Google redirects, cmd.exe inaccessible, Explorer crashes, Windows Update freezes, etc.


13 replies to this topic

#1 SurStromming

Posted 26 April 2009 - 05:33 AM

Hello,

As you can see by the title I am having several problems but I believe they are all caused by the same malware.



Platform:

Windows XP SP3, "all" updates

F-Secure Internet Security 2008

Firefox 3.0.9 as preferred browser



The symptoms:

If I click on a Google search result, I am occasionally redirected away from the actual website to some other website, usually an ad, and I must go back to get the real site.

If I attempt to run cmd.exe from the Run dialog, nothing appears and Explorer crashes (the blue bar at the bottom goes away, which I believe is an indication of this); then, when it reloads, my tray bar is missing several of its components.

I have also tried to run cmd.exe from a file browser, but it will just not run. However, if I copy the file and rename it to foo.exe, then it runs just fine.

Windows Update shows me a single high-priority update (.NET Framework 3.5 Service Pack 1), but when I try to install it, it freezes.

Frequent "Generic Host Process" crashes caused by svchost.exe

Unlike other people I have seen posting with similar problems, I have no problems accessing web sites belonging to antivirus companies, or bleepingcomputer.com.



Attempted fixes:

I ran ATF Cleaner

F-Secure full scan, found nothing

Kaspersky online scan, found nothing

Malwarebytes Anti-Malware, found nothing. Strangely, it could not update itself, so I had to download the latest database file manually.

SUPERAntiSpyware, found nothing

GMER.exe: I was not allowed to run the file until I renamed it to something else. It ran all night, and I didn't see any warnings in the morning (does it write a log? where?).

GooredFix, found nothing



What confuses me even more is that my PC now seems to be OK! The most visible sign is that cmd.exe works again, and I also managed to run Windows Update and install an update, and MBAM can update itself. Still, I'm worried that whatever malware I had is still lurking around inside my PC.

I would greatly appreciate if someone recognizes this problem and knows what caused it, and then suggests a way of checking/removing the specific thing.

Thanks in advance for any advice/suggestions/help!


#2 DaChew (BC Advisor)

Posted 26 April 2009 - 07:53 AM

Let's run an online virus scan called Kaspersky, or KAV for short:

http://www.kaspersky.com/virusscanner

using Internet Explorer.

Please disable your resident antivirus before performing the scan and re-enable it afterward.

Choose the online scanner option.

1. At the main page, press "Accept" after reading the contents.
2. At the next window, select Update. Allow the database to update.
Note: If prompted to run or update your Java, then follow the prompts to do so. Kaspersky requires Java to run.
3. Once the database has finished, under the Scan icon select My Computer to start the scan. The scan may take a few minutes to complete.
4. Select Scan Report.
5. If any threats were found, they will appear in the report.
6. Select "Save error report as".
Then in the file name just type in kaspersky.
Under "Save as type" select text (.txt).
Save it to your Desktop.

Please post the KAV scan report in your next reply.


After a reboot/restart:

Please download and run Process Explorer:


http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under File > Save As, create a log, then copy and paste it into a reply.
Chewy

No. Try not. Do... or do not. There is no try.

#3 SurStromming (Topic Starter)

Posted 26 April 2009 - 11:09 AM

Hello Chewy,

Thank you for your prompt response and for taking on my case!

Here is the requested info:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, April 26, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, April 26, 2009 14:30:02
Records in database: 2081023
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 162004
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:15:01

No malware has been detected. The scan area is clean.

The selected area was scanned.



===



Process PID CPU Description Company Name
System Idle Process 0 98.44
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 1832 Windows NT Session Manager Microsoft Corporation
csrss.exe 1932 Client Server Runtime Process Microsoft Corporation
winlogon.exe 1960 Windows NT Logon Application Microsoft Corporation
services.exe 2008 Services and Controller app Microsoft Corporation
svchost.exe 400 Generic Host Process for Win32 Services Microsoft Corporation
CapabilityManager.exe 908 Capability Manager Popwire AB
NMIndexStoreSvr.exe 3620 Nero Home Nero AG
Generic.exe 5120 Generic Device Management Executable. Teleca Software Solutions
epmworker.exe 5648 CAPI_Worker Module Sony Ericsson Mobile Communications AB
svchost.exe 448 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 596 Generic Host Process for Win32 Services Microsoft Corporation
wuauclt.exe 4456 Windows Update Automatic Updates Microsoft Corporation
svchost.exe 864 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1020 Generic Host Process for Win32 Services Microsoft Corporation
aawservice.exe 1252 Ad-Aware Service Lavasoft
spoolsv.exe 496 Spooler SubSystem App Microsoft Corporation
scardsvr.exe 524 Smart Card Resource Management Server Microsoft Corporation
svchost.exe 564 Generic Host Process for Win32 Services Microsoft Corporation
PhotoshopElementsFileAgent.exe 644
DkService.exe 848 DKSERVICE.EXE Executive Software International, Inc.
fsgk32st.exe 900 F-Secure Anti-Virus Scanning Service F-Secure Corporation
fsgk32.exe 956 Gatekeeper Handler II F-Secure Corp.
fssm32.exe 3796 fssm32 F-Secure Corp.
FSMA32.EXE 948 F-Secure Management Agent F-Secure Corporation
FSMB32.EXE 1120 F-Secure Message Broker F-Secure Corporation
FCH32.EXE 1484 F-Secure Configuration Handler F-Secure Corporation
FAMEH32.EXE 520 F-Secure Alert and Management Extension Handler F-Secure Corporation
fsqh.exe 680 F-Secure Quarantine Handler F-Secure Corporation
fsav32.exe 4428 FSAV Handler F-Secure Corporation
openvpnas.exe 980
hsssrv.exe 1140 Hotspot Shield Helper Service AnchorFree Inc.
InCDsrv.exe 1212 1.56 incdsrv Nero AG
jqs.exe 1300 Java™ Quick Starter Service Sun Microsystems, Inc.
LSSrvc.exe 1432 LightScribe Service Hewlett-Packard Company
nTuneService.exe 1688 NVIDIA Access Manager NVIDIA
nvsvc32.exe 1708 NVIDIA Driver Helper Service, Version 163.71 NVIDIA Corporation
RichVideo.exe 932 RichVideo Module
mysqld.exe 2112
slim.exe 2180
svchost.exe 2224 Generic Host Process for Win32 Services Microsoft Corporation
SpySweeper.exe 2360 Spy Sweeper Engine Webroot Software, Inc. (www.webroot.com)
WLService.exe 2708 WLService GEMTEKS
WMP54Gv4.exe 5072 WMP54Gv4 Linksys
CALMAIN.exe 2824 Canon Camera Access Library 8 Canon Inc.
fsaua.exe 3788 F-Secure Automatic Update Agent F-Secure Corporation
fsdfwd.exe 3888 F-Secure Internet Shield daemon F-Secure Corporation
alg.exe 2292 Application Layer Gateway Service Microsoft Corporation
NMIndexingService.exe 3776 Nero Home Nero AG
lsass.exe 2020 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1768 Windows Explorer Microsoft Corporation
rundll32.exe 3352 Run a DLL as an App Microsoft Corporation
MagicPvt.exe 3388 MagicRotation Application Samsung Electronics, Inc.
daemon.exe 3456 Virtual DAEMON Manager DT Soft Ltd.
RTHDCPL.exe 3492 Realtek HD Audio Control Panel Realtek Semiconductor Corp.
iexplore.exe 672 Internet Explorer Microsoft Corporation
ctfmon.exe 2888 CTF Loader Microsoft Corporation
firefox.exe 1780 Firefox Mozilla Corporation
NBHGui.exe 1820 NBH Nero AG
InCD.exe 2300 InCD Nero AG
PDVDServ.exe 2480 PowerDVD RC Service Cyberlink Corp.
acrotray.exe 2776 AcroTray Adobe Systems Inc.
iTouch.exe 3308 iTouch Application Logitech Inc.
Application Launcher.exe 2376 Application Launcher Sony Ericsson Mobile Communications AB
FSM32.EXE 1276 F-Secure Settings and Statistics F-Secure Corporation
fsguidll.exe 180 F-Secure GUI component F-Secure Corporation
jusched.exe 1320 Java™ Platform SE binary Sun Microsystems, Inc.
GoogleToolbarNotifier.exe 2644 GoogleToolbarNotifier Google Inc.
NMBgMonitor.exe 3276 Nero Home Nero AG
NMBgMonitor.exe 3404 Nero Home Nero AG
msmsgs.exe 3184 Windows Messenger Microsoft Corporation
SEPCSuite.exe 3248 Sony Ericsson PC Suite Sony Ericsson Mobile Communications AB
DvzIncMsgr.exe 512 DataViz Update Checker DataViz, Inc.
Personal.exe 3580 Nexus Personal Technology Nexus AB
SlimTray.exe 1424
Hotsync.exe 4544 HotSync® Manager Application PalmSource, Inc
procexp.exe 5756 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
fsus.exe 2896 F-Secure Automatic Update Agent - Run Upstreamer F-Secure Corporation
EM_EXEC.EXE 2704 Logitech Events Handler Application Logitech Inc.
MagicTune.exe 3740 MagicTune SAMSUNG



===



What do you think? Is there any hope?

#4 SurStromming (Topic Starter)

Posted 26 April 2009 - 11:20 AM

Hello again,

As I saw you recommending this in another post, I took the liberty of also scanning with RootRepeal, with the results below.

I thought that as long as I only scan and don't change anything, there shouldn't be any harm done...

=====

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/26 18:16
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 00000047
Image Path: \Driver\00000047
Address: 0x00000000 Size: 0 File Visible: No
Status: -

Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xBA8C8000 Size: 57344 File Visible: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xBA691000 Size: 187776 File Visible: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2150400 File Visible: -
Status: -

Name: AegisP.sys
Image Path: C:\WINDOWS\system32\DRIVERS\AegisP.sys
Address: 0xBAC30000 Size: 18720 File Visible: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xB4872000 Size: 138496 File Visible: -
Status: -

Name: arp1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys
Address: 0xBAA28000 Size: 60800 File Visible: -
Status: -

Name: asyncmac.sys
Image Path: C:\WINDOWS\system32\DRIVERS\asyncmac.sys
Address: 0xB30F7000 Size: 14336 File Visible: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xBA5C8000 Size: 98304 File Visible: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0x00000000 Size: 0 File Visible: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\audstub.sys
Address: 0xBAF5D000 Size: 3072 File Visible: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xBADD6000 Size: 4224 File Visible: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xBACB8000 Size: 12288 File Visible: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xB92D5000 Size: 63744 File Visible: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xB9EF5000 Size: 62976 File Visible: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xBA928000 Size: 53248 File Visible: -
Status: -

Name: ctoss2k.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
Address: 0xB9C92000 Size: 196608 File Visible: -
Status: -

Name: ctsfm2k.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
Address: 0xB9C6C000 Size: 155648 File Visible: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xBA918000 Size: 36352 File Visible: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xBA5E0000 Size: 153344 File Visible: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xBADAC000 Size: 5888 File Visible: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xB9EC5000 Size: 61440 File Visible: -
Status: -

Name: dtscsi.sys
Image Path: C:\WINDOWS\System32\Drivers\dtscsi.sys
Address: 0xB93C1000 Size: 303104 File Visible: -
Status: -

Name: dump_nvata.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvata.sys
Address: 0xB46D0000 Size: 106496 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBADF6000 Size: 8192 File Visible: No
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xB49E5000 Size: 12288 File Visible: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xBAFD1000 Size: 4096 File Visible: -
Status: -

Name: Fastfat.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xB2CF7000 Size: 143744 File Visible: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\fdc.sys
Address: 0xBAC58000 Size: 27392 File Visible: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xBAA18000 Size: 44544 File Visible: -
Status: -

Name: flpydisk.sys
Image Path: C:\WINDOWS\system32\DRIVERS\flpydisk.sys
Address: 0xBAB80000 Size: 20480 File Visible: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xBA58E000 Size: 129792 File Visible: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xBADD4000 Size: 7936 File Visible: -
Status: -

Name: fsdfw.sys
Image Path: fsdfw.sys
Address: 0xBA948000 Size: 51072 File Visible: -
Status: -

Name: fsgk.sys
Image Path: C:\Program Files\F-Secure Internet Security\Anti-Virus\minifilter\fsgk.sys
Address: 0xB353E000 Size: 102400 File Visible: -
Status: -

Name: fshs.sys
Image Path: C:\Program Files\F-Secure Internet Security\HIPS\fshs.sys
Address: 0xB9325000 Size: 41184 File Visible: -
Status: -

Name: fsndis5.sys
Image Path: C:\WINDOWS\System32\drivers\fsndis5.sys
Address: 0xBAB40000 Size: 32768 File Visible: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xBA606000 Size: 125056 File Visible: -
Status: -

Name: GTNDIS5.SYS
Image Path: C:\WINDOWS\system32\GTNDIS5.SYS
Address: 0xB2DEF000 Size: 15872 File Visible: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806E4000 Size: 134400 File Visible: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xB9BED000 Size: 163840 File Visible: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xBAB90000 Size: 28672 File Visible: -
Status: -

Name: hpfxbulk.sys
Image Path: C:\WINDOWS\system32\drivers\hpfxbulk.sys
Address: 0xB4F1E000 Size: 9344 File Visible: -
Status: -

Name: HPFXGEN.SYS
Image Path: C:\WINDOWS\system32\drivers\HPFXGEN.SYS
Address: 0xBABC8000 Size: 20480 File Visible: -
Status: -

Name: HssDrv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\HssDrv.sys
Address: 0xB9EA5000 Size: 65536 File Visible: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xB3D57000 Size: 264832 File Visible: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\i8042prt.sys
Address: 0xBAAA8000 Size: 52480 File Visible: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xB9F05000 Size: 42112 File Visible: -
Status: -

Name: InCDFs.sys
Image Path: C:\WINDOWS\system32\drivers\InCDFs.sys
Address: 0xB494E000 Size: 113024 File Visible: -
Status: -

Name: InCDPass.sys
Image Path: C:\WINDOWS\system32\drivers\InCDPass.sys
Address: 0xBAC80000 Size: 31360 File Visible: -
Status: -

Name: InCDrec.SYS
Image Path: C:\WINDOWS\System32\Drivers\InCDrec.SYS
Address: 0xB8093000 Size: 10624 File Visible: -
Status: -

Name: InCDRm.sys
Image Path: C:\WINDOWS\system32\drivers\InCDRm.sys
Address: 0xB9ED5000 Size: 32896 File Visible: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xB4894000 Size: 152832 File Visible: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xB493B000 Size: 75264 File Visible: -
Status: -

Name: irda.sys
Image Path: C:\WINDOWS\system32\DRIVERS\irda.sys
Address: 0xB423A000 Size: 88192 File Visible: -
Status: -

Name: irenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\irenum.sys
Address: 0xBA48E000 Size: 11264 File Visible: -
Status: -

Name: irsir.sys
Image Path: C:\WINDOWS\system32\DRIVERS\irsir.sys
Address: 0xBAC50000 Size: 18688 File Visible: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xBA8A8000 Size: 37248 File Visible: -
Status: -

Name: itchfltr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\itchfltr.sys
Address: 0xBA486000 Size: 11712 File Visible: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xBAC60000 Size: 24576 File Visible: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xBADA8000 Size: 8192 File Visible: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xB1CA7000 Size: 172416 File Visible: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xB9E3A000 Size: 143360 File Visible: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xBA565000 Size: 92288 File Visible: -
Status: -

Name: L8042pr2.Sys
Image Path: C:\WINDOWS\system32\DRIVERS\L8042pr2.Sys
Address: 0xB9F25000 Size: 47232 File Visible: -
Status: -

Name: LMouFlt2.Sys
Image Path: C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys
Address: 0xB9F15000 Size: 63328 File Visible: -
Status: -

Name: magicpvt.sys
Image Path: C:\WINDOWS\system32\drivers\magicpvt.sys
Address: 0xBA46E000 Size: 9728 File Visible: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xBADD8000 Size: 4224 File Visible: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xBAC68000 Size: 23040 File Visible: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xBA8F8000 Size: 42368 File Visible: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxdav.sys
Address: 0xB3EED000 Size: 180608 File Visible: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xB46EA000 Size: 455296 File Visible: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xBABA0000 Size: 19072 File Visible: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xBAAD8000 Size: 35072 File Visible: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xBA420000 Size: 15488 File Visible: -
Status: -

Name: MTictwl.sys
Image Path: C:\WINDOWS\system32\drivers\MTictwl.sys
Address: 0xB809B000 Size: 11744 File Visible: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xBA4BE000 Size: 105344 File Visible: -
Status: -

Name: NDIS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\NDIS.SYS
Address: 0xBA625000 Size: 182656 File Visible: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xBA430000 Size: 10112 File Visible: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xB42BC000 Size: 14592 File Visible: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xB9356000 Size: 91520 File Visible: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xBAB18000 Size: 40576 File Visible: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xBA9F8000 Size: 34688 File Visible: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xB48BA000 Size: 162816 File Visible: -
Status: -

Name: nic1394.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nic1394.sys
Address: 0xBA978000 Size: 61824 File Visible: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xBABA8000 Size: 30848 File Visible: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xBA4D8000 Size: 574976 File Visible: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000 Size: 2150400 File Visible: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xBAF4C000 Size: 2944 File Visible: -
Status: -

Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF9E9000 Size: 5783552 File Visible: -
Status: -

Name: nv4_mini.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xB9447000 Size: 6853088 File Visible: -
Status: -

Name: nvata.sys
Image Path: nvata.sys
Address: 0xBA5AE000 Size: 105344 File Visible: -
Status: -

Name: NVENETFD.sys
Image Path: C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
Address: 0xBA998000 Size: 57856 File Visible: -
Status: -

Name: nvnetbus.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
Address: 0xB9EB5000 Size: 40960 File Visible: -
Status: -

Name: NVNRM.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\NVNRM.SYS
Address: 0xB9AD1000 Size: 1163264 File Visible: -
Status: -

Name: nvoclock.sys
Image Path: C:\WINDOWS\nvoclock.sys
Address: 0xBADC8000 Size: 6912 File Visible: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xBA8B8000 Size: 61696 File Visible: -
Status: -

Name: P17.sys
Image Path: C:\WINDOWS\system32\drivers\P17.sys
Address: 0xB9CE6000 Size: 1389056 File Visible: -
Status: -

Name: parport.sys
Image Path: C:\WINDOWS\system32\DRIVERS\parport.sys
Address: 0xB9E81000 Size: 80128 File Visible: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xBAB38000 Size: 19712 File Visible: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xBA680000 Size: 68224 File Visible: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xBAE70000 Size: 3328 File Visible: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xBAB30000 Size: 28672 File Visible: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2150400 File Visible: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB9CC2000 Size: 147456 File Visible: -
Status: -

Name: processr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\processr.sys
Address: 0xBAA88000 Size: 35840 File Visible: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xBADE0000 Size: 7872 File Visible: No
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xB9345000 Size: 69120 File Visible: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xBACB0000 Size: 17792 File Visible: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xBA938000 Size: 35712 File Visible: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xB808F000 Size: 8832 File Visible: -
Status: -

Name: rasirda.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasirda.sys
Address: 0xBACA8000 Size: 19584 File Visible: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xB9E95000 Size: 51328 File Visible: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xBAAB8000 Size: 41472 File Visible: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xBAAC8000 Size: 48384 File Visible: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xBAB50000 Size: 16512 File Visible: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2150400 File Visible: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xB4782000 Size: 175744 File Visible: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xBADDA000 Size: 4224 File Visible: -
Status: -

Name: rdpdr.sys
Image Path: C:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xB9275000 Size: 196224 File Visible: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xB9EE5000 Size: 57600 File Visible: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB2749000 Size: 45056 File Visible: No
Status: -

Name: RT61.sys
Image Path: C:\WINDOWS\system32\DRIVERS\RT61.sys
Address: 0xB9C15000 Size: 356096 File Visible: -
Status: -

Name: RtkHDAud.sys
Image Path: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Address: 0xB4A6C000 Size: 4567040 File Visible: -
Status: -

Name: sam_nv4_disp.dll
Image Path: C:\WINDOWS\System32\sam_nv4_disp.dll
Address: 0xBF9D5000 Size: 81920 File Visible: -
Status: -

Name: SASDIFSV.SYS
Image Path: C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Address: 0xBABB0000 Size: 24576 File Visible: -
Status: -

Name: SASKUTIL.sys
Image Path: C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Address: 0xB47AD000 Size: 151552 File Visible: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS
Address: 0xB93A9000 Size: 98304 File Visible: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serenum.sys
Address: 0xBA492000 Size: 15744 File Visible: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\system32\DRIVERS\serial.sys
Address: 0xBAA98000 Size: 64512 File Visible: -
Status: -

Name: sptd.sys
Image Path: sptd.sys
Address: 0xBA6D7000 Size: 851968 File Visible: -
Status: -

Name: SPTD5773.SYS
Image Path: C:\WINDOWS\System32\Drivers\SPTD5773.SYS
Address: 0xBA6BF000 Size: 98304 File Visible: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xBA57C000 Size: 73472 File Visible: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xB3BC7000 Size: 333952 File Visible: -
Status: -

Name: ssfs0bbc.sys
Image Path: ssfs0bbc.sys
Address: 0xBA8E8000 Size: 45056 File Visible: -
Status: -

Name: sshrmd.sys
Image Path: sshrmd.sys
Address: 0xBA8D8000 Size: 36864 File Visible: -
Status: -

Name: ssidrv.sys
Image Path: ssidrv.sys
Address: 0xBA652000 Size: 188416 File Visible: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xBADCA000 Size: 4352 File Visible: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB9305000 Size: 60800 File Visible: -
Status: -

Name: tapvpn.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tapvpn.sys
Address: 0xBAAE8000 Size: 45056 File Visible: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xB48E2000 Size: 361600 File Visible: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xBAB28000 Size: 20480 File Visible: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xBAAF8000 Size: 40704 File Visible: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xB9217000 Size: 384768 File Visible: -
Status: -

Name: usbccgp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys
Address: 0xBABC0000 Size: 32128 File Visible: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xBADCE000 Size: 8192 File Visible: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xBAC78000 Size: 30208 File Visible: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xBA988000 Size: 59520 File Visible: -
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xBAC70000 Size: 17152 File Visible: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xB9E5D000 Size: 147456 File Visible: -
Status: -

Name: usbprint.sys
Image Path: C:\WINDOWS\system32\DRIVERS\usbprint.sys
Address: 0xBABB8000 Size: 25856 File Visible: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xBAB98000 Size: 20992 File Visible: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB9433000 Size: 81920 File Visible: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xBA908000 Size: 52352 File Visible: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\system32\DRIVERS\wanarp.sys
Address: 0xBAA08000 Size: 34560 File Visible: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xBABF0000 Size: 20480 File Visible: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xB3D98000 Size: 83072 File Visible: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS
Address: 0xBADAA000 Size: 8192 File Visible: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2150400 File Visible: -
Status: -

Name: ws2ifsl.sys
Image Path: C:\WINDOWS\System32\drivers\ws2ifsl.sys
Address: 0xB4F3E000 Size: 12032 File Visible: -
Status: -


=====
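
Triaging a RootRepeal driver listing like the one above by hand is tedious. The script below is an added example (mine, not part of the thread and not RootRepeal's own code) that parses the "Drivers" records and pulls out the entries a helper would look at first: images RootRepeal could not find on disk, entries with no mapped image (address and size both 0), any non-empty Status, and names that appear more than once. It assumes, as a rule of thumb I am adding, that the scanner drivers (rootrepeal.sys, PROCEXPnnn.SYS) and the dump_* crash-dump drivers are expected to show "File Visible: No"; the seven records embedded in it are copied from the log above.

```python
import re
from dataclasses import dataclass

# Excerpt of the RootRepeal "Drivers" output posted in reply #4 of this thread
# (seven of the records, copied unchanged). Raw string: the paths contain backslashes.
SAMPLE_LOG = r"""
ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/04/26 18:16
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 00000047
Image Path: \Driver\00000047
Address: 0x00000000 Size: 0 File Visible: No
Status: -

Name: 1394BUS.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xBA8C8000 Size: 57344 File Visible: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xBA5C8000 Size: 98304 File Visible: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0x00000000 Size: 0 File Visible: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xBADE0000 Size: 7872 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB2749000 Size: 45056 File Visible: No
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xB48E2000 Size: 361600 File Visible: -
Status: -
"""

# Assumption (mine, not the thread's): scanners that load a driver from a temporary
# file and delete it (RootRepeal, Process Explorer), and the crash-dump copies Windows
# makes of the boot storage driver (dump_*), are commonly reported as "File Visible: No".
# Any other driver reported that way deserves a look.
EXPECTED_INVISIBLE_PREFIXES = ("rootrepeal", "procexp", "dump_")


@dataclass
class DriverRecord:
    name: str
    image_path: str
    address: int
    size: int
    file_visible: str   # RootRepeal prints "-" (nothing to report) or "No"
    status: str         # "-" when RootRepeal raised no flag on the entry


RECORD_RE = re.compile(
    r"^Name: (?P<name>.*)\n"
    r"Image Path: (?P<path>.*)\n"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+) File Visible: (?P<vis>\S+)\n"
    r"Status: (?P<status>.*)$",
    re.MULTILINE,
)


def parse_rootrepeal_drivers(text):
    """Return the Drivers records of a RootRepeal report, in report order."""
    text = text.replace("\r\n", "\n")
    return [
        DriverRecord(m["name"].strip(), m["path"].strip(), int(m["addr"], 16),
                     int(m["size"]), m["vis"], m["status"].strip())
        for m in RECORD_RE.finditer(text)
    ]


def triage_drivers(records):
    """Split records into (review, expected).

    review:   list of (name, reasons) for entries worth checking by hand
    expected: names reported as not visible on disk that the tool/dump rule explains
    """
    review, expected = [], []
    first_address = {}
    for rec in records:
        reasons = []
        key = rec.name.lower()
        if rec.file_visible.lower() == "no":
            if key.startswith(EXPECTED_INVISIBLE_PREFIXES):
                expected.append(rec.name)
            else:
                reasons.append("image file not visible on disk")
        if rec.address == 0 and rec.size == 0:
            reasons.append("no image mapped (address 0, size 0)")
        if rec.status != "-":
            reasons.append("scanner status: " + rec.status)
        if key in first_address:
            reasons.append("name also listed at 0x%08X" % first_address[key])
        else:
            first_address[key] = rec.address
        if reasons:
            review.append((rec.name, reasons))
    return review, expected


if __name__ == "__main__":
    recs = parse_rootrepeal_drivers(SAMPLE_LOG)
    review, expected = triage_drivers(recs)
    print("%d driver records" % len(recs))
    for name, reasons in review:
        print("REVIEW   %-20s %s" % (name, "; ".join(reasons)))
    for name in expected:
        print("EXPECTED %-20s not on disk, matches the tool/dump-driver rule" % name)
```

On the excerpt this leaves two entries to look at: the unnamed \Driver\00000047 object (no file, no mapped image) and the second atapi.sys entry (no mapped image, same name as a loaded driver), while PROCEXP113.SYS and rootrepeal.sys are explained by the scanners that were running. A "review" hit is a pointer for a helper to verify against a known-clean XP SP3 box, not a verdict.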

#5 DaChew (BC Advisor)

Posted 26 April 2009 - 11:30 AM

Use the Files tab at the bottom, not the Drivers tab.
Chewy

#6 SurStromming (Topic Starter)

Posted 27 April 2009 - 12:08 AM

Hmm, I started the RootRepeal scan, but apart from constantly saying "initializing, please wait" and "searching from hidden or locked files", the tool shows no other sign of working. The disk light is constantly blinking, though, and the PC becomes unusable.

After having waited an hour I restarted the machine. I disabled the wireless connection, disabled F-secure, made a copy of RootRepeal.exe and renamed it to something random, and then I tried scanning again.

I left it running for ten hours overnight, but in the morning the drive light was still blinking and I still had no results.

Is it normal for it to take so long? The second time I only pointed it to my system disk C:, which only contains 34 GB.

#7 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:04:52 PM

Posted 27 April 2009 - 06:33 AM

With ~79 processes running, anything like RootRepeal will have issues; it's probably fighting a rootkit to get a scan and needs all the resources available.

This is not a more is better situation.

smss.exe 560 Windows NT Session Manager Microsoft Corporation
csrss.exe 612 Client Server Runtime Process Microsoft Corporation
winlogon.exe 640 Windows NT Logon Application Microsoft Corporation
services.exe 692 Services and Controller app Microsoft Corporation
svchost.exe 880 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 948 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1080 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1256 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1680 Spooler SubSystem App Microsoft Corporation
svchost.exe 1908 Generic Host Process for Win32 Services Microsoft Corporation
alg.exe 124 Application Layer Gateway Service Microsoft Corporation
svchost.exe 1516 Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 704 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1392 Windows Explorer Microsoft Corporation


These are XP's core files.

My scan takes less than 5 minutes but I only have 8 gigs on C
Chewy

No. Try not. Do... or do not. There is no try.

#8 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:04:52 PM

Posted 27 April 2009 - 06:38 AM

Will Gmer run in safe mode?

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Try just scanning for files at first
Chewy

No. Try not. Do... or do not. There is no try.

#9 SurStromming

SurStromming
  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:52 PM

Posted 28 April 2009 - 12:07 AM

Hello again,

I ran GMER according to your instructions, in Safe Mode.

The first log is from the startup sequence:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-27 21:00:23
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwEnumerateKey [0xF750BC7E]
SSDT sptd.sys ZwEnumerateValueKey [0xF750BFF6]

Code \WINDOWS\System32\drivers\fsndis5.sys (F-Secure Network Interceptor/F-Secure Corporation) IoCreateDevice

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8ADBD5D0
Device \FileSystem\Fastfat \Fat 8AAEE9B8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

The second log is from the actual scan. I left all the checkboxes checked, and I scanned both the system disk C: and the data disk D:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-04-28 06:54:50
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xF750BB3A]
SSDT sptd.sys ZwEnumerateKey [0xF750BC7E]
SSDT sptd.sys ZwEnumerateValueKey [0xF750BFF6]
SSDT sptd.sys ZwOpenKey [0xF750BA18]
SSDT sptd.sys ZwQueryKey [0xF750C0C0]
SSDT sptd.sys ZwQueryValueKey [0xF750BF58]
SSDT sptd.sys ZwSetValueKey [0xF750C148]

Code \WINDOWS\System32\drivers\fsndis5.sys (F-Secure Network Interceptor/F-Secure Corporation) IoCreateDevice

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!IoCreateDevice 8059B8BF 5 Bytes JMP F771FB14 \WINDOWS\System32\drivers\fsndis5.sys (F-Secure Network Interceptor/F-Secure Corporation)
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
? C:\WINDOWS\System32\Drivers\SPTD5773.SYS The process cannot access the file because it is being used by another process.
PAGENPNP NDIS.SYS!NdisRegisterProtocol F784417F 5 Bytes JMP F771F900 \WINDOWS\System32\drivers\fsndis5.sys (F-Secure Network Interceptor/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisOpenAdapter F7844399 5 Bytes JMP F771FF76 \WINDOWS\System32\drivers\fsndis5.sys (F-Secure Network Interceptor/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisCloseAdapter F784E642 5 Bytes JMP F771FA16 \WINDOWS\System32\drivers\fsndis5.sys (F-Secure Network Interceptor/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisDeregisterProtocol F784E821 5 Bytes JMP F771FD88 \WINDOWS\System32\drivers\fsndis5.sys (F-Secure Network Interceptor/F-Secure Corporation)
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 BAC4E4D0 16 Bytes [3C, 6C, 60, 2D, 3E, 4F, 3F, ...] {CMP AL, 0x6c; PUSHA ; SUB EAX, 0x383f4f3e; ARPL [EAX+EAX*2-0x78], CX; MOV DL, 0xe4; XOR EAX, EBX}
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 BAC4E4E1 31 Bytes [D0, C4, BA, A9, 81, 52, 03, ...]
? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7514DB2] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F752A71E] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F75153B2] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F75152B6] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IofCallDriver] [F7515482] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IofCallDriver] [F7515482] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F75153B2] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F75152B6] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F752A032] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoDetachDevice] [F7514F6E] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IofCompleteRequest] [F7529C76] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F7514E06] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7507A32] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7507B6E] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7507AF6] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F75086CC] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F75085A2] sptd.sys
IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F752A864] sptd.sys
IAT \WINDOWS\system32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IoDetachDevice] [F7519F78] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7529C82] sptd.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IofCompleteRequest] [F7529C76] sptd.sys
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F752A864] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8ADBD5D0
Device \FileSystem\Fastfat \FatCdrom 8AAEE9B8
Device \Driver\nvata \Device\0000008e 8ADBDA40
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8ADBDEB0
Device \Driver\dmio \Device\DmControl\DmConfig 8ADBDEB0
Device \Driver\dmio \Device\DmControl\DmPnP 8ADBDEB0
Device \Driver\dmio \Device\DmControl\DmInfo 8ADBDEB0
Device \Driver\Ftdisk \Device\HarddiskVolume1 8ADBD0E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8ADBD0E8
Device \Driver\Cdrom \Device\CdRom0 8AD43DE0
Device \Driver\Cdrom \Device\CdRom1 8AD43DE0
Device \Driver\Cdrom \Device\CdRom2 8AD43DE0
Device \Driver\Cdrom \Device\CdRom3 8AD43DE0
Device \Driver\nvata \Device\00000089 8ADBDA40
Device \Driver\Disk \Device\Harddisk0\DR0 8ADBD808
Device \Driver\Disk \Device\Harddisk1\DR1 8ADBD808
Device \Driver\00000440 \Device\0000005f sptd.sys
Device \Driver\nvata \Device\NvAta0 8ADBDA40
Device \Driver\nvata \Device\NvAta1 8ADBDA40
Device \Driver\nvata \Device\NvAta2 8ADBDA40
Device \FileSystem\Npfs \Device\NamedPipe 8AB15370
Device \Driver\Ftdisk \Device\FtControl 8ADBD0E8
Device \Driver\nvata \Device\0000008a 8ADBDA40
Device \FileSystem\Msfs \Device\Mailslot 8AB16628
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port5Path0Target0Lun0 8ABEF7E8
Device \Driver\dtscsi \Device\Scsi\dtscsi1Port5Path0Target1Lun0 8ABEF7E8
Device \Driver\dtscsi \Device\Scsi\dtscsi1 8ABEF7E8
Device \Driver\nvata \Device\0000008d 8ADBDA40
Device \FileSystem\Fastfat \Fat 8AAEE9B8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 8AAE5598

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 1130430266
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -681715049
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 854415196
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFD 0x62 0x55 0x87 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x87 0x2D 0xE9 0x96 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xE2 0x14 0x91 0x04 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xFC 0x9C 0x3F 0xAE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFD 0x62 0x55 0x87 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x87 0x2D 0xE9 0x96 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xE2 0x14 0x91 0x04 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xFC 0x9C 0x3F 0xAE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFD 0x62 0x55 0x87 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x87 0x2D 0xE9 0x96 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9A 0x2F 0xB0 0xB7 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x82 0x8B 0x70 0x17 ...

---- EOF - GMER 1.0.15 ----

#10 SurStromming

SurStromming
  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:52 PM

Posted 28 April 2009 - 12:11 AM

Examining the logs a bit closer now I am surprised to see a few F-secure entries. I didn't think F-Secure ran in Secure Mode, since I didn't see its icon anywhere on the toolbar.

Should I have disabled it actively, or is the scan ok?

#11 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:04:52 PM

Posted 28 April 2009 - 01:07 AM

I assume you are using daemon tools or have used it in the past.

I am not experienced enough to spot something else in that log?

One side note on what you are playing with on these pseudo rootkits

http://forum.daemon-tools.cc/f19/dtscsi-sy...e-install-9673/

What's an update on any signs of an infection?
Chewy

No. Try not. Do... or do not. There is no try.
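
DaChew's read of the log above, that every SSDT and IAT hook belongs to sptd.sys (whose Cfg@p0 value points at the DAEMON Tools folder) and the remaining inline JMPs belong to F-Secure's fsndis5.sys, is the grouping a responder does by eye before deciding whether a hook is a legitimate driver or something to chase. As an added example that is not part of this thread or of GMER itself, the Python script below does that grouping over a constructed excerpt of the posted log: it buckets each SSDT, IAT, Code and JMP entry by the module that owns the hook, pulls the install path from the sptd Cfg@p0 registry value (assuming, as a heuristic, that the service name equals the driver base name without .sys), and separately lists the dtscsi.sys in-memory patches GMER could not attribute to any module and the driver files it could not open.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a few lines copied from the GMER log posted above
# (the full log has many more of each kind; these suffice to show the grouping).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xF750BB3A]
SSDT sptd.sys ZwEnumerateKey [0xF750BC7E]

Code \WINDOWS\System32\drivers\fsndis5.sys (F-Secure Network Interceptor/F-Secure Corporation) IoCreateDevice

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!IoCreateDevice 8059B8BF 5 Bytes JMP F771FB14 \WINDOWS\System32\drivers\fsndis5.sys (F-Secure Network Interceptor/F-Secure Corporation)
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
PAGENPNP NDIS.SYS!NdisRegisterProtocol F784417F 5 Bytes JMP F771F900 \WINDOWS\System32\drivers\fsndis5.sys (F-Secure Network Interceptor/F-Secure Corporation)
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 BAC4E4D0 16 Bytes [3C, 6C, 60, 2D, 3E, 4F, 3F, ...] {CMP AL, 0x6c; PUSHA ; SUB EAX, 0x383f4f3e}
.text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 BAC4E4E1 31 Bytes [D0, C4, BA, A9, 81, 52, 03, ...]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7514DB2] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7507A32] sptd.sys

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(\S+)\s+\[0x[0-9A-Fa-f]+\]$")
IAT_RE = re.compile(r"^IAT\s+([^\[\s]+)\[([^\]]+)\]\s+\[[0-9A-Fa-f]+\]\s+(\S+)$")
CODE_RE = re.compile(r"^Code\s+(\S+)\s+\(.*?\)\s+(\S+)$")
JMP_RE = re.compile(r"^(\S+)\s+(\S+)\s+[0-9A-Fa-f]+\s+\d+\s+Bytes\s+JMP\s+[0-9A-Fa-f]+\s+(\S+)")
PATCH_RE = re.compile(r"^(\S+)\s+(\S+)(?:\s+\+\s+\d+)?\s+[0-9A-Fa-f]+\s+(\d+)\s+Bytes\s+\[")
REG_P0_RE = re.compile(r"^Reg\s+HKLM\\SYSTEM\\\w+\\Services\\([^\\]+)\\.*@p0\s+(.+)$")


def _basename(path):
    return PureWindowsPath(path).name.lower()


def parse_gmer(text):
    """Group every hook GMER reports by the module that owns the hook."""
    hooks = defaultdict(list)   # owning module -> [(kind, hooked thing)]
    patches = []                # in-memory code changes GMER could not attribute
    locked = []                 # files GMER could not open for comparison
    service_paths = {}          # service name -> install path from its Cfg@p0 value
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        if m := SSDT_RE.match(line):
            hooks[m.group(1).lower()].append(("SSDT", m.group(2)))
        elif m := IAT_RE.match(line):
            hooks[m.group(3).lower()].append(("IAT", f"{m.group(1)}[{m.group(2)}]"))
        elif m := CODE_RE.match(line):
            hooks[_basename(m.group(1))].append(("Code", m.group(2)))
        elif m := JMP_RE.match(line):
            hooks[_basename(m.group(3))].append((f"{m.group(1)} JMP", m.group(2)))
        elif m := PATCH_RE.match(line):
            patches.append((m.group(2), int(m.group(3))))
        elif m := REG_P0_RE.match(line):
            service_paths[m.group(1).lower()] = m.group(2).strip()
        elif line.startswith("? "):
            locked.append(line[2:].split(" The process", 1)[0])
    return dict(hooks), patches, locked, service_paths


def attribute_hooks(text):
    """Per-module summary: hook count, hook kinds, and the install path the hooking
    driver's own Cfg@p0 value names. Heuristic: the service name is assumed to be
    the driver file name without .sys, which holds for sptd in the posted log."""
    hooks, patches, locked, service_paths = parse_gmer(text)
    report = {}
    for module, entries in hooks.items():
        service = module[:-4] if module.endswith(".sys") else module
        report[module] = {
            "count": len(entries),
            "kinds": sorted({kind for kind, _ in entries}),
            "config_path": service_paths.get(service),
        }
    return report, patches, locked


if __name__ == "__main__":
    report, patches, locked = attribute_hooks(SAMPLE_LOG)
    for module, info in sorted(report.items()):
        print(f"{module}: {info['count']} hook(s) {info['kinds']} installed from {info['config_path']}")
    print("unattributed patches:", patches)
    print("unreadable files:", locked)
```

On the excerpt this yields two owners: sptd.sys with four hooks (SSDT and IAT) and a config path under C:\Program Files\DAEMON Tools\, and fsndis5.sys with three (one Code, two JMP) and no sptd-style config key. The two dtscsi.sys patches and the locked sptd.sys file come out in their own lists rather than being silently dropped, since a hook whose owner cannot be identified is exactly the one worth a second look.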

#12 SurStromming

SurStromming
  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:52 PM

Posted 28 April 2009 - 03:07 AM

Hello again,

Yes, I have been using Daemon Tools for years, so that should be ok.

As I wrote in my original post, I had lots of weird things going on during a few days, all of which match other malware posts on this forum. Then, everything started working ok again. The only strange thing now is that RootRepeal does not run properly.

Can a malware uninstall itself? Can it deactivate itself and remain dormant until someone orders it to reactivate? Since I have not found and actively eliminated the source of the problem, I cannot trust my PC. That's what worries me now.

Are there any other scanning tools I could/should run?

#13 SurStromming

SurStromming
  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:52 PM

Posted 29 April 2009 - 12:13 AM

Hello again,

I once again ran MBAM, with the following results:

Malwarebytes' Anti-Malware 1.36
Database version: 2055
Windows 5.1.2600 Service Pack 3

2009-04-29 07:06:25
mbam-log-2009-04-29 (07-06-25).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 269372
Time elapsed: 1 hour(s), 5 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

The interesting thing, however, is that I found the logs from previous MBAM scans, and one from a few days ago had actually found and removed malware:

Database version: 1945
Windows 5.1.2600 Service Pack 3

2009-04-24 21:25:01
mbam-log-2009-04-24 (21-25-01).txt

Scan type: Quick Scan
Objects scanned: 85905
Time elapsed: 6 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\mplayerplugin.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\dnscache.dnscacheobj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{1fd79a59-37b1-459b-9097-09f9fab8a523} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b97f9125-71a1-48d0-b920-f140ef8de809} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dnscache.dnscacheobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\mplayerplugin.dll (Trojan.BHO) -> Delete on reboot.



So I am beginning to think that maybe I'm clean after all. What do you think?
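
The two logs above differ in a way worth checking mechanically rather than by eye: the 04-24 scan lists a Trojan.BHO module that was only scheduled for "Delete on reboot" (so the file was still present when that log was written), while the 04-29 scan reports zero everywhere. As an added example that is not part of this thread or of Malwarebytes, the Python parser below reads the MBAM log format as posted (header fields, summary counts, then one item list per section), flags items still pending a reboot, and checks that each summary count agrees with the items actually listed, which catches a log that was trimmed or edited before being posted. Both samples are constructed from the logs above; the infected one is abridged to two of the seven registry keys, with its summary count adjusted to match.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: an abridged copy of the 2009-04-24 MBAM log posted above
# (two of the seven registry keys kept; the summary count adjusted to match).
INFECTED_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 1945
Scan type: Quick Scan

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\mplayerplugin.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\mplayerplugin.dll (Trojan.BHO) -> Delete on reboot.
"""

# Constructed sample: the header and summary block of the clean 2009-04-29 scan posted above.
CLEAN_LOG = r"""Database version: 2055
Scan type: Full Scan (C:\|D:\|)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
"""

SUMMARY_RE = re.compile(r"^(.+ Infected): (\d+)$")
SECTION_RE = re.compile(r"^(.+ Infected):$")
HEADER_RE = re.compile(r"^([^:]+): (.+)$")
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+)$")
NO_ITEMS = "(No malicious items detected)"


@dataclass(frozen=True)
class Detection:
    section: str
    item: str
    threat: str
    action: str


def parse_mbam_log(text):
    """Split a log into header fields, summary counts and the listed detections."""
    header, summary, detections, section = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == NO_ITEMS:
            continue
        if m := SUMMARY_RE.match(line):
            summary[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and (m := ITEM_RE.match(line)):
            # "Bad: (1) Good: (0) -> Quarantined ..." keeps only the final verdict as the action
            detections.append(Detection(section, m.group(1), m.group(2), m.group(3).split(" -> ")[-1]))
        elif section is None and (m := HEADER_RE.match(line)):
            header[m.group(1)] = m.group(2)
    return header, summary, detections


def assess(text):
    """What a responder checks before trusting a log: do the summary counts match the
    items listed, what was only scheduled for deletion at reboot, and is it clean."""
    header, summary, detections = parse_mbam_log(text)
    per_section = Counter(d.section for d in detections)
    return {
        "database_version": header.get("Database version"),
        "scan_type": header.get("Scan type"),
        "is_clean": not detections and all(n == 0 for n in summary.values()),
        "threats": dict(Counter(d.threat for d in detections)),
        "detections": detections,
        "mismatches": [s for s, n in summary.items() if n != per_section.get(s, 0)],
        "pending_reboot": sorted({d.item for d in detections if d.action.startswith("Delete on reboot")}),
    }


if __name__ == "__main__":
    for name, log in (("04-24", INFECTED_LOG), ("04-29", CLEAN_LOG)):
        r = assess(log)
        print(name, "clean" if r["is_clean"] else r["threats"], r["mismatches"], r["pending_reboot"])
```

The "pending_reboot" list is the part to act on: a file that MBAM could only schedule for deletion is still on disk until the next restart, so the later all-zero scan is what confirms it actually went. The mismatch check is deliberately strict; if a count says 7 and only 2 items follow, the log is not the one MBAM wrote, and the helper should ask for the original before reasoning about it.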

#14 SurStromming

SurStromming
  • Topic Starter

  • Members
  • 9 posts
  • Local time:10:52 PM

Posted 05 May 2009 - 03:15 AM

Ok, let's regard this as CASE CLOSED!



