Rustock.b Rootkit? Maybe Not!


This topic is locked
14 replies to this topic

#1 Brian 23 (Members, 12 posts)

Posted 19 September 2007 - 09:15 AM

I have been working on this one for about two weeks. It started when I noticed some weird traffic in my firewall logs. It was showing that my computer was trying to connect to 111.111.111.111 port X (X would just count up by one). I ran the following:

HijackThis = nothing (log attached)
SpyBot = nothing
Ad-Aware = nothing
SUPERAntiSpyware Free Edition = nothing

GMER = noticed that there was an Iexplore.exe hidden process. Every time I kill it, it comes back
RootKit Unhooker = same as above


Once I kill the process I can see it reloading in Process Explorer. As soon as I kill the process in RKU, NTGUARD.EXE flashes in Process Explorer and then IEXPLORE.EXE, then they both disappear, only for the hidden process to be back in RKU.

I ran ComboFix and it shows that I have the Rustock.b rootkit:
________________________________________________________________________
Rootkit driver pe386 is still present. A rootkit scan is required
Rootkit driver msguard is still present. A rootkit scan is required
Rootkit driver lzx32 is still present. A rootkit scan is required
Rootkit driver huy32 is still present. A rootkit scan is required
Rootkit driver xpdt is still present. A rootkit scan is required
_______________________________________________________________________

I downloaded rustbfix.exe and it says:
No Rustock.b-rootkits found

Please if you can offer any help, it would be appreciated.

Running Win XP Pro
Intel 3.4Ghz
1 GB RAM
Up to date on all Windows Patches
Use Symantec Corp Edi for Anti-Virus (Def files are up to date)

Attached Files




#2 Brian 23 (Topic Starter, Members, 12 posts)

Posted 20 September 2007 - 11:23 AM

No replies yet? I thought there were some expert moderators here.

#3 rookie147 (Members, 5,321 posts)

Posted 22 September 2007 - 03:00 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Although you said the program did not work, I would still like to see its log just to make sure.

Double click on rustbfix.exe to run the tool.
If a "Rustock.b" infection is found, you will shortly be asked to reboot the computer.
The reboot will probably take quite a while, and perhaps 2 reboots will be needed, but this will happen automatically.
After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt).

Post the content of these logfiles in your next reply, along with a new HijackThis log.
Thanks,
Charles

Edited by rookie147, 22 September 2007 - 03:01 PM.

If you are pleased with the service I have offered, you may like to consider making a donation.


#4 Brian 23 (Topic Starter, Members, 12 posts)

Posted 23 September 2007 - 05:28 PM

I did that already. Results are:

No Rustock.b-rootkits found


You want me to run it again?

#5 Brian 23 (Topic Starter, Members, 12 posts)

Posted 23 September 2007 - 05:29 PM

Sorry Charles, I just read your post again. I will run it and post the logs Monday morning.

#6 Brian 23 (Topic Starter, Members, 12 posts)

Posted 24 September 2007 - 09:37 AM

Two logs from rustbfix.exe attached. Also attached a new HijackThis log.

Attached Files



#7 rookie147 (Members, 5,321 posts)

Posted 24 September 2007 - 04:18 PM

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply.
Thanks,
Charles



#8 Brian 23 (Topic Starter, Members, 12 posts)

Posted 24 September 2007 - 04:56 PM

ComboFix Log attached.

Also, below is what the firewall logs look like. 10.10.11.112 is my machine.

05/22/80 23:01 http-proxy[31033]: [10.10.11.112:3489 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:01 http-proxy[28804]: [10.10.11.112:3490 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:01 http-proxy[28804]: [10.10.11.112:3492 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:01 http-proxy[28804]: [10.10.11.112:3493 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:01 http-proxy[28804]: [10.10.11.112:3494 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:01 http-proxy[28804]: [10.10.11.112:3495 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:02 http-proxy[28804]: [10.10.11.112:3498 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:02 http-proxy[28804]: [10.10.11.112:3499 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:02 http-proxy[28804]: [10.10.11.112:3501 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:02 http-proxy[28804]: [10.10.11.112:3508 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:02 http-proxy[28804]: [10.10.11.112:3509 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:02 http-proxy[28804]: [10.10.11.112:3510 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:02 http-proxy[28804]: [10.10.11.112:3511 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:02 http-proxy[28804]: [10.10.11.112:3512 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:02 http-proxy[28804]: [10.10.11.112:3513 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:02 http-proxy[28804]: [10.10.11.112:3516 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:02 http-proxy[28804]: [10.10.11.112:3517 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:02 http-proxy[28804]: [10.10.11.112:3518 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:03 http-proxy[28804]: [10.10.11.112:3519 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:03 http-proxy[28804]: [10.10.11.112:3520 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:03 http-proxy[28804]: [10.10.11.112:3521 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:03 http-proxy[28804]: [10.10.11.112:3522 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:03 http-proxy[28804]: [10.10.11.112:3523 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:03 http-proxy[28804]: [10.10.11.112:3526 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)

Attached Files

Attached File: log.txt (15.19KB, 41 downloads)
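Added example, not code from the thread or either poster: a small parser for the http-proxy log format pasted above, plus a check that groups failed connections by source host, destination and port and reports repeated attempts. The point it makes is the one Brian noticed by eye: a source port that climbs by one per line is a fresh socket per attempt, so a run of them to a single destination within a couple of minutes is a process retrying in a loop, which is worth correlating with a process listing. The sample lines are constructed in the same format as the post (the last line is an unrelated single failure added for contrast); the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's http-proxy log format. The first seven
# lines mirror the posted pattern (one host, rising source ports, one target);
# the last is an unrelated single failure added for contrast. Not the real log.
SAMPLE_LOG = """\
05/22/80 23:01 http-proxy[31033]: [10.10.11.112:3489 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:01 http-proxy[28804]: [10.10.11.112:3490 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:01 http-proxy[28804]: [10.10.11.112:3492 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:02 http-proxy[28804]: [10.10.11.112:3498 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:02 http-proxy[28804]: [10.10.11.112:3499 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:03 http-proxy[28804]: [10.10.11.112:3519 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:03 http-proxy[28804]: [10.10.11.112:3521 111.111.111.111:81] Error while sending/receiving: Can't receive data from server (No route to host)
05/22/80 23:05 http-proxy[28804]: [10.10.11.112:3600 192.0.2.10:80] Error while sending/receiving: Can't receive data from server (Connection refused)
"""

# One line: "<date> <HH:MM> http-proxy[<pid>]: [<src>:<sport> <dst>:<dport>] <message>"
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\d\d:\d\d) http-proxy\[\d+\]: "
    r"\[(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)\] (?P<msg>.*)$"
)


def parse_log(text):
    """Return one dict per parsable line; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["sport"] = int(event["sport"])
        event["dport"] = int(event["dport"])
        events.append(event)
    return events


def find_repeat_failures(events, min_attempts=5):
    """Group failed connections by (src, dst, dport) and report every group
    with at least `min_attempts` entries (threshold is an assumption).

    The client's ephemeral source port rises with each new socket, so a
    monotonically increasing run of source ports to one destination is a
    sequence of separate connection attempts, i.e. something retrying in a
    loop, rather than one long-lived connection.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["dst"], e["dport"])].append(e)

    findings = []
    for (src, dst, dport), evs in groups.items():
        if len(evs) < min_attempts:
            continue
        ports = [e["sport"] for e in evs]
        findings.append({
            "src": src,
            "dst": dst,
            "dport": dport,
            "attempts": len(evs),
            "monotonic_ports": all(a < b for a, b in zip(ports, ports[1:])),
            "first": evs[0]["time"],
            "last": evs[-1]["time"],
        })
    return findings


if __name__ == "__main__":
    for f in find_repeat_failures(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}:{f['dport']}: {f['attempts']} failed attempts "
              f"between {f['first']} and {f['last']}, rising source ports={f['monotonic_ports']}")
```

Run against the sample it reports one group (10.10.11.112 to 111.111.111.111:81, seven attempts in three minutes with rising source ports) and stays silent on the single contrasting failure. Against a real export, the next step is to line the time window up with a process listing, which is what the hidden IEXPLORE.EXE question in this thread comes down to.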


#9 rookie147 (Members, 5,321 posts)

Posted 25 September 2007 - 04:15 PM

Download GMER from here:
http://www.gmer.net/files.php
Unzip it to the Desktop.
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.



#10 Brian 23 (Topic Starter, Members, 12 posts)

Posted 25 September 2007 - 04:28 PM

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-09-25 16:29:00
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT 86482470 ZwConnectPort

---- Kernel code sections - GMER 1.0.13 ----

? nwfilter.sys The system cannot find the file specified.

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT \SystemRoot\system32\DRIVERS\rdpdr.sys[ntoskrnl.exe!FsRtlRegisterUncProvider] [F7C4462E] nwfilter.sys
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!FsRtlRegisterUncProvider] [F7C4462E] nwfilter.sys
IAT \SystemRoot\system32\DRIVERS\mrxdav.sys[ntoskrnl.exe!FsRtlRegisterUncProvider] [F7C4462E] nwfilter.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F772E1DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F772E1DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F772E454] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F772E1DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F7721F4C] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F2175070] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F21753A0] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F2175300] SYMEVENT.SYS
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F2175300] SYMEVENT.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F1F86CCC] SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F1F86CCC] SYMTDI.SYS

Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [BAED2912] DLAIFS_M.SYS

---- Processes - GMER 1.0.13 ----

Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (*** hidden *** ) 2180

---- EOF - GMER 1.0.13 ----
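Added example, not code from the thread, GMER, or either poster: a triage pass over GMER's text output in the format pasted above. It pulls out the four things a reviewer would want listed separately rather than buried among dozens of filter-driver lines: processes GMER marks as hidden, modules it could not find on disk ("? name The system cannot find the file specified."), SSDT entries it could not attribute to a module, and IAT/EAT/device hooks by modules outside an expected set. The expected set (Windows' filter manager and the Symantec drivers this host runs) is an assumption for the example; the input is a constructed excerpt of the log above, abbreviated to one line per hooking module.

```python
import json
import re

# Constructed excerpt in GMER's report format, abbreviated from the thread's log.
SAMPLE_GMER = r"""GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-09-25 16:29:00
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.13 ----

SSDT 86482470 ZwConnectPort

---- Kernel code sections - GMER 1.0.13 ----

? nwfilter.sys The system cannot find the file specified.

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT \SystemRoot\system32\DRIVERS\rdpdr.sys[ntoskrnl.exe!FsRtlRegisterUncProvider] [F7C4462E] nwfilter.sys
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!FsRtlRegisterUncProvider] [F7C4462E] nwfilter.sys

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F772E1DE] fltMgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F2175300] SYMEVENT.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F1F86CCC] SYMTDI.SYS

Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [BAED2912] DLAIFS_M.SYS

---- Processes - GMER 1.0.13 ----

Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (*** hidden *** ) 2180

---- EOF - GMER 1.0.13 ----
"""

# Line shapes seen in the log above.
MISSING_RE = re.compile(r"^\? (?P<module>\S+) The system cannot find the file specified\.$")
HIDDEN_PROC_RE = re.compile(r"^Process (?P<path>.+?) \(\*\*\* hidden \*\*\* ?\) (?P<pid>\d+)$")
SSDT_RE = re.compile(r"^SSDT (?P<addr>[0-9A-F]+) (?P<func>\S+)$")
HOOK_RE = re.compile(r"^(?P<kind>IAT|EAT|AttachedDevice|Device) .*\[(?P<addr>[0-9A-F]+)\] (?P<module>\S+)$")

# Modules expected to hook on this host (assumption for the example: the Windows
# filter manager plus the Symantec AV stack the poster says is installed).
EXPECTED_HOOKERS = {"fltmgr.sys", "symevent.sys", "symtdi.sys"}


def triage_gmer(text, expected=EXPECTED_HOOKERS):
    """Return the entries of a GMER report that merit a closer look."""
    lines = [ln.rstrip() for ln in text.splitlines()]

    # First pass: modules GMER reports but cannot find on disk, so that hooks
    # attributed to them can be tagged in the second pass regardless of order.
    missing = [m["module"] for m in map(MISSING_RE.match, lines) if m]
    missing_lower = {name.lower() for name in missing}

    findings = {
        "hidden_processes": [],
        "missing_modules": missing,
        "ssdt_unattributed": [],
        "unexpected_hooks": [],
    }
    for line in lines:
        m = HIDDEN_PROC_RE.match(line)
        if m:
            findings["hidden_processes"].append({"path": m["path"], "pid": int(m["pid"])})
            continue
        m = SSDT_RE.match(line)
        if m:
            # An SSDT line with an address but no module name means GMER could
            # not map the hook target to any loaded module.
            findings["ssdt_unattributed"].append(m["func"])
            continue
        m = HOOK_RE.match(line)
        if m and m["module"].lower() not in {e.lower() for e in expected}:
            findings["unexpected_hooks"].append({
                "kind": m["kind"],
                "module": m["module"],
                "module_missing_on_disk": m["module"].lower() in missing_lower,
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(triage_gmer(SAMPLE_GMER), indent=2))
```

On the sample this leaves the Symantec and fltMgr lines alone and lists: one hidden process (PID 2180), one module not found on disk (nwfilter.sys), one unattributed SSDT entry (ZwConnectPort), and three hooks for review, two of them by the missing module and one by DLAIFS_M.SYS. A hook whose module GMER cannot find on disk is the item to resolve first, whichever way it turns out, since a legitimate driver that is loaded but not present as a file is unusual.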

#11 Brian 23 (Topic Starter, Members, 12 posts)

Posted 01 October 2007 - 04:01 PM

Need anything else from me?

#12 rookie147 (Members, 5,321 posts)

Posted 02 October 2007 - 02:54 PM

I'm really sorry you had to wait so long for a reply, but I didn't get my notification that you'd replied to this thread.
I can see no rootkits in your logs, so I don't think that there is anything to worry about.



#13 Brian 23 (Topic Starter, Members, 12 posts)

Posted 02 October 2007 - 09:13 PM

What about the hidden IEXPLORE process and that it is causing all of the internet traffic? The original problem from post 1 still exists.

#14 rookie147 (Members, 5,321 posts)

Posted 04 October 2007 - 04:22 PM

1. Quite a number of legitimate applications get hidden, so there is nothing wrong with this file being hidden.
2. I do not think that there is anything wrong with your computer trying to access this IP address. There is nothing that is going to have 111.111.111.111 as its IP, so I would assume it is something like a router test; it could just be a dummy IP to call out to check for connections.



#15 rookie147 (Members, 5,321 posts)

Posted 25 October 2007 - 04:08 AM

Since this issue appears to be resolved, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.
