

  • Members
  • 2,609 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Avondale, Arizona USA
  • Local time:10:34 PM

Posted 16 July 2007 - 04:35 PM

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE"
Important! Please do not select the "Show all" checkbox during the scan..
The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#4 tequila_stealer

tequila_stealer
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:34 AM

Posted 16 July 2007 - 04:48 PM

here is my GMER log


GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-07-16 22:47:31
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwCreateFile
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwOpenFile
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwQueryDirectoryFile
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwQueryInformationProcess
SSDT \??\C:\WINDOWS\system32\windrvNT.sys ZwSetInformationFile
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- User code sections - GMER 1.0.13 ----

.text C:\Program Files\MSN Messenger\MsnMsgr.Exe[396] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [BA600404] avg7rsw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [BA61285A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [BA61285A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [BA61285A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [BA61285A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [BA61285A] avgtdi.sys

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [BA600404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [BA600404] avg7rsw.sys

---- Files - GMER 1.0.13 ----

File C:\sccfg.sys

---- EOF - GMER 1.0.13 ----

#5 oldf@rt

oldf@rt

  • Members
  • 2,609 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Avondale, Arizona USA
  • Local time:10:34 PM

Posted 16 July 2007 - 08:50 PM

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\system32\windrvNT.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/flash/index_en.html

Edited by oldf@rt, 16 July 2007 - 08:51 PM.

The name says it all -- 59 and holding permanently

**WARNING** Links I provide might cause brain damage

#6 tequila_stealer

tequila_stealer
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:34 AM

Posted 17 July 2007 - 08:06 AM

Nothing found.

i might have deleted the virus but just left this file here.

my computer seems to be running fine except for random restarts and wierd processor clock readings.

Thankyou for your help.



Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.17 no virus found
AntiVir 7.4.0.42 2007.07.17 no virus found
Authentium 4.93.8 2007.07.17 no virus found
Avast 4.7.997.0 2007.07.16 no virus found
AVG 7.5.0.476 2007.07.16 no virus found
BitDefender 7.2 2007.07.17 no virus found
CAT-QuickHeal 9.00 2007.07.16 no virus found
ClamAV devel-20070416 2007.07.17 no virus found
DrWeb 4.33 2007.07.17 no virus found
eSafe 7.0.15.0 2007.07.16 no virus found
eTrust-Vet 30.8.3789 2007.07.17 no virus found
Ewido 4.0 2007.07.17 no virus found
FileAdvisor 1 2007.07.17 no virus found
Fortinet 2.91.0.0 2007.07.17 no virus found
F-Prot 4.3.2.48 2007.07.17 no virus found
Ikarus T3.1.1.8 2007.07.17 no virus found
Kaspersky 4.0.2.24 2007.07.17 no virus found
McAfee 5075 2007.07.16 no virus found
Microsoft 1.2704 2007.07.17 no virus found
NOD32v2 2402 2007.07.17 no virus found
Norman 5.80.02 2007.07.17 no virus found
Panda 9.0.0.4 2007.07.17 no virus found
Sophos 4.19.0 2007.07.16 no virus found
Sunbelt 2.2.907.0 2007.07.16 no virus found
Symantec 10 2007.07.17 no virus found
TheHacker 6.1.7.148 2007.07.16 no virus found
VBA32 3.12.2 2007.07.16 no virus found
VirusBuster 4.3.23:9 2007.07.16 no virus found
Webwasher-Gateway 6.0.1 2007.07.17 no virus found
Aditional information
File size: 76 bytes
MD5: b979a7abf1a242eb959a61f866d18e48
SHA1: 47389a87fe031efcb5e59283a123998deda13e74




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users