
Probably A Rootkit


21 replies to this topic

#1 thelittleduck


Posted 13 June 2008 - 07:30 PM

I am using Vista Home Premium. Quad Intel Core2 2.4 MHz chips. 3 GB RAM. Avira AntiVirus (free). ZoneAlarm Firewall (free).

After a recent reboot Explorer keeps restarting. This happens when the desktop is visible. When I finally managed to open a program (Revo Uninstaller), Explorer stopped restarting. It would start its restarting cycle again if the desktop became visible again.

Looking for suspect files in the System32 folder I found the Gmer.exe file and ran it. It said there is some rootkit activity. Here is the log.

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-06-14 00:53:38
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcConnectPort [0x98A67706]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0x98A67366]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x98A64974]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x98A6F388]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0x98A67A3E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0x98A6D166]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0x98A6D380]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0x98A70B9E]
SSDT 8137D45C ZwCreateThread
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0x98A67ACE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0x98A64E54]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0x98A6FC84]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0x98A6FA00]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0x98A6CF08]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0x98A6FE34]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0x98A64CEC]
SSDT 8137D448 ZwOpenProcess
SSDT 8137D44D ZwOpenThread
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0x98A70810]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0x98A70246]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0x98A66FF0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0x98A70650]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0x98A67506]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0x98A65042]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0x98A6F706]
SSDT 8137D457 ZwTerminateProcess
SSDT 8137D452 ZwWriteVirtualMemory
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateUserProcess [0x98A6D59E]

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!ZwQueryLicenseValue + D41 81EA7BB9 1 Byte [ 06 ]
.text ntkrnlpa.exe!KeSetTimerEx + 370 81F089C4 4 Bytes [ 06, 77, A6, 98 ]
.text ntkrnlpa.exe!KeSetTimerEx + 3F4 81F08A48 4 Bytes [ 66, 73, A6, 98 ]
.text ntkrnlpa.exe!KeSetTimerEx + 40C 81F08A60 4 Bytes [ 74, 49, A6, 98 ]
.text ntkrnlpa.exe!KeSetTimerEx + 41C 81F08A70 4 Bytes [ 88, F3, A6, 98 ]
.text ntkrnlpa.exe!KeSetTimerEx + 438 81F08A8C 12 Bytes [ 3E, 7A, A6, 98, 66, D1, A6, ... ]
.text ...
_PAGELK C:\Windows\system32\ntkrnlpa.exe entry point in "_PAGELK" section [0x81F3C4B0]
? System32\Drivers\spdw.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload 8EA3B46F 5 Bytes JMP 862931D8

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806946D2] \SystemRoot\System32\Drivers\spdw.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80694040] \SystemRoot\System32\Drivers\spdw.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [806947FC] \SystemRoot\System32\Drivers\spdw.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806940BE] \SystemRoot\System32\Drivers\spdw.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069413C] \SystemRoot\System32\Drivers\spdw.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A3D92] \SystemRoot\System32\Drivers\spdw.sys

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\Windows\Explorer.exe[4184] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusShutdown] [74B47BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4184] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCloneImage] [74B898C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4184] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDrawImageRectI] [74B4D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4184] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [74B3F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4184] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusStartup] [74B47599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4184] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateFromHDC] [74B3E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4184] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74B7B33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4184] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [74B4D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4184] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageHeight] [74B4012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4184] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageWidth] [74B40095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4184] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDisposeImage] [74B371F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4184] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [74BCD810] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4184] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [74B675E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4184] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDeleteGraphics] [74B3DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4184] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipFree] [74B3668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4184] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipAlloc] [74B366BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[4184] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetCompositingMode] [74B41E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18000_none_9e752e5ac9c619f3\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8478F1F8
Device \Driver\volmgr \Device\VolMgrControl 8478B1F8
Device \Driver\usbuhci \Device\USBPDO-0 860D3500
Device \Driver\usbuhci \Device\USBPDO-1 860D3500
Device \Driver\usbuhci \Device\USBPDO-2 860D3500
Device \Driver\usbehci \Device\USBPDO-3 86127500
Device \Driver\usbuhci \Device\USBPDO-4 860D3500
Device \Driver\usbuhci \Device\USBPDO-5 860D3500
Device \Driver\usbuhci \Device\USBPDO-6 860D3500
Device \Driver\volmgr \Device\HarddiskVolume1 8478B1F8
Device \Driver\usbehci \Device\USBPDO-7 86127500
Device \Driver\USBSTOR \Device\00000071 86A131F8
Device \Driver\volmgr \Device\HarddiskVolume2 8478B1F8
Device \Driver\USBSTOR \Device\00000072 86A131F8
Device \Driver\volmgr \Device\HarddiskVolume3 8478B1F8
Device \Driver\USBSTOR \Device\00000073 86A131F8
Device \Driver\volmgr \Device\HarddiskVolume4 8478B1F8
Device \Driver\USBSTOR \Device\00000074 86A131F8
Device \Driver\volmgr \Device\HarddiskVolume5 8478B1F8
Device \Driver\USBSTOR \Device\00000075 86A131F8
Device \Driver\volmgr \Device\HarddiskVolume6 8478B1F8
Device \Driver\volmgr \Device\HarddiskVolume7 8478B1F8
Device \Driver\netbt \Device\NetBt_Wins_Export 86CE4500
Device \Driver\Smb \Device\NetbiosSmb 86C2D500
Device \Driver\iScsiPrt \Device\RaidPort0 86097500
Device \Driver\netbt \Device\NetBT_Tcpip_{DB257911-34A9-4008-8037-0EE446F19064} 86CE4500
Device \Driver\usbuhci \Device\USBFDO-0 860D3500
Device \Driver\usbuhci \Device\USBFDO-1 860D3500
Device \Driver\usbuhci \Device\USBFDO-2 860D3500
Device \Driver\usbehci \Device\USBFDO-3 86127500
Device \Driver\usbuhci \Device\USBFDO-4 860D3500
Device \Driver\usbuhci \Device\USBFDO-5 860D3500
Device \Driver\netbt \Device\NetBT_Tcpip_{933AF3A4-302A-4942-BB87-8E5B8A4B6AE0} 86CE4500
Device \Driver\usbuhci \Device\USBFDO-6 860D3500
Device \Driver\usbehci \Device\USBFDO-7 86127500
Device \FileSystem\cdfs \Cdfs 8727C500

---- Processes - GMER 1.0.14 ----

Library C:\Program (*** hidden *** ) @ C:\Program [3972] 0x00400000
Library C:\Program (*** hidden *** ) @ C:\Program [3972] 0x10000000

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF4 0xD0 0x4A 0xAF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\ssmdrv\Products@Avira AntiVir Personal \x2013 Free Antivirus C:\Program Files\Avira\AntiVir PersonalEdition Classic\??????????????????????????????????????????????????????????????????????????
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF4 0xD0 0x4A 0xAF ...
Reg HKLM\SYSTEM\ControlSet003\Services\ssmdrv\Products@Avira AntiVir Personal \x2013 Free Antivirus C:\Program Files\Avira\AntiVir PersonalEdition Classic\??????????????????????????????????????????????????????????????????????????
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\,:
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\,:@CacheSizeInMB 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\,:@CacheStatus 2
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\,:@USBVersion 131072
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\,:@ReadSpeedKBs 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\,:@WriteSpeedKBs 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\,:@PhysicalDeviceSizeMB 381543
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\,:@RecommendedCacheSizeMB 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\,:@HasSlowRegions 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\,:@DoRetestDevice 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\,:@DeviceStatus 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\,:@LastTestedTime 0x00 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\HH
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\HH@CacheSizeInMB 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\HH@CacheStatus 2
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\HH@USBVersion 131072
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\HH@ReadSpeedKBs 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\HH@WriteSpeedKBs 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\HH@PhysicalDeviceSizeMB 76316
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\HH@RecommendedCacheSizeMB 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\HH@HasSlowRegions 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\HH@DoRetestDevice 0
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\HH@DeviceStatus 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\HH@LastTestedTime 0x00 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- EOF - GMER 1.0.14 ----


A file I uploaded to VirusTotal, WhoisCL.exe, was picked up as HackTool.DHO. I don't know if this is a false positive, but I don't know how I got the file.

Also, the icons keep changing to large icons. This is in spite of me unchecking 'Use Large Icons' in the Customize Start Menu box.

Finally, yesterday I uninstalled Norton Internet Security 2008 using Symantec's removal tool.



#2 thelittleduck


Posted 13 June 2008 - 11:50 PM

Explorer restarting seems to have been caused by a partially downloaded file. I had to take the drastic action of using O2moveit to delete the file because it was the only way I could get to the file without Explorer restarting. After using the clean-up function, Explorer isn't restarting anymore.

After searching on Google it seems that the large icons may be a problem with Vista rather than malware.

Still worried about what the Gmer log showed though.

#3 quietman7


Posted 14 June 2008 - 09:44 AM

Certain files that are part of legitimate programs may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. WhoisCL.exe is related to WhoisCL, a command-line utility that allows you to easily get information about a registered domain. However, malware can also use this file as shown here.

Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. If you intentionally installed this program, then the detection is probably a "False Positive". If you did not install it, then delete the file.

Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.

There is one file I'd like to look at further. Go to Jotti's virusscan or virustotal.com. In the "File to upload & scan" box, click the "browse" button and locate the following file:
C:\WINDOWS\System32\Drivers\spdw.sys <- this file
Click "Open", then click the "Submit" button.
-- Post back with the results of the file analysis in your next reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
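One way to triage a log like the one posted above, as an added Python example that is neither GMER's code nor anything posted in the thread: it groups the SSDT hooks by the driver GMER attributes them to, and separates out what quietman7's note says still needs a human look: hooks GMER names no owning module for, modules it references but cannot find on disk (spdw.sys here), and JMP patches in a driver's code section. The EXPECTED_VENDORS allow-list and the excerpted sample log are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed excerpt of the GMER 1.0.14 log posted above (sample input, not the full log).
SAMPLE_LOG = r"""
---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x98A64974]
SSDT 8137D45C ZwCreateThread
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0x98A64CEC]
SSDT 8137D448 ZwOpenProcess
SSDT 8137D452 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!KeSetTimerEx + 370 81F089C4 4 Bytes [ 06, 77, A6, 98 ]
? System32\Drivers\spdw.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload 8EA3B46F 5 Bytes JMP 862931D8
"""

# Vendors whose kernel hooks are expected on this machine. Assumption for the example:
# the poster runs ZoneAlarm, whose vsdatant.sys owns most SSDT entries in the log.
EXPECTED_VENDORS = {"Check Point Software Technologies LTD"}

# One regex per GMER line shape handled here.
SSDT_NAMED = re.compile(r"^SSDT\s+(\S+)\s+\((.*?)\)\s+(Zw\w+)\s+\[0x([0-9A-F]+)\]$")
SSDT_BARE = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(Zw\w+)$")
MISSING = re.compile(r"^\?\s+(\S+)\s+The system cannot find the file specified\.")
CODE_PATCH = re.compile(
    r"^\.text\s+(\S+)!(\w+)(?:\s+\+\s*[0-9A-F]+)?\s+([0-9A-F]{8})\s+(\d+) Bytes\s+(.*)$")


def triage(log_text):
    """Parse one GMER log and group its entries for review."""
    named = defaultdict(list)   # driver basename -> syscalls it hooks
    vendors = {}                # driver basename -> company string from the log
    bare = []                   # (hook address, syscall) where GMER names no owning module
    missing = []                # modules referenced by hooks but not found on disk
    patches = []                # modifications inside kernel code sections
    for line in log_text.splitlines():
        line = line.strip()
        if m := SSDT_NAMED.match(line):
            path, desc, syscall, _addr = m.groups()
            base = path.rsplit("\\", 1)[-1]
            named[base].append(syscall)
            vendors[base] = desc.rsplit("/", 1)[-1]   # GMER prints "description/company"
        elif m := SSDT_BARE.match(line):
            bare.append((m.group(1), m.group(2)))
        elif m := MISSING.match(line):
            missing.append(m.group(1))
        elif m := CODE_PATCH.match(line):
            mod, func, addr, n, detail = m.groups()
            patches.append({"module": mod, "function": func, "address": addr,
                            "bytes": int(n), "detail": detail})
    return {"named": dict(named), "vendors": vendors, "bare": bare,
            "missing": missing, "patches": patches}


def findings(result):
    """Turn parsed entries into (severity, message) pairs. 'expected' means the hook
    belongs to a vendor in EXPECTED_VENDORS; everything else needs a human look."""
    out = []
    for base, calls in result["named"].items():
        vendor = result["vendors"][base]
        sev = "expected" if vendor in EXPECTED_VENDORS else "review"
        out.append((sev, f"{base} ({vendor}) hooks {len(calls)} SSDT entries"))
    for addr, syscall in result["bare"]:
        out.append(("review", f"{syscall} hooked at {addr}: no owning module named, identify it"))
    for mod in result["missing"]:
        out.append(("review", f"{mod} is referenced by a hook but not found on disk (hidden or removed)"))
    for p in result["patches"]:
        if p["detail"].startswith("JMP"):   # a jump planted in a driver's code section
            out.append(("review", f"{p['module']}!{p['function']} patched: {p['detail']}"))
    return out


if __name__ == "__main__":
    for severity, message in findings(triage(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```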

#4 thelittleduck


Posted 14 June 2008 - 10:30 AM

Thanks for your reply.

The 'C:\WINDOWS\System32\Drivers\spdw.sys' is either missing or hidden. I have looked for the file previously to upload it to VirusTotal.

I have the folder options set to show hidden files and folders, and have even unchecked 'Hide protected operating system files (Recommended)'.

#5 DaChew


Posted 14 June 2008 - 11:21 AM

Double check, you might have missed one.

Show Hidden Folders/Files
  • Open My Computer.
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck (untick) Hide extensions of known file types.
  • Uncheck (untick) Hide protected operating system files (Recommended).
  • Click Yes when prompted.
  • Click OK.
  • Close My Computer.

Chewy

No. Try not. Do... or do not. There is no try.

#6 thelittleduck


Posted 14 June 2008 - 12:28 PM

I have checked. They are already set as you suggest, Chewy.

Something I forgot to mention before, while scanning with MBAM yesterday and the day before, the computer would restart and then report that it had recovered from a critical problem - a bluescreen.

I uninstalled MBAM, re-downloaded and updated the definitions, but the same thing happened.

#7 quietman7


Posted 14 June 2008 - 03:14 PM

the computer would restart and then report that it had recovered from a critical problem - a bluescreen.

Can you provide the error code and any other information on the blue diagnostic screen? That will allow us to better trace the cause.

In Windows XP, the default setting is for the computer to reboot automatically when a fatal error or crash occurs. You may not see the error code because the computer reboots too fast. However, you should be able to see the error by looking in the Event Log. Read "How To Use the Event Viewer Applet".

An alternative is to turn off the automatic reboot feature so you can actually see the error code/STOP Message when it happens - this is also known as the Blue Screen Of Death (BSOD).

#8 thelittleduck


Posted 14 June 2008 - 07:01 PM

Here is what I hope is the correct Event Log report.

Log Name: System
Source: EventLog
Date: 11/06/2008 21:22:41
Event ID: 6008
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: flag
Description:
The previous system shutdown at 21:19:50 on 11/06/2008 was unexpected.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="EventLog" />
<EventID Qualifiers="32768">6008</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2008-06-11T20:22:41.000Z" />
<EventRecordID>84618</EventRecordID>
<Channel>System</Channel>
<Computer>flag</Computer>
<Security />
</System>
<EventData>
<Data>21:19:50</Data>
<Data>11/06/2008</Data>
<Data>
</Data>
<Data>
</Data>
<Data>7795</Data>
<Data>
</Data>
<Data>
</Data>
<Binary>D807060003000B00150013003200AF03D807060003000B00140013003200AF033C0000003C000000000000000000000000000000000000000100000000000000</Binary>
</EventData>
</Event>

Binary data:


In Words

0000: 000607D8 000B0003 00130015 03AF0032
0008: 000607D8 000B0003 00130014 03AF0032
0010: 0000003C 0000003C 00000000 00000000
0018: 00000000 00000000 00000001 00000000


In Bytes

0000: D8 07 06 00 03 00 0B 00 .......
0008: 15 00 13 00 32 00 AF 03 ....2..
0010: D8 07 06 00 03 00 0B 00 .......
0018: 14 00 13 00 32 00 AF 03 ....2..
0020: 3C 00 00 00 3C 00 00 00 <...<...
0028: 00 00 00 00 00 00 00 00 ........
0030: 00 00 00 00 00 00 00 00 ........
0038: 01 00 00 00 00 00 00 00 ........


Here is the 'Problem reports and solutions' log.

Product
Windows

Problem
Shut down unexpectedly

Date
11/06/2008 21:24

Status
Not Reported

Problem signature
Problem Event Name: BlueScreen
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 2057

Files that help describe the problem (some files may no longer be available)
Mini061108-01.dmp
sysdata.xml
Version.txt

Extra information about the problem
BCCode: 1000007e
BCP1: C0000005
BCP2: 00000000
BCP3: 8AFC3798
BCP4: 8AFC3494
OS Version: 6_0_6001
Service Pack: 1_0
Product: 768_1


The Event Viewer is very confusing, so I hope I've used it right.
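Rather than reading the two records above by eye, they can be decoded and cross-checked. Added Python example, not from anyone in the thread: it unpacks the Event ID 6008 binary data as two SYSTEMTIME structures (the shutdown time as local time and then as UTC, an assumption drawn from the posted dump, where both stamps agree with the event's text and its TimeCreated value) and maps the 'Problem signature' fields onto the documented bug check 0x1000007E parameters; the lookup tables are a small assumed subset.

```python
import struct
from datetime import datetime, timedelta

# Constructed inputs, copied from the Event Viewer and Problem Reports output above.
EVENT_6008_BINARY = """
D8 07 06 00 03 00 0B 00 15 00 13 00 32 00 AF 03
D8 07 06 00 03 00 0B 00 14 00 13 00 32 00 AF 03
3C 00 00 00 3C 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00
"""
EVENT_6008_DATA = {"time": "21:19:50", "date": "11/06/2008"}   # the event's <Data> fields
PROBLEM_SIGNATURE = """\
BCCode: 1000007e
BCP1: C0000005
BCP2: 00000000
BCP3: 8AFC3798
BCP4: 8AFC3494
"""

# Small lookup tables (assumption: only the documented values this report needs).
BUGCHECKS = {0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
             0x1000007E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED_M"}
NTSTATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION",
            0x80000003: "STATUS_BREAKPOINT",
            0xC000001D: "STATUS_ILLEGAL_INSTRUCTION"}


def parse_systemtime(raw):
    """Decode a little-endian Win32 SYSTEMTIME (eight WORDs) into a datetime and
    check its wDayOfWeek against the date, which catches misaligned or non-time data."""
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    dt = datetime(year, month, day, hour, minute, second, ms * 1000)
    # SYSTEMTIME counts Sunday as 0; datetime.weekday() counts Monday as 0.
    if (dt.weekday() + 1) % 7 != dow:
        raise ValueError("wDayOfWeek does not match the date; not a SYSTEMTIME")
    return dt


def decode_event_6008(hex_dump):
    """Decode the binary data of Event ID 6008. The first two 16-byte fields are
    SYSTEMTIME structures: the shutdown time as local time, then as UTC (assumption
    taken from the posted dump, where both agree with the event text and the
    TimeCreated stamp). The remaining words are returned undecoded."""
    raw = bytes.fromhex(hex_dump)          # fromhex ignores the whitespace
    local_t = parse_systemtime(raw[0:16])
    utc_t = parse_systemtime(raw[16:32])
    return {"local": local_t, "utc": utc_t,
            "utc_offset_minutes": int((local_t - utc_t) / timedelta(minutes=1)),
            "trailing_words": struct.unpack("<8I", raw[32:64])}


def matches_event_text(decoded, data):
    """Cross-check the binary against the human-readable <Data> fields (dd/mm/yyyy,
    as the poster's locale 2057 (en-GB) formats it)."""
    local = decoded["local"]
    return (local.strftime("%H:%M:%S") == data["time"]
            and local.strftime("%d/%m/%Y") == data["date"])


def decode_problem_signature(text):
    """Parse the 'Extra information about the problem' block. For bug check 0x7E and
    its 0x1000007E variant the parameters are: BCP1 exception code, BCP2 address of
    the faulting instruction, BCP3 exception record, BCP4 context record."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().startswith("BC"):
            fields[key.strip()] = int(value.strip(), 16)
    code = fields["BCCode"]
    result = {"bugcheck": BUGCHECKS.get(code, f"unknown 0x{code:08X}"), "params": fields}
    if code in (0x7E, 0x1000007E):
        exc = fields["BCP1"]
        result["exception"] = NTSTATUS.get(exc, f"unknown 0x{exc:08X}")
        result["fault_address"] = fields["BCP2"]
        result["exception_record"] = fields["BCP3"]
        result["context_record"] = fields["BCP4"]
    return result


if __name__ == "__main__":
    ev = decode_event_6008(EVENT_6008_BINARY)
    print("shutdown (local)", ev["local"], "UTC", ev["utc"],
          "offset", ev["utc_offset_minutes"], "min, text matches:",
          matches_event_text(ev, EVENT_6008_DATA))
    print(decode_problem_signature(PROBLEM_SIGNATURE))
```

For the posted report the decoded local stamp equals the event text and the offset is 60 minutes, and the signature reads as an access violation with the faulting address field at 0x00000000, which is the detail quietman7 asked for.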

#9 quietman7


Posted 14 June 2008 - 10:15 PM

Registry troubleshooting

A power failure or some other unexpected shutdown event may cause a corrupted registry hive. To determine whether this is the cause of the issue, look for event ID 6008 entries. Event ID 6008 entries indicate that there was an unexpected shutdown...


Also see "Examining Errors".

Error Message: "The system has recovered from a serious error.
C:\Windows\Minidump020404-01.dmp
C:\Docume~1\Darle~1\Locals~1\Temp\Wer5E.tmp.diroo\sysdata.xml"

Solution: This error message reveals a problem with a memory dump (an inventory of the contents of computer memory; sometimes referred to as a minidump). It seems the OS created a memory dump file but forgot about it, so it's attempting to create the file again. The resulting conflict leads to a serious error and the sudden system meltdown.

The minidump error is sometimes associated with an outdated video driver (a program that facilitates communication between a hardware component and the rest of the system), so one potential solution is to download a driver update for the video card...



#10 DaChew


Posted 14 June 2008 - 11:40 PM

Windows 6.0.6001 Service Pack 1


Often a service pack installed on a computer with outdated drivers will result in stability issues.

#11 DaChew


Posted 15 June 2008 - 12:01 AM

This is a little tricky, but if you run out of ideas we could try an online analysis.

Please Run the PCPitstop Full Tests, here:
http://www.pcpitstop.com/pcpitstop/default.asp
Register and create a password
Accept the ActiveX component to allow your machine to run the Full Tests
Registering and accepting the ActiveX are both SAFE and FREE.
Full Tests is the first item in the left hand column of that page.

The Full Tests take less than 5 minutes for most machines.
Once you have your Results, please post the TechExpress Link back here into this thread for review.
TechExpress is the last item on the list in the yellow box in upper right area of any Results page.
Post the entire URL link information back here into this Forum thread.

Since you are running a Vista OS, please open an instance of IE by right-clicking on IE icon and selecting "Run As Administrator"
Doing so will allow you to take advantage of all the features of the PCPitstop Full Tests.
(Be sure to "close" that same instance of IE after you have completed the Full Tests. For security reasons you should never do "general browsing" with your operating system configured as "run as administrator".)



#12 thelittleduck


Posted 15 June 2008 - 06:21 AM

Here is what I hope is the correct PCPitstop link.

http://www.pcpitstop.com/betapit/sec.asp?conid=20488270

I am going to update the video card driver.

#13 DaChew


Posted 15 June 2008 - 08:20 AM

Well, your security is well done. Besides a possible video driver issue, I would make sure my motherboard drivers are all up to date, watch the fragmentation and consider uninstalling that K-Lite codec pack.

I have seen a lot of strange issues with premium RAM on newer motherboards.

#14 thelittleduck


Posted 17 June 2008 - 09:56 PM

I've uninstalled the K-Lite pack and updated any drivers that needed updating.

A file I've just uploaded to VirusTotal showed that something may be wrong with it.

Engine    Version       Last update   Result
ClamAV    0.93.1        2008.06.18    Hacktool.Blackout-2
Ikarus    T3.1.1.26.0   2008.06.18    Virus.Win32.AutoRun.pc
NOD32v2   3195          2008.06.17    archive damaged
Rising    20.49.12.00   2008.06.17    Trojan.Win32.Autorun.ael
VBA32     3.12.6.7      2008.06.17    Worm.Win32.AutoIt.u

Probably being paranoid again.

#15 quietman7


Posted 18 June 2008 - 08:24 AM

What is the specific file name associated with this malware threat and where is it located (full file path) on your system?
