
win32/kryptik.gh trojan


12 replies to this topic

#1 fixmeplz

fixmeplz

  • Members
  • 9 posts

Posted 06 February 2009 - 02:50 PM

hello all,

I have the 'win32/kryptik.GH trojan', which I think is also the RECYCLER virus... but I could be, and probably am, completely wrong.
I have ESET NOD32 antivirus. When I run a scan it finds this trojan/virus, but when I rerun it, it finds the same virus, so I am presuming that it can't delete it.
I am fairly sure that the trojan/virus is preventing ESET from updating, and the same problem occurs when I try to update Windows Defender. Is this possible?
I have C and D hard drives and have the 'win32/kryptik.GH trojan' on both. I am 99% sure I got the virus from my housemate's USB stick and now have it on two of my USB sticks. I have tried formatting the USB sticks but even that does not delete it.

I have taken screenshots of my antivirus results but can't work out how to upload/attach them.

please help

cheers

k


#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 06 February 2009 - 04:43 PM

Hello.

Let's see what we can find.

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

Download and run MalwareBytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Create and Run Batch Script
  • Copy the following into a notepad (Start>Run>"notepad"). Do not copy the word "code".
    @Echo off
    
    reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2" /s >Log.txt
    start notepad log
    del %0
  • Click File, then Save As... .
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input look.bat
  • Hit OK.

Double click look.bat. If you are using Windows Vista, right click the icon and select "Run as Administrator". Notepad will then open. Post the contents of that in your next reply.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to [image].

#3 fixmeplz

fixmeplz
  • Topic Starter

  • Members
  • 9 posts

Posted 06 February 2009 - 07:39 PM

hello extremeboy,

Thank you for your rapid response. I have tried to follow the steps given but without success.
It won't let me download and run FlashDisinfector, as my ESET terminated the connection and quarantined it, saying "probably a variant of Win32/Agent trojan".... I once managed to download the file but when I try and run it, an error message appears saying "some installation files are corrupt. please download a fresh copy and retry the installation".

This message appears in the WinRAR self-extracting archive:

Extracting Flash_Disinfector.cmd
Extracting nircmd.exe
Extracting Drives.vbs
Extracting vfind.exe
Extracting pv.exe
CRC failed in pv.exe
Unexpected end of archive

I also tried to move on to step two and download Malwarebytes Anti-Malware. I managed to download and install it, but it cannot update, nor could I do it manually. Even so, I ran Malwarebytes Anti-Malware without the update but I could not locate anything.

any further assistance would be much appreciated. :thumbsup:

cheers

k

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 06 February 2009 - 08:10 PM

Hello.

In this case please temporarily disable your ESET anti-virus when downloading and running it. Refer to this page if you are unsure how to disable it. Re-enable it once you have finished running Flash Disinfector. Could you answer the following question: why are you extracting the file? Just double click on it to run it. If the package is corrupt, re-download it.

Run flash-drive disinfector and the batch script I mentioned in my previous post.

With Regards,
Extremeboy

#5 fixmeplz

fixmeplz
  • Topic Starter

  • Members
  • 9 posts

Posted 07 February 2009 - 04:50 PM

hello again extremeboy,

After many issues, and with the aid of a second-party laptop and Skype, I have managed to complete the tasks you set.

This is the log from Malwarebytes:

Malwarebytes' Anti-Malware 1.33
Database version: 1736
Windows 5.1.2600 Service Pack 3

07/02/2009 20:42:47
mbam-log-2009-02-07 (20-42-47).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)
Objects scanned: 168944
Time elapsed: 58 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\aquaplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a58b2a41-3aa7-4fbf-93ff-e279189169c6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a58b2a41-3aa7-4fbf-93ff-e279189169c6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{a58b2a41-3aa7-4fbf-93ff-e279189169c6}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.39,85.255.112.40 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\gaopdxpyxmtbow.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\RECYCLER\S-7-6-16-100020226-100018098-100013592-1825.com (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\tempo-197375.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\tempo-197671.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxiyyvekxj.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxkmxdompj.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxltfaiqqu.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxmyriplyx.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxnqodjkwn.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxnsmlgido.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxptxujotr.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxudoymevn.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxuoyenhtp.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\gaopdxxrhdkmrg.sys (Trojan.Agent) -> Quarantined and deleted successfully.


--------------------------------------------------------------------------------------------------------------------------------


and this is the log from the "Create and Run Batch Script"


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5F01000101EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF002000000009000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\_Autorun

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\_Autorun\Action
<NO NAME> REG_SZ Run U3 Launchpad

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\_Autorun\DefaultIcon
<NO NAME> REG_SZ G:\LaunchU3.exe,0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H
BaseClass REG_SZ Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{03ff5c84-afda-11dd-9d90-0019db299323}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5F005F5F5F5F5FCFCF5F5F5F5F010100EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008020000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{03ff5c8d-afda-11dd-9d90-0019db299323}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5F01000101EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000100000008070000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{03ff5c8d-afda-11dd-9d90-0019db299323}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{03ff5c8d-afda-11dd-9d90-0019db299323}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{03ff5c8d-afda-11dd-9d90-0019db299323}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05cab6e3-5347-11dd-9d09-0019db299323}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5F005F5F5F5F5FCFCF5F5F5F5F010100EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008010000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05cab6e3-5347-11dd-9d09-0019db299323}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05cab6e3-5347-11dd-9d09-0019db299323}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05cab6e3-5347-11dd-9d09-0019db299323}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{14219fc4-4b82-11dd-94ac-806d6172696f}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FCF5F5F5F5FCFCF5F5F5FCF0101005F5FEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00200000000C000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{14219fc5-4b82-11dd-94ac-806d6172696f}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FCF5F5F5F5FCFCF5F5F5FCFCFCF5F5F5FCFCFCF5F5F5FCFCFCF5F5F5FCF0100FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF006000000010000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{14219fc6-4b82-11dd-94ac-806d6172696f}
BaseClass REG_SZ Drive
_LabelFromReg REG_SZ Main Local Disk

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{14219fc7-4b82-11dd-94ac-806d6172696f}
BaseClass REG_SZ Drive
_LabelFromReg REG_SZ Mulitmedia Local Disk

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2323d66a-6ea9-11dd-9d23-0019db299323}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5F005F5F5F5F5FCFCF5F5F5F5F010100EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000010000008010000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2323d66a-6ea9-11dd-9d23-0019db299323}\shell
<NO NAME> REG_SZ None

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2323d66a-6ea9-11dd-9d23-0019db299323}\shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2323d66a-6ea9-11dd-9d23-0019db299323}\shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}

_____________________________________________________________________________________


I have been able to update Windows Defender but it finds nothing when I run a scan. I think ESET has now updated but it still can't delete it.
This is what my ESET NOD32 finds when I run a scan:


C:\Documents and Settings\Keiran Camilo\Local Settings\Temp\tmp30C1.tmp - a variant of Win32/Kryptik.GH trojan
C:\Documents and Settings\Keiran Camilo\Local Settings\Temp\tmp32D8.tmp - a variant of Win32/Kryptik.GH trojan
C:\Documents and Settings\Keiran Camilo\Local Settings\Temp\tmp39C5.tmp - a variant of Win32/Kryptik.GH trojan
C:\Documents and Settings\Keiran Camilo\Local Settings\Temp\tmp8.tmp - a variant of Win32/Kryptik.GH trojan
C:\WINDOWS\Temp\1682375.tmp - a variant of Win32/Kryptik.GH trojan
C:\WINDOWS\Temp\196390.tmp - a variant of Win32/Kryptik.GH trojan
C:\WINDOWS\Temp\22929296.tmp - a variant of Win32/Kryptik.GH trojan
C:\WINDOWS\Temp\2633234.tmp - a variant of Win32/Kryptik.GH trojan
C:\WINDOWS\Temp\36891218.tmp - a variant of Win32/Kryptik.GH trojan
C:\WINDOWS\Temp\4428234.tmp - a variant of Win32/Kryptik.GH trojan
C:\WINDOWS\Temp\4636296.tmp - a variant of Win32/Kryptik.GH trojan
D:\RECYCLER\S-7-6-16-100020226-100018098-100013592-1825.com - a variant of Win32/Kryptik.GH trojan


I think I can find the location of the trojan/virus. Is this of any use?

cheers

k
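
The MountPoints2 dump from the look.bat query and the NameServer entries in the MBAM log above are both registry data, and both are things a responder checks by hand on a machine like this one: which volumes Explorer has cached autorun actions for, and whether the DNS resolvers have been pointed somewhere unexpected. The Python below is an added example, not part of this thread or of any tool it mentions. It parses the text that `reg query <key> /s` prints and runs both checks over it. The two dumps embedded in it are constructed to imitate the layout of the logs posted above: the volume GUIDs, the `RECYCLER\S-7-6-16-1825.com` command and the allowlisted `192.168.1.1` resolver are assumptions for the sample, while the 85.255.112.39 and 85.255.112.40 addresses are the ones the MBAM log reported.

```python
r"""Parse what ``reg query <key> /s`` prints and run two triage checks on it:
cached autorun actions under Explorer\MountPoints2, and static DNS resolvers
under Tcpip\Parameters that are not on an allowlist. Both dumps below are
constructed for this example in reg.exe 3.0's layout; the volume GUIDs are
placeholders, the 85.255.112.x resolvers are the ones the MBAM log reported."""
import re
from collections import OrderedDict

MOUNTPOINTS_ROOT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"

MOUNTPOINTS_DUMP = r"""
! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C
    BaseClass    REG_SZ    Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G
    BaseClass    REG_SZ    Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\_Autorun\Action
    <NO NAME>    REG_SZ    Run U3 Launchpad

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000001}
    BaseClass    REG_SZ    Drive

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00000000-0000-0000-0000-000000000001}\Shell\AutoRun\command
    <NO NAME>    REG_SZ    RECYCLER\S-7-6-16-1825.com
"""

TCPIP_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    NameServer    REG_SZ    85.255.112.39,85.255.112.40

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000002}
    NameServer    REG_SZ    192.168.1.1
    DhcpNameServer    REG_SZ    192.168.1.1
"""

# A value line is "<name> <REG_type> <data>"; the data part may be empty.
_VALUE_RE = re.compile(r"^\s*(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")


def parse_reg_query(text):
    """Return {key path: {value name: (type, data)}} in the order reg.exe printed the keys."""
    keys = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):      # spacer or the REG.EXE banner
            continue
        if line.startswith("HKEY_"):              # key header line
            current = line.strip()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = (m.group("type"), m.group("data").strip())
    return keys


def volumes_with_autorun(keys, root=MOUNTPOINTS_ROOT):
    """Map each MountPoints2 volume (drive letter or GUID) to the autorun
    actions Explorer cached for it; volumes with no such subkeys are omitted."""
    prefix = root.rstrip("\\") + "\\"
    found = {}
    for path, values in keys.items():
        if not path.startswith(prefix):
            continue
        volume, _, subkey = path[len(prefix):].partition("\\")
        low = subkey.lower()
        if low.startswith("_autorun") or low.startswith("shell\\autorun"):
            for _type, data in values.values():
                found.setdefault(volume, []).append(f"{subkey}: {data}")
    return found


def unexpected_nameservers(keys, allowed):
    """Return [(key path, resolver)] for each static NameServer entry that is
    not allowlisted. DhcpNameServer is ignored: DHCP rewrites it, whereas a
    DNS changer plants a static NameServer that survives lease renewals."""
    allowed = set(allowed)
    hits = []
    for path, values in keys.items():
        if "NameServer" not in values:
            continue
        for resolver in re.split(r"[,\s]+", values["NameServer"][1]):
            if resolver and resolver not in allowed:
                hits.append((path, resolver))
    return hits


if __name__ == "__main__":
    for volume, actions in volumes_with_autorun(parse_reg_query(MOUNTPOINTS_DUMP)).items():
        print(f"volume {volume}: {actions}")
    for path, resolver in unexpected_nameservers(parse_reg_query(TCPIP_DUMP), {"192.168.1.1"}):
        print(f"unexpected resolver {resolver} in {path}")
```

To use it on a real machine, save the output of the look.bat query (or of `reg query "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /s`) to a file and pass its text to `parse_reg_query`. Newer versions of reg.exe print the default value as `(Default)` rather than `<NO NAME>`; the parser treats either as an ordinary value name, so the checks work unchanged. A volume that shows up in `volumes_with_autorun` is not proof of infection (the U3 launchpad entry in the thread's own log is a legitimate vendor feature), but it tells you which removable drives have had an autorun.inf read by Explorer and therefore need their root directory inspected.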

#6 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 07 February 2009 - 06:47 PM

Hello.

Looks like there are some rootkits involved here.

Download and Run ATFCleaner

Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.

This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
If you use Firefox browser also...
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser also...
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Download and Run OTMoveIT3
  • Please download OTMoveIt3 by OldTimer and save it to your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Double click the [image] icon on your desktop.
  • Paste the following code under the [image] area. Do not include the word "Code".
    :files
    C:\Documents and Settings\Keiran Camilo\Local Settings\Temp\tmp30C1.tmp 
    C:\Documents and Settings\Keiran Camilo\Local Settings\Temp\tmp32D8.tmp
    C:\Documents and Settings\Keiran Camilo\Local Settings\Temp\tmp39C5.tmp 
    C:\Documents and Settings\Keiran Camilo\Local Settings\Temp\tmp8.tmp 
    C:\Documents and Settings\Keiran Camilo\Local Settings\Temp\
    C:\WINDOWS\Temp\1682375.tmp 
    C:\WINDOWS\Temp\196390.tmp 
    C:\WINDOWS\Temp\22929296.tmp
    C:\WINDOWS\Temp\2633234.tmp 
    C:\WINDOWS\Temp\36891218.tmp 
    C:\WINDOWS\Temp\4428234.tmp 
    C:\WINDOWS\Temp\4636296.tmp 
    C:\WINDOWS\Temp\
    C:\RECYCLER\
    D:\RECYCLER\
    E:\RECYCLER\
    F:\RECYCLER\
    G:\RECYCLER\
    H:\RECYCLER\
    :reg
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{03ff5c8d-afda-11dd-9d90-0019db299323}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05cab6e3-5347-11dd-9d09-0019db299323}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{14219fc4-4b82-11dd-94ac-806d6172696f}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2323d66a-6ea9-11dd-9d23-0019db299323}]
    :commands
    [EmptyTemp]
    [Reboot]
  • Click the large [image] button.
  • Copy/Paste the contents under the [image] line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop buttons turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode, try running it in Safe Mode.

Important! Please do not select the Show all checkbox during the scan.

Tell me what problems you still have in addition to the logs I requested before.

With Regards,
Extremeboy

#7 Blokeski

Blokeski

  • Members
  • 1 posts

Posted 07 February 2009 - 08:19 PM

Hi,

Having the exact same problem here. My Windows Update goes to a Google Page Not Found. I cannot update any AV/Malware programs. Followed the above instructions. Rootkit program found this.

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-08 01:18:14
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xB811887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xB8118C10]

Code 87251130 ZwEnumerateKey
Code 8A6FBD98 ZwFlushInstructionCache
Code 8A605D60 ZwQueryValueKey
Code 8721F77E IofCallDriver
Code 87224116 IofCompleteRequest

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 8721F783
.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 8722411B
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805B6812 5 Bytes JMP 8A6FBD9C
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 5 Bytes JMP 8A605D64
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 5 Bytes JMP 87251134

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[804] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [ C2, 04, 00, 00 ]
.text C:\Program Files\Webroot\Washer\WasherSvc.exe[2492] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes [ B3, E6, 87, 83 ]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\gaopdxdpmetfyy.sys (*** hidden *** ) B52AF000-B52D9000 (172032 bytes)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\drivers\gaopdxdpmetfyy.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxdpmetfyy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxdpmetfyy.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxulqbrpaf.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxdpmetfyy.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxdpmetfyy.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxulqbrpaf.dll

---- EOF - GMER 1.0.14 ----


Any help would be gratefully received, as this is driving me effing nuts. I think it was installed from my USB drive, but I can't track it down to get rid of it.
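
The GMER log above carries the three findings a responder reads first: a module and a service flagged `*** hidden ***`, the registry entries that tie that service to its driver file, and inline JMP patches on kernel exports. The Python below is an added example, not part of this thread or of GMER itself. It splits a GMER text log into its sections, lists the hidden modules and services, looks up each hidden service's imagepath among the registry lines, and records kernel JMP patches. The embedded log is constructed to copy the GMER 1.0.14 layout of the one posted above; `exampledrv.sys` and `exampleserv.sys` are placeholder names, while the Lbd.sys SSDT entry, the ESET user-mode line and the kernel addresses are taken from the log as posted.

```python
r"""Triage a GMER rootkit log: list modules and services GMER marked hidden,
tie each hidden service to the imagepath GMER read back from the registry,
and record inline JMP patches on kernel exports. The log below is constructed
to copy the GMER 1.0.14 layout; exampledrv.sys / exampleserv.sys are placeholders."""
import re

SAMPLE_GMER_LOG = r"""GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-08 01:18:14
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT  Lbd.sys (Boot Driver/Lavasoft AB)  ZwCreateKey [0xB811887E]

---- Kernel code sections - GMER 1.0.14 ----

.text  ntkrnlpa.exe!IofCallDriver  804EF1A6 5 Bytes  JMP 8721F783
PAGE   ntkrnlpa.exe!ZwEnumerateKey  80623FD2 5 Bytes  JMP 87251134

---- User code sections - GMER 1.0.14 ----

.text  C:\Program Files\ESET\ESET Smart Security\ekrn.exe[804] kernel32.dll!SetUnhandledExceptionFilter  7C8449FD 4 Bytes  [ C2, 04, 00, 00 ]

---- Modules - GMER 1.0.14 ----

Module  \systemroot\system32\drivers\exampledrv.sys (*** hidden *** )  B52AF000-B52D9000 (172032 bytes)

---- Services - GMER 1.0.14 ----

Service  C:\WINDOWS\system32\drivers\exampledrv.sys (*** hidden *** )  [SYSTEM] exampleserv.sys  <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\exampleserv.sys@start  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\exampleserv.sys@imagepath  \systemroot\system32\drivers\exampledrv.sys

---- EOF - GMER 1.0.14 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
HIDDEN_MODULE_RE = re.compile(r"^Module\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)")
HIDDEN_SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<account>[^\]]+)\]\s+(?P<name>\S+)")
# "<section> <symbol> <address> <n> Bytes <patch>" as GMER prints kernel code patches.
KERNEL_PATCH_RE = re.compile(
    r"^(?P<sect>\.text|PAGE|INIT)\s+(?P<symbol>.+?)\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+) Bytes\s+(?P<patch>.+)$")
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@\s]+)@(?P<value>\S+)\s+(?P<data>.*)$")


def split_sections(log):
    """Group the log's non-empty lines by their '---- Name - GMER x.y ----' header."""
    sections = {"Header": []}
    current = "Header"
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def triage_gmer(log):
    """Return hidden modules, hidden services (with their registry imagepath),
    kernel inline JMP hooks, and a coarse verdict for the analyst to confirm."""
    sections = split_sections(log)

    # (key, value name) -> data, lower-cased so control-set and case differences do not matter.
    reg = {}
    for line in sections.get("Registry", []):
        m = REG_RE.match(line)
        if m:
            reg[(m.group("key").lower(), m.group("value").lower())] = m.group("data").strip()

    hidden_modules = []
    for line in sections.get("Modules", []):
        m = HIDDEN_MODULE_RE.match(line)
        if m:
            hidden_modules.append(m.group("path"))

    hidden_services = []
    for line in sections.get("Services", []):
        m = HIDDEN_SERVICE_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        imagepath = next((data for (key, value), data in reg.items()
                          if value == "imagepath" and key.endswith("\\services\\" + name.lower())), None)
        hidden_services.append({"name": name, "image": m.group("path"),
                                "account": m.group("account"), "registry_imagepath": imagepath})

    # Inline JMP patches on kernel exports; security products also place these, so attribution is left to the analyst.
    hooks = []
    for line in sections.get("Kernel code sections", []):
        m = KERNEL_PATCH_RE.match(line)
        if m and m.group("patch").upper().startswith("JMP"):
            hooks.append((m.group("symbol"), m.group("patch").split()[1]))

    if hidden_modules or hidden_services:
        verdict = "rootkit"
    elif hooks:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hidden_modules": hidden_modules, "hidden_services": hidden_services,
            "kernel_inline_hooks": hooks, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage_gmer(SAMPLE_GMER_LOG).items():
        print(f"{key}: {value}")
```

Read the verdict the way extremeboy does in the thread: a hidden module or service means the kernel is lying to every user-mode scanner on the box, and the imagepath pulled from the registry lines is the file a reinstall or an offline scan has to account for. Kernel JMP patches on their own only rate "review", because the SSDT entries from Lbd.sys and the ESET user-mode patches in the same log show that legitimate security products hook the same places; the analyst has to attribute each patch target before calling it malicious.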

#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 07 February 2009 - 08:37 PM

Hello Blokeski.

To avoid confusion for me and fixmeplz, please start another topic in this forum. You can link to this thread if you wish, but do not follow the instructions I give to fixmeplz, because they may not be the same for everyone.

BTW, you have a rootkit infection present here; it may be best to format/reinstall since your computer is already compromised. Do not post back to this topic, as this is fixmeplz's topic; please start your own topic.

Thank you for understanding.

With Regards,
Extremeboy

#9 fixmeplz

fixmeplz
  • Topic Starter

  • Members
  • 9 posts

Posted 08 February 2009 - 12:07 AM

Hello hello Extremeboy,

OK, the results from ATFCleaner are:

========== FILES ==========
File/Folder C:\Documents and Settings\Keiran Camilo\Local Settings\Temp\tmp30C1.tmp not found.
File/Folder C:\Documents and Settings\Keiran Camilo\Local Settings\Temp\tmp32D8.tmp not found.
File/Folder C:\Documents and Settings\Keiran Camilo\Local Settings\Temp\tmp39C5.tmp not found.
File/Folder C:\Documents and Settings\Keiran Camilo\Local Settings\Temp\tmp8.tmp not found.
C:\Documents and Settings\Keiran Camilo\Local Settings\Temp\~nsu.tmp moved successfully.
C:\Documents and Settings\Keiran Camilo\Local Settings\Temp\{F773733F-6D49-476D-B1DD-4F37A83250E0}\Disk1 moved successfully.
C:\Documents and Settings\Keiran Camilo\Local Settings\Temp\{F773733F-6D49-476D-B1DD-4F37A83250E0} moved successfully.
C:\Documents and Settings\Keiran Camilo\Local Settings\Temp\{EDCDCEF5-F3D3-449B-B41C-0B549BDE07B5} moved successfully.
C:\Documents and Settings\Keiran Camilo\Local Settings\Temp\{BBB1B662-ED68-44E8-A17B-3B6D675470CC}\{12E75B98-8463-4C1F-8DDA-F6CF31566A55} moved successfully.
C:\Documents and Settings\Keiran Camilo\Local Settings\Temp\{BBB1B662-ED68-44E8-A17B-3B6D675470CC} moved successfully.
Folder move failed. C:\Documents and Settings\Keiran Camilo\Local Settings\Temp scheduled to be moved on reboot.
File/Folder C:\WINDOWS\Temp\1682375.tmp not found.
File/Folder C:\WINDOWS\Temp\196390.tmp not found.
File/Folder C:\WINDOWS\Temp\22929296.tmp not found.
File/Folder C:\WINDOWS\Temp\2633234.tmp not found.
File/Folder C:\WINDOWS\Temp\36891218.tmp not found.
File/Folder C:\WINDOWS\Temp\4428234.tmp not found.
File/Folder C:\WINDOWS\Temp\4636296.tmp not found.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\XBUYYFPS moved successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\V2JFPSSS moved successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\Q4TYU9JJ moved successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\44JJFWBH moved successfully.
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5 moved successfully.
C:\WINDOWS\Temp\Temporary Internet Files moved successfully.
C:\WINDOWS\Temp\Patcher3580 moved successfully.
Folder move failed. C:\WINDOWS\Temp scheduled to be moved on reboot.
C:\RECYCLER\S-1-5-21-329068152-1708537768-1417001333-1004 moved successfully.
C:\RECYCLER moved successfully.
D:\RECYCLER\S-1-5-21-329068152-1708537768-1417001333-1004 moved successfully.
D:\RECYCLER moved successfully.
Folder E:\RECYCLER not found.
Folder F:\RECYCLER not found.
Folder G:\RECYCLER not found.
Folder H:\RECYCLER not found.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{03ff5c8d-afda-11dd-9d90-0019db299323}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05cab6e3-5347-11dd-9d09-0019db299323}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{14219fc4-4b82-11dd-94ac-806d6172696f}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2323d66a-6ea9-11dd-9d23-0019db299323}\\ deleted successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\KEIRAN~1\LOCALS~1\Temp\etilqs_66zeFbPdK8cXRCasQAVt scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\KEIRAN~1\LOCALS~1\Temp\etilqs_66zeFbPdK8cXRCasQAVt-journal scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\KEIRAN~1\LOCALS~1\Temp\etilqs_a5T6uFFbWiEjviSBTMxO scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\KEIRAN~1\LOCALS~1\Temp\~DF6004.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\KEIRAN~1\LOCALS~1\Temp\~DF61DF.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\TMP000000388880A3CBDC1B6F82 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\TMP000000D5D286CE4F81B0FF20 scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02082009_024543

Files moved on Reboot...
C:\Documents and Settings\Keiran Camilo\Local Settings\Temp moved successfully.
C:\WINDOWS\Temp moved successfully.
File C:\DOCUME~1\KEIRAN~1\LOCALS~1\Temp\etilqs_66zeFbPdK8cXRCasQAVt not found!
File C:\DOCUME~1\KEIRAN~1\LOCALS~1\Temp\etilqs_66zeFbPdK8cXRCasQAVt-journal not found!
File C:\DOCUME~1\KEIRAN~1\LOCALS~1\Temp\etilqs_a5T6uFFbWiEjviSBTMxO not found!
File C:\DOCUME~1\KEIRAN~1\LOCALS~1\Temp\~DF6004.tmp not found!
File C:\DOCUME~1\KEIRAN~1\LOCALS~1\Temp\~DF61DF.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\TMP000000388880A3CBDC1B6F82 not found!
File C:\WINDOWS\temp\TMP000000D5D286CE4F81B0FF20 not found!



_______________________________________________________________________________________________

for GMER the result is:


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-08 03:12:14
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT spat.sys ZwCreateKey [0xB9EAB0E0]
SSDT spat.sys ZwEnumerateKey [0xB9EC8CA2]
SSDT spat.sys ZwEnumerateValueKey [0xB9EC9030]
SSDT spat.sys ZwOpenKey [0xB9EAB0C0]
SSDT spat.sys ZwQueryKey [0xB9EC9108]
SSDT spat.sys ZwQueryValueKey [0xB9EC8F88]
SSDT spat.sys ZwSetValueKey [0xB9EC919A]

INT 0x62 ? 8A414BF8
INT 0x64 ? 8A1CBF00
INT 0x74 ? 8A1CBF00
INT 0x82 ? 8A414BF8
INT 0x84 ? 8A1CBF00
INT 0xB4 ? 8A414BF8
INT 0xB4 ? 8A414BF8
INT 0xB4 ? 8A1CBF00
INT 0xB4 ? 8A1CBF00
INT 0xB4 ? 8A414BF8

---- Kernel code sections - GMER 1.0.14 ----

? spat.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B95128AC 5 Bytes JMP 8A1CB4E0
.text audyej4o.SYS B9495384 1 Byte [ 20 ]
.text audyej4o.SYS B9495386 35 Bytes [ 00, 68, 00, 00, 00, 00, 00, ... ]
.text audyej4o.SYS B94953AA 24 Bytes [ 00, 00, 20, 00, 00, E0, 00, ... ]
.text audyej4o.SYS B94953C4 3 Bytes [ 00, 00, 00 ]
.text audyej4o.SYS B94953C9 1 Byte [ 00 ]
.text ...

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1676] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [ C2, 04, 00, 00 ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EAC040] spat.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EAC13C] spat.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EAC0BE] spat.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EAC7FC] spat.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EAC6D2] spat.sys
IAT \SystemRoot\System32\Drivers\audyej4o.SYS[HAL.dll!KfAcquireSpinLock] 000000AD
IAT \SystemRoot\System32\Drivers\audyej4o.SYS[HAL.dll!READ_PORT_UCHAR] 000000D4
IAT \SystemRoot\System32\Drivers\audyej4o.SYS[HAL.dll!KeGetCurrentIrql] 000000A2
IAT \SystemRoot\System32\Drivers\audyej4o.SYS[HAL.dll!KfRaiseIrql] 000000AF
IAT \SystemRoot\System32\Drivers\audyej4o.SYS[HAL.dll!KfLowerIrql] 0000009C
IAT \SystemRoot\System32\Drivers\audyej4o.SYS[HAL.dll!HalGetInterruptVector] 000000A4
IAT \SystemRoot\System32\Drivers\audyej4o.SYS[HAL.dll!HalTranslateBusAddress] 00000072
IAT \SystemRoot\System32\Drivers\audyej4o.SYS[HAL.dll!KeStallExecutionProcessor] 000000C0
IAT \SystemRoot\System32\Drivers\audyej4o.SYS[HAL.dll!KfReleaseSpinLock] 000000B7
IAT \SystemRoot\System32\Drivers\audyej4o.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 000000FD
IAT \SystemRoot\System32\Drivers\audyej4o.SYS[HAL.dll!READ_PORT_USHORT] 00000093
IAT \SystemRoot\System32\Drivers\audyej4o.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000026
IAT \SystemRoot\System32\Drivers\audyej4o.SYS[HAL.dll!WRITE_PORT_UCHAR] 00000036
IAT \SystemRoot\System32\Drivers\audyej4o.SYS[WMILIB.SYS!WmiSystemControl] 000000F7
IAT \SystemRoot\System32\Drivers\audyej4o.SYS[WMILIB.SYS!WmiCompleteRequest] 000000CC

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A4131F8

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\sptd \Device\214603608 spat.sys
Device \Driver\usbuhci \Device\USBPDO-0 8A1CD1F8
Device \Driver\usbuhci \Device\USBPDO-1 8A1CD1F8
Device \Driver\usbuhci \Device\USBPDO-2 8A1CD1F8
Device \Driver\usbuhci \Device\USBPDO-3 8A1CD1F8
Device \Driver\PCI_PNP6108 \Device\00000047 spat.sys
Device \Driver\usbehci \Device\USBPDO-4 8A0391F8

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A3A41F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A3A41F8
Device \Driver\Cdrom \Device\CdRom0 8A08B1F8
Device \Driver\Cdrom \Device\CdRom1 8A08B1F8
Device \Driver\Cdrom \Device\CdRom2 8A08B1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 898401F8
Device \Driver\NetBT \Device\NetbiosSmb 898401F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{A58B2A41-3AA7-4FBF-93FF-E279189169C6} 898401F8
Device \Driver\usbuhci \Device\USBFDO-0 8A1CD1F8
Device \Driver\usbuhci \Device\USBFDO-1 8A1CD1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 897FD1F8
Device \Driver\usbuhci \Device\USBFDO-2 8A1CD1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 897FD1F8
Device \Driver\usbuhci \Device\USBFDO-3 8A1CD1F8
Device \Driver\usbehci \Device\USBFDO-4 8A0391F8
Device \Driver\Ftdisk \Device\FtControl 8A3A41F8
Device \Driver\audyej4o \Device\Scsi\audyej4o1Port4Path0Target0Lun0 8A00D1F8
Device \Driver\audyej4o \Device\Scsi\audyej4o1 8A00D1F8
Device \FileSystem\Cdfs \Cdfs 89BB6500

---- Services - GMER 1.0.14 ----

Service system32\drivers\gaopdxkmxdompj.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxkmxdompj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxkmxdompj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxpyxmtbow.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x98 0xEC 0xFF 0x7B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xCA 0x92 0x37 0xBB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x65 0xDF 0x0F 0xCE ...
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxkmxdompj.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxkmxdompj.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxpyxmtbow.dll
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x98 0xEC 0xFF 0x7B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xCA 0x92 0x37 0xBB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x65 0xDF 0x0F 0xCE ...

---- EOF - GMER 1.0.14 ----

--------------------------------------------------------------------------------------------

i have also re-run my ESET antivirus and it has found NOTHING!!!!!!! :thumbsup: .............. is there anything else i can do/run to double check????
you are a legend!!!!!!!!.......what can and should i do in the future to prevent such a thing happening again??? i am worried to attach my USBs (3 of them) as they may still have the virus on them...i used the Flash_Disinfector.exe by sUBs on all 3. are they all clean?....if not, will they reinfect my computer if i reattach them, and is there any way of safely checking them?

i hope you sleep well coz i will tonight

cheers

k
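The GMER output above carries the two findings that matter for triage: SSDT hooks from spat.sys, which the log itself ties to the sptd service (the Alcohol 120% driver listed under its Cfg key), and a service GMER marks `*** hidden ***` whose driver and DLL carry random-looking names. The Python below is an added example, not part of the thread and not a GMER feature: it parses a handful of lines copied from that log, groups SSDT hooks by driver, flags any hooking driver not on an expected list (the list is an assumption for this example), and pulls together the registry values GMER printed for the hidden service.

```python
import re
from collections import defaultdict

# Lines copied from the GMER log posted above, cut down to the ones the triage
# needs (this is constructed input for the example, not a full GMER log).
GMER_LOG = r"""
---- System - GMER 1.0.14 ----

SSDT spat.sys ZwCreateKey [0xB9EAB0E0]
SSDT spat.sys ZwOpenKey [0xB9EAB0C0]

---- Services - GMER 1.0.14 ----

Service system32\drivers\gaopdxkmxdompj.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxkmxdompj.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxpyxmtbow.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
"""

# Drivers whose SSDT hooks are expected on this box. The log ties spat.sys to
# the sptd service (the Alcohol 120% driver), so it is listed; this allowlist
# is an assumption made for the example, not something GMER provides.
EXPECTED_SSDT_HOOKERS = {"spat.sys", "sptd.sys"}

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)\s+\[0x([0-9A-Fa-f]+)\]")
HIDDEN_SERVICE_RE = re.compile(
    r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(\w+)\]\s+(\S+)")
REG_VALUE_RE = re.compile(r"^Reg\s+(\S+?)@(\w+)\s+(.*)$")


def triage_gmer(log_text):
    """Summarise a GMER log: SSDT hooks by driver, hidden services, and the
    registry values GMER printed for each hidden service."""
    ssdt_hooks = defaultdict(list)
    hidden_services = []
    reg_values = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            ssdt_hooks[m.group(1)].append(m.group(2))
        elif m := HIDDEN_SERVICE_RE.match(line):
            hidden_services.append(
                {"image": m.group(1), "account": m.group(2), "name": m.group(3)})
        elif m := REG_VALUE_RE.match(line):
            reg_values.append((m.group(1), m.group(2), m.group(3)))

    # Registry values under HKLM\...\Services\<hidden service name>, including
    # subkeys such as \modules, which is where this family lists its DLL.
    related_registry = []
    for key, value, data in reg_values:
        for svc in hidden_services:
            if ("\\services\\" + svc["name"].lower()) in key.lower():
                related_registry.append(
                    {"service": svc["name"], "key": key, "value": value, "data": data})

    unexpected = {drv: funcs for drv, funcs in ssdt_hooks.items()
                  if drv.lower() not in EXPECTED_SSDT_HOOKERS}
    return {
        "ssdt_hooks": dict(ssdt_hooks),
        "unexpected_ssdt_hookers": unexpected,
        "hidden_services": hidden_services,
        "related_registry": related_registry,
    }


if __name__ == "__main__":
    result = triage_gmer(GMER_LOG)
    for svc in result["hidden_services"]:
        print(f"hidden service {svc['name']} -> {svc['image']}")
    for entry in result["related_registry"]:
        print(f"  {entry['key']}@{entry['value']} = {entry['data']}")
    print("unexpected SSDT hookers:", result["unexpected_ssdt_hookers"] or "none")
```

Run against the full log the same way: a hidden service plus a driver and DLL that GMER can only reach through the `\\?\globalroot` path is the finding that justifies the format/reinstall advice, while SSDT hooks from a known copy-protection driver are noise that should not be mistaken for the rootkit.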

#10 fixmeplz

fixmeplz
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 08 February 2009 - 08:24 AM

hello Extremeboy,

i have just relooked through my computer and have again found the 'RECYCLER' folder on both my C and D drives. i have rerun ESET, Windows Defender and Malwarebytes but all are clean (except ESET still thinks FlashDisinfector could be a trojan)

this is the file name of the file inside the 'RECYCLER' folder (it has the recycle bin image):

S-1-5-21-329068152-1708537768-1417001333-1004

and this is the file name for the one in my D drive:

S-1-5-21-329068152-1708537768-1417001333-1004

are these files malicious?

cheers buddy

k

Edited by fixmeplz, 08 February 2009 - 10:34 AM.


#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:14 AM

Posted 08 February 2009 - 03:01 PM

Hello again.

You have a rootkit involved here like Blokeski. Most experts believe you should format/reinstall now that your computer is compromised.

this is the file name of the file inside the 'RECYCLER' folder (it has the recycle bin image):

S-1-5-21-329068152-1708537768-1417001333-1004

and this is the file name for the one in my D drive:

S-1-5-21-329068152-1708537768-1417001333-1004

are these files malicious?

No. They are your Recycling bin, they are not malicious. No need to worry about that. Everyone has that folder and that file name but the malware was placed in there so we needed to remove it, but after a while those folders will come back. :thumbsup:

if not will they reinfect my computer if i reattach them and is there any way of safely checking them?

They should be removed now. A good way to defend against these infections is by disabling autorun.

Disable Autorun on Flash-Drive/Removable Drives

When is AUTORUN.INF really an AUTORUN.INF?

USB worms work by creating a file called AUTORUN.INF on the root of USB drives. These INF files then use Autorun or Autoplay (not the same thing!) to execute themselves either when the stick is inserted, or more commonly, when the user double-clicks on the USB drive icon from My Computer (Windows Explorer)...


Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. Read USB-Based Malware Attacks and Please disable Autorun asap!.

If using Windows Vista, please refer to:
"Disable AutoPlay in Windows Vista"
"Preventing AutoPlay with Local Group Policy Editor or AutoPlay options panel"

Note: When Autorun is disabled, double-clicking a drive which has autorun.inf in its root directory may still activate Autorun so be careful.

Better if you start another topic in the HJT-Malware Removal forum if you do not want to format/reinstall. Follow this guide before posting a Hijackthis log. Also, it would be best if you Format/Reinstall as your computer is already compromised. Disconnect from the internet, and it would be better if you reply using another computer if you have one instead of using this computer. Change any passwords using a clean machine, especially if you do any banking on the web. Let me know if there was any trouble when running the DDS scan. Do not post the log here but in the HJT-Malware Removal forum.

Good luck.

With Regards,
Extremeboy
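The post above explains the mechanism: a USB worm drops an AUTORUN.INF on the drive root, and Windows reads it either on insertion or when the drive icon is double-clicked. The Python below is an added example, not code from the thread or from Flash Disinfector: it parses a constructed AUTORUN.INF of the kind described (the RECYCLER path, SID and executable name are placeholders) and reports which entries would launch a program, which is the check worth running on a removable drive before trusting it, whether or not Autorun is disabled.

```python
import re

# Constructed sample in the style the post describes: an AUTORUN.INF on the root
# of a removable drive that points at an executable inside a RECYCLER folder.
# The SID and the executable name are placeholders, not values from the thread.
SAMPLE_WORM_INF = r"""
[autorun]
open=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-1004\placeholder.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open=Open
shell\open\Command=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-1004\placeholder.exe
shell\explore\Command=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-1004\placeholder.exe
UseAutoPlay=1
"""

# Constructed benign sample: a label and an icon that lives on the drive itself.
SAMPLE_BENIGN_INF = r"""
[autorun]
label=Holiday photos
icon=photos.ico
"""

EXEC_KEYS = {"open", "shellexecute"}
VERB_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")
SYSTEM_ICON_RE = re.compile(r"\.(dll|exe)\s*,\s*-?\d+$", re.IGNORECASE)


def parse_autorun_inf(text):
    """Return {lowercased key: [values]} from the [autorun] section.

    Keys and section names are case-insensitive on Windows, so they are
    lowercased. Lines without '=' (junk padding), blanks and ';' comments are
    skipped; duplicate keys keep every value so nothing is hidden from review.
    """
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.setdefault(key.strip().lower(), []).append(value.strip())
    return entries


def assess_autorun_inf(text):
    """Return (severity, key, value, reason) tuples for entries worth a look."""
    findings = []
    for key, values in parse_autorun_inf(text).items():
        for value in values:
            if key in EXEC_KEYS:
                findings.append(("high", key, value,
                                 "launches a program when Autorun/AutoPlay fires"))
            else:
                m = VERB_COMMAND_RE.match(key)
                if m:
                    findings.append(("high", key, value,
                                     f"rewires the '{m.group(1)}' verb (double-click/context menu) to a program"))
                elif key == "shell":
                    findings.append(("medium", key, value,
                                     "changes which verb double-click runs"))
                elif key == "icon" and SYSTEM_ICON_RE.search(value):
                    findings.append(("medium", key, value,
                                     "borrows an icon from a system binary, a drive/folder masquerade"))
            if "recycler\\" in value.lower():
                findings.append(("low", key, value,
                                 "target is inside a RECYCLER folder, not a normal home for a program"))
    return findings


def verdict(text):
    """Collapse findings to one word: 'launches-code', 'suspicious' or 'no-launch'."""
    severities = {f[0] for f in assess_autorun_inf(text)}
    if "high" in severities:
        return "launches-code"
    if "medium" in severities:
        return "suspicious"
    return "no-launch"


if __name__ == "__main__":
    for name, sample in (("worm-style", SAMPLE_WORM_INF), ("benign", SAMPLE_BENIGN_INF)):
        print(f"{name}: {verdict(sample)}")
        for sev, key, value, reason in assess_autorun_inf(sample):
            print(f"  [{sev}] {key}={value}  -- {reason}")
```

The `shell\<verb>\command` entries are the ones the post's note is about: with Autorun off they do nothing on insertion, but they still decide what a double-click on the drive icon runs, so the only safe way to inspect a suspect drive is to read the file without opening the drive in Explorer. On the Windows side, the policy value `NoDriveTypeAutoRun` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer` set to `0xFF` disables Autorun for every drive type, which is the registry form of the advice given above.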

#12 fixmeplz

fixmeplz
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:03:14 PM

Posted 09 February 2009 - 07:56 PM

hello Extremeboy,

firstly i would like you to know my appreciation for all the time you have given to help me....so, thank you very much. :thumbsup:

i fully intend to reformat my computer. i just have a final two questions. firstly, will my USBs be clean (and if not, will the fact that i have disabled the autorun function allow me to safely scan and re-format them)? secondly, is my computer safe to attach an external hard drive to (i have a lot of files, photos etc. i would like to copy) so i won't transfer it to my re-formatted computer? (i know it's a third question but it relates to the latter one: is there any safe and large online storage facility that you can recommend?)

again, thank you very much for all your help :flowers:

cheers

k

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:14 AM

Posted 09 February 2009 - 08:22 PM

It's my pleasure helping others :thumbsup:

firstly, will my USBs be clean (and if not, will the fact that i have disabled the autorun function allow me to safely scan and re-format them)?

Yes. Make sure autorun is disabled and then you can format your flash-drive/removable drives. Right-click and select Format.

secondly, is my computer safe to attach an external hard drive to (i have a lot of files, photos etc. i would like to copy) so i won't transfer it to my re-formatted computer?

Did you run Flash Disinfector? If you did then that's good; if not, do so now with your removable drive plugged in. Make sure autorun is also disabled before plugging it in. After you know all those are done then you can plug in your flash-drive. However, in my opinion I still think some spare CDs and a CD burner are the safest way to transfer data files, pictures etc...

When you do backup make sure you do not backup any .zip packages, executables such as: .exe, .bat, .scr, .com etc...

is there any safe and large online storage facility that you can recommend

To be honest, I do not know any right now. Depending on the space you need, I don't know which one will fit you. I personally don't trust online storage because I think it's a privacy issue with myself, but if it's fine for you, by all means you can do it. A big external hard-drive or some spare CDs is what I use most often when backing up data/important files.

Hope that helps and good luck on the format :flowers:

With Regards,
Extremeboy
