
Hidden Driver Detected As A Rootkit.


14 replies to this topic

#1 yaman


Posted 13 September 2008 - 12:44 PM

Hi,
I don't know if this is an issue or not, but every time AVG runs a scan it detects a hidden driver in windows\system32\drivers. The file that it detects changes every time I ask AVG to remove it. It always has 8 characters with a .sys extension, e.g. al0278od.sys or 23l4gt89.sys. I tried looking for the file and I did not find it, even after disabling the "hide protected system files" option in Folder Options.
I ran Spybot ver 1.6, which has rootkit detection capability, and it did not detect anything other than the usual cookies.
I ran Ad-Aware 2008, which did not detect anything other than cookies.

My OS is Windows XP Media Center with SP2.
The AVG version is 8.

I would like to know if this is really something to be concerned about. If so, what do I do to take care of the issue?

Thank you for your dedicated help.

cheers,

#2 rigel


Posted 13 September 2008 - 07:18 PM

Let's start with a Malwarebytes scan...

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 yaman


Posted 13 September 2008 - 10:12 PM

Hi,

I ran the software as I was waiting for a reply.

Here is the requested result:
Malwarebytes' Anti-Malware 1.28
Database version: 1147
Windows 5.1.2600 Service Pack 2

13/09/2008 6:01:30 PM
mbam-log-2008-09-13 (18-01-30).txt

Scan type: Quick Scan
Objects scanned: 68461
Time elapsed: 13 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



At first glance it did not pick up anything, so should I still worry about an infection?

Let me know.

Thanks,

#4 rigel


Posted 13 September 2008 - 10:45 PM

Hmmm... let's try a quick online scan, and a rootkit detector.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Download Sophos Anti-rootkit & save it to your desktop.
Be sure to read the Sophos Anti-Rootkit User Manual. A copy of this manual, sarman.pdf, can also be found inside the program folder after installation.
  • Double-click sarsfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now". Click Yes.
  • Make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click "Start scan".
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will be done when you restart your computer. Click "Restart Now".
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.
Note: If the scan is performed while the computer is in use, false positives may appear in the scan results. This is caused by files or registry entries being deleted, including temporary files being deleted automatically.

If both of these are ok, I will feel a lot better.



#5 yaman


Posted 14 September 2008 - 11:47 AM

Hi,

Here are both results:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, September 14, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, September 13, 2008 23:20:00
Records in database: 1221843
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 139905
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 07:25:10

No malware has been detected. The scan area is clean.

The selected area was scanned.


And,


Sophos Anti-Rootkit Version 1.3.1 (data 1.08) © 2006 Sophos Plc
Started logging on 14/09/2008 at 12:31:21 PM
Stopped logging on 14/09/2008 at 12:40:46 PM

None of these came up with any kind of infection. Am I home free?

Thanks again Rigel

#6 rigel


Posted 14 September 2008 - 03:50 PM

With all the 0's showing up, I would think so.

I wish we could get a hold of the files that AVG is flagging. Does AVG still show an infection? See if these files are showing in quarantine.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.



#7 yaman


Posted 14 September 2008 - 07:36 PM

Hi Rigel,

To answer your question, AVG still sees the hidden driver. Even when I go about the removal of the file, it comes back under a different name. You must know this already, but when you remove a rootkit infection it prompts you to reboot. Once the reboot is done I run the scan and the file is still there, but under another name.
I did not save my restore point as I don't think the issue is solved yet, unless you tell me that the result may be a false positive.

Should I run the scan in Safe Mode?

Let me know.

Thanks

#8 Budapest


Posted 14 September 2008 - 07:41 PM

Yeah, I would try running the AVG scan in Safe Mode.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#9 rigel


Posted 14 September 2008 - 08:17 PM

No, I'm not ready to say that your problem is gone.

    If there are no more problems or signs of infection you should Create a New Restore Point.

That was only intended if AVG was clear. AVG will not remove your rootkit. It just isn't robust enough. With the tools you have already run - all displaying 0's, we either have something that is a major issue that will have to be dealt with in the HJT forum, or we have a false positive.

I am going to consult with a malware expert on this one. I will get back to you as soon as possible.



#10 rigel


Posted 14 September 2008 - 09:26 PM

Hi yaman,

Question??? Are you using Daemon tools or Alcohol?

Here is our plan...

First, make sure you can see hidden system files.
Open My Computer
From the file menu at the top, Click Tools - Folder Options
The Folder Options window will open
Select the View tab
Make sure these items are selected: Display Contents of System Folders / Show Hidden Files and Folders
Make sure these items are not selected: Hide Extensions for Known File Types / Hide Protected Operating System Files.
Click the Apply to all folders button - also click Apply at the bottom of the window.
You can close this window now.
(After we are finished - You can reset these items if you wish)

Please scan with AVG again. (Do it the way you did before) DO NOT REMOVE THE FILE. Instead, browse to the location shown and see if the files are present. If they are, please submit them to www.virustotal.com, and get a report on the files. Post that report here.

Next,
Run a scan using gmer
Download from here: http://www.gmer.net/gmer.zip
Unzip it to its own folder.
Disconnect from the internet and temporarily shutdown your antivirus to prevent conflicts with gmer.
Also shutdown any apps or browser windows you may have open - The less things we have running, the less chance of a false positive.
Double click gmer.exe to run it.
Allow a driver - gmer.sys to install if asked.
You may get a warning at program start that there is rootkit activity and do you want a scan.
Click OK to run the scan.
If no warning - just click scan.
Let the scan finish.
Once done, Press Save.
In the new window that pops up, name the log and save it to an easily accessible place.
Press save.

Be sure to re-enable your Antivirus, and reconnect your internet - Post the log here.
Thanks,
rigel



#11 yaman


Posted 15 September 2008 - 07:31 PM

    Hi yaman,

    Question??? Are you using Daemon tools or Alcohol?


Hi Rigel,
To answer your question, I do use Daemon Tools.

I did what you asked for the options to see hidden files and ran AVG... I don't see the files that AVG has tagged, or even anything remotely similar.

I did run Gmer and here are the results:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-09-15 20:20:14
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT spzm.sys ZwCreateKey [0xB9EA80E0]
SSDT spzm.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT spzm.sys ZwEnumerateValueKey [0xB9EC7030]
SSDT spzm.sys ZwOpenKey [0xB9EA80C0]
SSDT spzm.sys ZwQueryKey [0xB9EC7108]
SSDT spzm.sys ZwQueryValueKey [0xB9EC6F88]
SSDT spzm.sys ZwSetValueKey [0xB9EC719A]

INT 0x62 ? 89DE4BF8
INT 0x63 ? 89A43F00
INT 0x94 ? 89A43F00
INT 0xB4 ? 89DE4BF8
INT 0xB4 ? 89DE4BF8
INT 0xB4 ? 89A43F00
INT 0xB4 ? 89DE4BF8

---- Kernel code sections - GMER 1.0.14 ----

? spzm.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B942362C 5 Bytes JMP 89A434E0
.text a96hm3yf.SYS B92DA384 1 Byte [ 20 ]
.text a96hm3yf.SYS B92DA386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text a96hm3yf.SYS B92DA3AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text a96hm3yf.SYS B92DA3C4 3 Bytes [ 00, 00, 00 ]
.text a96hm3yf.SYS B92DA3C9 1 Byte [ 00 ]
.text ...

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spzm.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA913C] spzm.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA90BE] spzm.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA97FC] spzm.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA96D2] spzm.sys
IAT \SystemRoot\System32\Drivers\a96hm3yf.SYS[HAL.dll!KfAcquireSpinLock] 0A64D90F
IAT \SystemRoot\System32\Drivers\a96hm3yf.SYS[HAL.dll!READ_PORT_UCHAR] 046FD406
IAT \SystemRoot\System32\Drivers\a96hm3yf.SYS[HAL.dll!KeGetCurrentIrql] 1672C31D
IAT \SystemRoot\System32\Drivers\a96hm3yf.SYS[HAL.dll!KfRaiseIrql] 1879CE14
IAT \SystemRoot\System32\Drivers\a96hm3yf.SYS[HAL.dll!KfLowerIrql] 3248ED2B
IAT \SystemRoot\System32\Drivers\a96hm3yf.SYS[HAL.dll!HalGetInterruptVector] 3C43E022
IAT \SystemRoot\System32\Drivers\a96hm3yf.SYS[HAL.dll!HalTranslateBusAddress] 2E5EF739
IAT \SystemRoot\System32\Drivers\a96hm3yf.SYS[HAL.dll!KeStallExecutionProcessor] 2055FA30
IAT \SystemRoot\System32\Drivers\a96hm3yf.SYS[HAL.dll!KfReleaseSpinLock] EC01B79A
IAT \SystemRoot\System32\Drivers\a96hm3yf.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] E20ABA93
IAT \SystemRoot\System32\Drivers\a96hm3yf.SYS[HAL.dll!READ_PORT_USHORT] F017AD88
IAT \SystemRoot\System32\Drivers\a96hm3yf.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] FE1CA081
IAT \SystemRoot\System32\Drivers\a96hm3yf.SYS[HAL.dll!WRITE_PORT_UCHAR] D42D83BE
IAT \SystemRoot\System32\Drivers\a96hm3yf.SYS[WMILIB.SYS!WmiSystemControl] C83B99AC
IAT \SystemRoot\System32\Drivers\a96hm3yf.SYS[WMILIB.SYS!WmiCompleteRequest] C63094A5

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 89DE31F8
Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBPDO-0 89A2D500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89E541F8
Device \Driver\dmio \Device\DmControl\DmConfig 89E541F8
Device \Driver\dmio \Device\DmControl\DmPnP 89E541F8
Device \Driver\dmio \Device\DmControl\DmInfo 89E541F8
Device \Driver\usbuhci \Device\USBPDO-1 89A2D500
Device \Driver\usbuhci \Device\USBPDO-2 89A2D500
Device \Driver\usbuhci \Device\USBPDO-3 89A2D500
Device \Driver\usbehci \Device\USBPDO-4 89A2C500
Device \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\NetBT \Device\NetBT_Tcpip_{34625FA8-8D77-47C2-BE0D-B83F85B9C093} 89A93500
Device \Driver\Ftdisk \Device\HarddiskVolume1 89DE51F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89DE51F8
Device \Driver\Cdrom \Device\CdRom0 89AC01F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{0FDF4C46-B3AE-4C5D-AE21-F3FEAB5E5824} 89A93500
Device \Driver\Cdrom \Device\CdRom1 89AC01F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 89DE41F8
Device \Driver\atapi \Device\Ide\IdePort0 89DE41F8
Device \Driver\atapi \Device\Ide\IdePort1 89DE41F8
Device \Driver\atapi \Device\Ide\IdePort2 89DE41F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-10 89DE41F8
Device \Driver\sptd \Device\2542273890 spzm.sys
Device \Driver\Cdrom \Device\CdRom2 89AC01F8
Device \Driver\Cdrom \Device\CdRom3 89AC01F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{E8FA14A8-01A4-40C2-B1C0-25C186BC9D82} 89A93500
Device \Driver\Cdrom \Device\CdRom4 89AC01F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89A93500
Device \Driver\NetBT \Device\NetbiosSmb 89A93500
Device \Driver\USBSTOR \Device\00000079 89987500
Device \Driver\PCI_PNP0140 \Device\0000004d spzm.sys
Device \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBFDO-0 89A2D500
Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-1 89A2D500
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-2 89A2D500
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89996500
Device \Driver\Tcpip \Device\IPMULTICAST avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBFDO-3 89A2D500
Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89996500
Device \Driver\usbehci \Device\USBFDO-4 89A2C500
Device \Driver\usbehci \Device\USBFDO-4 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\Ftdisk \Device\FtControl 89DE51F8
Device \Driver\USBSTOR \Device\0000007f 89987500
Device \Driver\NetBT \Device\NetBT_Tcpip_{3C512671-C89D-429C-A287-2EC180B776B6} 89A93500
Device \Driver\a96hm3yf \Device\Scsi\a96hm3yf1Port3Path0Target3Lun0 89AF4500
Device \Driver\a96hm3yf \Device\Scsi\a96hm3yf1Port3Path0Target0Lun0 89AF4500
Device \Driver\a96hm3yf \Device\Scsi\a96hm3yf1Port3Path0Target2Lun0 89AF4500
Device \Driver\a96hm3yf \Device\Scsi\a96hm3yf1 89AF4500
Device \Driver\a96hm3yf \Device\Scsi\a96hm3yf1Port3Path0Target1Lun0 89AF4500
Device \FileSystem\Cdfs \Cdfs 89AF2500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB4 0x74 0xF5 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBA 0xA7 0xB7 0x5C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x7E 0x33 0x7B 0xDD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xFF 0x53 0x81 0xA2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x8D 0x25 0x0E 0xFF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xF3 0x8E 0xCE 0xE4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB4 0x74 0xF5 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xBA 0xA7 0xB7 0x5C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x7E 0x33 0x7B 0xDD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xFF 0x53 0x81 0xA2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x8D 0x25 0x0E 0xFF ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xF3 0x8E 0xCE 0xE4 ...

---- EOF - GMER 1.0.14 ----


I'll be waiting for your feedback

Thanks.

#12 rigel


Posted 15 September 2008 - 08:55 PM

    I do use Daemon Tools.


You are in the clear. AVG is detecting a file that is used by Daemon tools. The file names are random and are self deleting for copy protection.




:thumbsup: Special thanks to the angels of our HJT team! :flowers:

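As an added triage example (not GMER's code and not anything posted in this thread), the script below encodes the reasoning rigel applied to the log above: kernel hooks owned by the file behind \Driver\sptd, whose registry Cfg@p0 value names the installing product, belong to the SPTD layer of a disc emulator, and an eight-character random driver that exposes only its own \Device\Scsi\ bus while SPTD is loaded is the emulator's virtual SCSI adapter; any other SSDT/IAT hooker or random-named driver is left for a human to investigate. The eight-character rule, the SCSI-bus check and the trimmed sample log are my own assumptions and constructions.

```python
"""Triage a GMER log: attribute kernel hooks and random-named drivers to SPTD
(the DAEMON Tools / Alcohol driver layer) only when the log itself supports it,
and flag everything else for investigation."""
import re
from collections import defaultdict

# Excerpt modelled on the GMER log posted earlier in this thread (constructed input).
SAMPLE_LOG = r"""
---- System - GMER 1.0.14 ----

SSDT spzm.sys ZwCreateKey [0xB9EA80E0]
SSDT spzm.sys ZwOpenKey [0xB9EA80C0]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spzm.sys
IAT \SystemRoot\System32\Drivers\a96hm3yf.SYS[HAL.dll!KfAcquireSpinLock] 0A64D90F

---- Devices - GMER 1.0.14 ----

Device \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\sptd \Device\2542273890 spzm.sys
Device \Driver\a96hm3yf \Device\Scsi\a96hm3yf1Port3Path0Target0Lun0 89AF4500
Device \Driver\a96hm3yf \Device\Scsi\a96hm3yf1 89AF4500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
"""

# Eight alphanumerics, like the al0278od / 23l4gt89 names AVG reported (heuristic assumption).
RANDOM_DRIVER = re.compile(r"^[a-z0-9]{8}$")


def parse_gmer(text):
    """Collect SSDT hooks, IAT hooks, device ownership and registry data from a GMER log."""
    rep = {"ssdt": defaultdict(list), "iat": defaultdict(list),
           "devices": defaultdict(list), "reg": {}}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        tag = parts[0]
        if tag == "SSDT":                       # SSDT <driver> <Zw function> [addr]
            rep["ssdt"][parts[1].lower()].append(parts[2])
        elif tag == "IAT":                      # IAT <module>[<import>] ... <owner.sys | bare address>
            m = re.match(r"(.+?)\[(.+?)\]$", parts[1])
            owner = parts[-1].lower() if parts[-1].lower().endswith(".sys") else None
            if m:
                rep["iat"][owner].append((m.group(1).rsplit("\\", 1)[-1].lower(), m.group(2)))
        elif tag == "Device" and len(parts) >= 4:   # Device \Driver\<obj> \Device\<name> <owner>
            rep["devices"][parts[1].rsplit("\\", 1)[-1].lower()].append((parts[2], parts[3].lower()))
        elif tag == "Reg" and "@" in parts[1]:  # Reg <key>@<value name> <data>
            key, _, name = parts[1].partition("@")
            rep["reg"][(key.lower(), name)] = " ".join(parts[2:])
    return rep


def triage(rep):
    """Return {driver: (verdict, reason)} for every hooking or random-named driver."""
    verdicts = {}
    # The file that backs \Driver\sptd, and the product path SPTD records under Cfg@p0.
    sptd_files = {owner for _, owner in rep["devices"].get("sptd", [])}
    product = next((data for (key, name), data in rep["reg"].items()
                    if "\\services\\sptd\\" in key and name == "p0"), None)
    hookers = set(rep["ssdt"]) | {o for o in rep["iat"] if o}
    for drv in sorted(hookers):
        if drv in sptd_files and product:
            verdicts[drv] = ("sptd-layer", "owns \\Driver\\sptd; Cfg@p0 = " + product)
        else:
            verdicts[drv] = ("investigate", "kernel hooks not attributable to SPTD")
    for drv, devs in rep["devices"].items():
        if not RANDOM_DRIVER.match(drv):
            continue
        own_bus = all(d.lower().startswith("\\device\\scsi\\" + drv) for d, _ in devs)
        if own_bus and sptd_files:
            verdicts[drv] = ("virtual-scsi", "random-named driver exposing only its own SCSI bus while SPTD is loaded")
        else:
            verdicts[drv] = ("investigate", "random-named driver; have the file itself checked (e.g. VirusTotal)")
    return verdicts


if __name__ == "__main__":
    for drv, (verdict, reason) in triage(parse_gmer(SAMPLE_LOG)).items():
        print(f"{drv:12} {verdict:13} {reason}")
```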


#13 yaman


Posted 15 September 2008 - 10:26 PM

I'm glad to hear that my PC is not infected.
I will uninstall Daemon Tools and see if AVG still picks up on that hidden file. If so, I'll let you know.

Thanks for your help and time; it was much appreciated.

Yaman

Edited by yaman, 16 September 2008 - 06:00 AM.


#14 yaman


Posted 16 September 2008 - 05:51 PM

Hi Rigel,

It's confirmed. I uninstalled Daemon Tools and ran the AVG rootkit scan, and it came out clean.

Thanks again for your help, patience and dedication.

Cheers.

#15 rigel


Posted 16 September 2008 - 05:54 PM

From me, and the BC family - you are welcome :thumbsup:

Safe surfing!
